Configure TLS without client certificate

The following are required:
  • The certificate of the Certificate Authority (CA) that signed the broker certificate.
  • The broker certificate, signed by that CA.
  • The broker (server) private key, used for decryption.
  • OpenSSL installed on the device.
IMPORTANT: Do not encrypt the broker (server) private key when generating it, that is, do not use the -des3 switch in step 3. Encryption creates a password-protected key that the broker is unable to decode.
  1. In Command Prompt, create a CA key pair by entering:
    openssl genrsa -des3 -out ca.key 2048
  2. Create CA certificate and use the CA key from step 1 to sign it:
    openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
  3. Create a broker key pair (do not password-protect it):
    openssl genrsa -out server.key 2048
  4. Create a broker certificate request using key from step 3:
    openssl req -new -out server.csr -key server.key
  5. Use the CA certificate to sign the broker certificate request from step 4:
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
  6. Place all files in a single directory on the MQTT broker.
  7. Copy the CA certificate file to the MQTT client.
  8. Edit the FactoryTalk Optix client security properties to use the CA certificate.
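Steps 1 to 5 as one non-interactive script, followed by the checks worth running before the files are copied to the broker and client (added example, not part of the FactoryTalk Optix documentation; it assumes openssl is on PATH, and the subject names, broker hostname and CA passphrase are constructed placeholders):

```shell
#!/bin/sh
# Added example, not from the FactoryTalk Optix documentation. Runs steps 1-5 without prompts,
# then verifies the output. Assumes openssl on PATH; file names follow the steps above;
# the subject names, broker hostname and CA passphrase are constructed placeholders.
set -e

WORKDIR="${WORKDIR:-./mqtt-tls}"
CA_PASS="${CA_PASS:-replace-with-a-real-passphrase}"      # placeholder; protects ca.key only
BROKER_CN="${BROKER_CN:-mqtt-broker.example.internal}"    # hypothetical broker hostname

generate_mqtt_tls_files() {
    mkdir -p "$WORKDIR"
    # Step 1: CA key. Encrypting the CA key is fine; it never goes to the broker.
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 2048
    # Step 2: self-signed CA certificate.
    openssl req -new -x509 -days 1826 -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example MQTT CA" -out "$WORKDIR/ca.crt"
    # Step 3: broker key. No -des3 here: the broker cannot decode a password-protected key.
    openssl genrsa -out "$WORKDIR/server.key" 2048
    # Step 4: CSR. The CN is the hostname clients use to reach the broker.
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$BROKER_CN" -out "$WORKDIR/server.csr"
    # Step 5: the CA signs the CSR.
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -out "$WORKDIR/server.crt" -days 360
}

# Check 1: the broker key must load with no passphrase (an encrypted PEM carries "ENCRYPTED").
broker_key_is_unencrypted() {
    key="${1:-$WORKDIR/server.key}"
    ! grep -q ENCRYPTED "$key" &&
        openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1
}

# Check 2: server.crt chains to ca.crt, the file the client receives in step 7.
broker_cert_chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null
}

# Check 3: server.key is the private half of the public key inside server.crt.
broker_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/server.key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Call generate_mqtt_tls_files, then the three checks; only when all three pass should ca.crt, server.crt and server.key go to the broker and ca.crt to the client.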