
I have an MQTT broker with ActiveMQ on an Ubuntu server with Windows clients. Now I want to enable SSL. I found the tutorial, but I have a question.

This step 1 I do on the MQTT broker (ActiveMQ):

Step 1 Create a certificate for the broker with keytool:

keytool -genkey -alias broker -keyalg RSA -keystore broker.ks

Step 2 Export the broker’s certificate so it can be shared with clients. This action is on the MQTT broker server. The certificate will be installed on the Windows client.

keytool -export -alias broker -keystore broker.ks -file broker_cert

Step 3 (see below) Create a certificate/keystore for the client:
Do I need this step? Where do I perform this step, on the client or on the MQTT broker server? But there are Windows clients.

keytool -genkey -alias client -keyalg RSA -keystore client.ks

Step 4. Do I need this step? Where do I perform this step, on the client or on the MQTT broker server? But there are Windows clients.

*Create a truststore for the client, and import the broker’s certificate. This will ensure that the client "trusts" the broker:*

keytool -import -alias broker -keystore client.ts -file broker_cert

What do I have to do now to make the broker and the windows client use the certificate?

2 Answers


  1. Chosen as BEST ANSWER

    @Pavlovich I installed the certificate on the client. I changed activemq.xml like:

    <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>
    

    I'm trying to test the connection with a certificate using MQTT.fx and it doesn't work. I keep getting an MQTT exception:

    ERROR --- BrokerConnectService           : MqttException
    

    Thx


  2. The instructions cover both the broker-side and client-side.

    The broker hosts the self-signed SSL certificate to hand out on SSL connections, and the client needs the key in a ‘truststore’ to allow the key from the broker since it is self-signed and not from one of the public SSL key signers that are already provided by most OS and dev stacks.

    Keep in mind: SSL encrypts the traffic, but also maintains ‘who to trust’. Just b/c some server hands out a SSL key, doesn’t mean the client should simply encrypt and start passing data to that server.

    EDIT: Some config samples

    At minimum:

    <broker ..
      .. 
      <sslContext>
        <sslContext keyStore="broker1-keystore.ks"
                    keyStorePassword="password"/>
      </sslContext>
      ..
    </broker>
    

    Advanced ref: https://activemq.apache.org/ssl-transport-reference
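The keytool steps from the question and the trust relationship described in this answer, as an added example that is not part of the thread and not ActiveMQ's own tooling. It runs steps 1, 2 and 4 non-interactively on the broker host (step 3, a client keystore, is only needed when the broker is configured to require client certificates), exports the certificate as PEM so it can be copied to the Windows clients, checks that the resulting truststore really contains the broker certificate, and prints the broker-side XML that ties the keystore to an MQTT-over-TLS connector. The hostname `broker.example.test`, the password `changeit` and the port 8883 are placeholders; Java's `keytool` is assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive version of the keytool
# steps plus a check that the client truststore trusts the broker.
# Assumptions: keytool on PATH; hostname, password and port are placeholders.
set -eu

STOREPASS="changeit"               # placeholder; use a real secret in production
BROKER_HOST="broker.example.test"  # placeholder; must match the name clients connect to

# Step 1 (broker host): key pair + self-signed certificate, no prompts.
# The SAN extension lets clients verify the hostname, not just the CN.
gen_broker_keystore() {
  dir="$1"
  keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$BROKER_HOST" -ext "SAN=dns:$BROKER_HOST" \
    -keystore "$dir/broker.ks" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    >/dev/null 2>&1
}

# Step 2 (broker host): export only the public certificate. -rfc gives PEM,
# which is what gets copied to the Windows clients; broker.ks itself never leaves the server.
export_broker_cert() {
  dir="$1"
  keytool -exportcert -alias broker -keystore "$dir/broker.ks" \
    -storepass "$STOREPASS" -rfc -file "$dir/broker_cert.pem" >/dev/null 2>&1
}

# Step 4 (client side, or prepared on the server and copied): truststore that
# holds the broker certificate, so the self-signed cert is accepted by the client.
build_client_truststore() {
  dir="$1"
  keytool -importcert -alias broker -keystore "$dir/client.ts" \
    -storepass "$STOREPASS" -file "$dir/broker_cert.pem" -noprompt >/dev/null 2>&1
}

# Number of trusted certificate entries in a truststore (0 if none or unreadable).
count_trusted_entries() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | grep -c "trustedCertEntry" || true
}

# Steps 1, 2 and 4 in order; succeeds only if the truststore ends up with the broker cert.
make_broker_trust_chain() {
  dir="$1"
  gen_broker_keystore "$dir"
  export_broker_cert "$dir"
  build_client_truststore "$dir"
  [ "$(count_trusted_entries "$dir/client.ts")" -eq 1 ]
}

# Broker-side activemq.xml fragment: the sslContext from answer 2 pointed at the
# keystore above, and a TLS connector. MQTT clients need the mqtt+ssl scheme;
# ssl:// (as in answer 1) is the OpenWire connector, which an MQTT client cannot speak.
broker_ssl_config() {
  cat <<EOF
<sslContext>
  <sslContext keyStore="$1/broker.ks" keyStorePassword="$STOREPASS"/>
</sslContext>
<transportConnectors>
  <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?transport.enabledProtocols=TLSv1.2"/>
</transportConnectors>
EOF
}

# Stand-alone run: build everything in a temp dir and print the broker config.
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_broker_trust_chain "$work" && echo "truststore OK: $work/client.ts"
  broker_ssl_config "$work"
fi
```

Run it as `sh tls_setup.sh run`; it leaves `broker.ks` (keep on the server), `broker_cert.pem` (copy to the clients) and `client.ts` (for Java clients) in a temporary directory. Desktop MQTT clients on Windows generally take the PEM file directly as the CA certificate, and the hostname they connect with has to match the SAN baked into the certificate or verification fails even though the trust entry is present.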
