Cirrus MQTT Engine to Cirrus Chariot Server - Configuring TLS/SSL

I’m new to MQTT and TLS/SSL.

I was hoping someone could link me to a manual section or information regarding setting up a secure connection between the Ignition MQTT engine and Chariot server. I’m getting hung up on obtaining the certificates for each.

I see that there was once a video describing this but it looks like it was deleted.

See this doc: Chariot MQTT Server Configuration - Chariot MQTT Server v2 Documentation - Confluence

Also, this may be helpful: Secure MQTT Communication using SSL or TLS - MQTT Modules for Ignition 8.x - Confluence

Thanks Wes, that helps a lot.

Where I’m getting stuck now is on installing the CA certificate. Ignition tutorials and videos seem to rely on self-signed certificates, which work, but you will always get the browser warning message. They also recommend purchasing a CA from a signing authority for production systems and not using self-signed ones except for testing. My understanding is I will need a certificate for both the Ignition/engine subscriber as well as the Chariot server.

So my next question is how do I implement a signed CA when the servers I am installing them on are not internet facing?

Using a ‘real CA’ is only required or even possible when using the public Internet. Part of a CA’s job is to validate that the FQDN you specify as your ‘Common Name’ in the certificate is in fact one you own. This then tells any client connecting that because they trust that CA, and they trust the due diligence performed by the CA, that in turn they trust that given certificate. It is a crucial part of establishing a ‘chain of trust’.

Since you are going to be running over a private network, you do not need (and actually can’t use) a ‘real CA’ because there is no public FQDN the CA can use to validate ownership. So, if you want to use TLS over your private network you must create your own CA. This is a straightforward tutorial I’ve used in the past and recommend for doing this: Create the root pair — OpenSSL Certificate Authority — Jamie Nguyen

As for ‘what goes where’ after you get your CA, intermediate cert, server cert, etc all generated, this is what you will need on each system:

  • Chariot: Private Key, Signed Server Cert, and CA chain (the root CA public cert and intermediate public cert)
  • MQTT Engine (or any other MQTT client): The root CA public cert

MQTT Engine (or any other client) only requires the root CA because of the chain of trust. By using the public root CA cert on Engine, you are basically telling MQTT Engine that you trust that root CA. Therefore, you trust anything it has signed including the intermediate cert which in turn signed the server cert.

I think going through the tutorial of generating the CA should make things a bit clearer.

I should note this is how TLS communications work on Internet websites too. Operating Systems and Web Browsers ship with a default set of trusted CAs. This is how trust is established with all reputable websites on the Internet. Because you trust the CAs, you (or rather your browser) inherently trusts the certs they sign. This is why you get a warning in your browser if a website is not signed by a trusted CA. After you create your own CA, you can load the CA’s public cert into your browser which will prevent that warning from coming up.


There is some more good info on our own docs site here: Setting up SSL Connections using Client Side Certificates - Chariot MQTT Server v2 Documentation - Confluence


Thanks Wes. As you have probably guessed I am new to all this. However, I did find the doc you referenced. Extremely informative. I installed Git for Windows in order to access the OpenSSL library and have generated the keys. I am setting up the server side now.

Now I am stuck at updating Truststore. I am at the part of the above referenced process where I enter the following command:

keytool -importcert -file ca/engine/engineCA.crt -keystore <chariot_install_dir>/security/clientcerts.jks -alias ca/engine/engineca

keytool aborts with an error. “Illegal option: Files\chariot_windows\security\clientcerts.jks”

I was able to trace the source to keytool not liking spaces in the directory names in the filepath. Since I installed Chariot in the c:/Program Files directory, it balks at the space in between Program and Files. I can sort of get by it by using a “_” character instead of the space but after it asks if I trust the certificate it fails again with:

“keytool error: \Program_Files\chariot_windows\security\security\clientcerts.jks (The system cannot find the path specified)”

Is there a way around this or do I need to re-install the server? Maybe directly in the root?

I figured it out. I re-installed the server in the root. I was able to update the keys and finish the procedure. I have established TLS between the Engine and Chariot.
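
Added example (not from the thread or from the Chariot/Ignition docs): a throwaway root, intermediate and server certificate built with the openssl CLI, checking the "what goes where" split described above, where the client trusts only the root CA and the intermediate comes from the server side. All names are constructed; the working directory deliberately contains a space and every path is double-quoted, which is how a shell passes a path like one under Program Files to a command as a single argument.

```shell
# Constructed demo PKI: root CA -> intermediate CA -> server cert. All names are made up.
make_pki() {  # $1 = output directory; every path is quoted so spaces are safe
  d="$1"
  mkdir -p "$d" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:chariot.example.internal\n' > "$d/server.ext"
  # One private key and signing request per tier.
  for n in root intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Root signs itself, root signs the intermediate, intermediate signs the server cert.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 1 -days 30 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -set_serial 2 -days 30 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null || return 1
}

# $1 = root cert the client trusts, $2 = intermediate supplied by the server ("" = none),
# $3 = server cert. Succeeds only if a path from $3 up to $1 can be built and verified.
client_trusts() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$3" 2>/dev/null | grep -q ': OK$'
  fi
}

demo="$(mktemp -d)/pki demo"   # space in the directory name on purpose
make_pki "$demo" || echo "openssl failed"
client_trusts "$demo/root.crt" "$demo/intermediate.crt" "$demo/server.crt" \
  && echo "root-only trust + intermediate from server: accepted"
client_trusts "$demo/root.crt" "" "$demo/server.crt" \
  || echo "root-only trust, intermediate missing: rejected"
```

The second check fails because the client cannot bridge from the server cert to its trusted root without the intermediate, which is why the server side carries the CA chain and not just its own cert.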