Broker-Client TLS Configuration
Configure Transport Layer Security (TLS) to establish a secure, encrypted connection between the MQTT broker and its clients.
Two ways of establishing a TLS connection between client and broker are available:
- without a client certificate
- with a client certificate
For more information, see:
https://mosquitto.org/man/mosquitto-tls-7.html - explains how to generate all required certificates.
https://www.openssl.org/source/ - to download the OpenSSL package.
TIP:
You must use the Privacy Enhanced Mail (PEM) format for certificates, certificate signing requests, and cryptographic keys. PEM files can have the following extensions: .pem, .key, .cer, .cert, .crt.
TLS configuration without client certificate
Create an encrypted connection between the MQTT broker and the MQTT client without a client certificate. Only a trusted CA certificate on the FactoryTalk Optix client is required.
TLS configuration with client certificate
A client certificate identifies the client just like the server certificate identifies the server.
As with username and password authentication, the broker decides whether or not clients need to supply a certificate.
You can use certificates in combination with username and password authentication.
Both client and server certificates are primarily used for authentication, not encryption of communication.
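The two modes described above, expressed as an added Mosquitto 2.x broker configuration (example code, not from this page or the FactoryTalk Optix product; all file paths are placeholders):

```conf
# Added example: a Mosquitto 2.x broker configuration with one listener per TLS mode.
# All paths are placeholders; certificates and keys must be in PEM format.
#
# cafile:   certificate of the CA that signed the broker certificate. The same CA
#           certificate must be trusted on the FactoryTalk Optix client.
# certfile: broker (server) certificate
# keyfile:  broker private key

# --- Listener 1: TLS without a client certificate ------------------------------
# The client verifies the broker through the CA chain; the broker does not ask the
# client for a certificate, so client identity rests on username and password.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate false

# --- Listener 2: TLS with a client certificate ---------------------------------
# Every client must present a certificate signed by the CA in cafile; connections
# without one are rejected during the TLS handshake.
listener 8884
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate true
# Optional: use the client certificate's Common Name as the MQTT username, so the
# certificate alone identifies the client.
use_identity_as_username true

# Username and password authentication can be combined with either listener.
allow_anonymous false
password_file /etc/mosquitto/passwd
```

The client certificate on listener 8884 only proves who the client is; the channel on both listeners is encrypted the same way by the server certificate and the negotiated TLS session.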
TIP:
When a client connects to a server over SSL/TLS, the server presents its SSL/TLS certificate to the client to prove its identity. The client verifies the authenticity of the server's certificate using a chain of trust, typically involving a trusted Certificate Authority (CA).
Once the server identity is verified, the client and server establish a secure communication channel.