I have an MQTT broker with ActiveMQ on an Ubuntu server with Windows clients. Now I want to enable SSL. I found the tutorial, but I have a question.
Step 1 I do on the MQTT broker (ActiveMQ):
Step 1 Create a certificate for the broker with keytool:
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
Step 2: export the broker’s certificate so it can be shared with clients. This action is on the MQTT broker server. The certificate will be installed on the Windows client.
keytool -export -alias broker -keystore broker.ks -file broker_cert
Step 3 (see below): create a certificate/keystore for the client:
Do I need this step? Where do I perform this step, on the client or on the MQTT broker server? But there are Windows clients.
keytool -genkey -alias client -keyalg RSA -keystore client.ks
*Step 4. Do I need this step? Where do I perform this step, on the client or on the MQTT broker server? But there are Windows clients.
Create a truststore for the client, and import the broker’s certificate. This will ensure that the client "trusts" the broker:*
keytool -import -alias broker -keystore client.ts -file broker_cert
What do I have to do now to make the broker and the Windows client use the certificate?
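The four keytool steps quoted above, run non-interactively as an added example that is not part of the question or the tutorial it quotes: steps 1 and 2 belong on the broker host, step 4 belongs on the client, and step 3 (a client keystore with its own private key) is only needed when the broker is configured to require client certificates (mutual TLS), so it is left out. The hostname, passwords and file names are placeholder assumptions; the last function checks that the fingerprint the client trusts is the one the broker exported.

```shell
#!/bin/sh
# Added example, not from the question or the ActiveMQ docs. Assumes a JDK
# keytool on PATH; hostname and passwords below are placeholders.
set -eu

# Steps 1 and 2 run on the broker host: generate the broker key pair and
# export only the public certificate. broker.ks holds the private key and
# never leaves the broker; broker_cert.pem is what gets copied to clients.
make_broker_keystore() {   # $1 = working dir, $2 = broker hostname, $3 = password
  # SAN must match the hostname the Windows client connects to, or the
  # client rejects the certificate even though it is in the truststore.
  keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$2" -ext "SAN=dns:$2" \
    -keystore "$1/broker.ks" -storepass "$3" -keypass "$3"
  keytool -exportcert -alias broker -keystore "$1/broker.ks" -storepass "$3" \
    -rfc -file "$1/broker_cert.pem"
}

# Step 4 runs on (or for) the client: a truststore that contains only the
# broker's certificate, so the client accepts this self-signed cert and no
# other. Step 3 is omitted: it is only needed for mutual TLS.
make_client_truststore() { # $1 = working dir, $2 = truststore password
  keytool -importcert -alias broker -keystore "$1/client.ts" -storepass "$2" \
    -file "$1/broker_cert.pem" -noprompt
}

# SHA-256 fingerprint of the exported certificate file (broker side).
cert_fingerprint() {       # $1 = certificate file
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# SHA-256 fingerprint of the 'broker' entry inside a truststore (client side).
truststore_fingerprint() { # $1 = truststore, $2 = password
  keytool -list -v -alias broker -keystore "$1" -storepass "$2" \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Succeeds only if what the client trusts is exactly what the broker exported.
# Read the broker-side value over a trusted channel (console, ssh), not over
# the MQTT connection you are trying to secure.
fingerprints_match() {     # $1 = working dir, $2 = truststore password
  [ "$(cert_fingerprint "$1/broker_cert.pem")" = \
    "$(truststore_fingerprint "$1/client.ts" "$2")" ]
}
```

Copy client.ts to the Windows client and point the MQTT client's SSL settings at it; the broker side still needs a matching sslContext and an mqtt+ssl transportConnector in activemq.xml, which the linked SSL transport reference covers.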
2 Answers
@Pavlovich I installed the certificate on the client. I changed activemq.xml like:
I'm trying to test the connection with a certificate using MQTT.fx and it doesn't work. I keep getting an MQTT exception.
Thx
The instructions cover both the broker-side and client-side.
The broker hosts the self-signed SSL certificate to hand out on SSL connections, and the client needs the key in a ‘truststore’ to allow the key from the broker since it is self-signed and not from one of the public SSL key signers that are already provided by most OS and dev stacks.
Keep in mind: SSL encrypts the traffic, but also maintains ‘who to trust’. Just b/c some server hands out an SSL key doesn’t mean the client should simply encrypt and start passing data to that server.
EDIT: Some config samples
At minimum:
Advanced ref: https://activemq.apache.org/ssl-transport-reference