# LE Sparkplug Edge Node: Environment Variables: TLS Certs
## Overview

Transport Layer Security (TLS) can be used to establish a secure, encrypted connection between the LE Sparkplug Edge Node and your MQTT broker(s). This requires providing specific certificate information during configuration.

## Prerequisites

To configure TLS, you will need the following files, typically provided by your MQTT broker administrator or your organization's security team:

- **CA certificate (`ca_cert`)**: the certificate of the Certificate Authority (CA) that signed the MQTT broker's server certificate. This is used to verify the broker's identity.
- **Client certificate (`client_cert`)**: the public certificate for this specific LE Sparkplug Edge Node client. The broker uses this to verify the client's identity (mutual TLS / mTLS).
- **Client private key (`client_key`)**: the corresponding private key for the client certificate. This must be kept secret.

## Step 1: Encode certificates to Base64

The application requires the content of these certificate/key files to be provided as Base64-encoded strings within the configuration.

### Encoding methods

**Online tools**

1. Open your certificate or key file (e.g. `my_ca.pem`, `client.crt`, `client.key`) in a text editor.
2. Copy the entire content, including the `BEGIN` and `END` lines.
3. Paste the content into an online Base64 encoder (like base64encode.org) and click "Encode".
4. Copy the resulting Base64 string.
5. Repeat for each required file (CA cert, client cert, client key).

**Command line (Linux/macOS)**

```bash
# Example for CA certificate
base64 -w 0 my_ca.pem

# Example for client certificate
base64 -w 0 client.crt

# Example for client private key
base64 -w 0 client.key
```

(The `-w 0` flag prevents line wrapping in the output.)

**Command line (Windows PowerShell)**

```powershell
# Example for CA certificate
[Convert]::ToBase64String([IO.File]::ReadAllBytes("my_ca.pem"))

# Example for client certificate
[Convert]::ToBase64String([IO.File]::ReadAllBytes("client.crt"))

# Example for client private key
[Convert]::ToBase64String([IO.File]::ReadAllBytes("client.key"))
```

## Step 2: Add Base64 strings to configuration

Once you have the Base64-encoded strings, add them to your configuration.

### Method 1: Configuration file (`config.json`)

Add the `ca_cert`, `client_cert`, and `client_key` fields to the relevant server object within the `mqtt.servers` array. Also, ensure the `url` starts with `ssl://` or `tls://` (depending on broker requirements) and includes the correct TLS port (e.g. 8883).

```json
{
  "edge_api_token": "0iriyynzv5xjac1aupqxm4j2tzuls5pf",
  "mqtt": {
    "servers": [
      {
        "url": "ssl://mqtt.example.com:8883",
        "user": "myuser",
        "password": "mypassword",
        "ca_cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...",
        "client_cert": "LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0t...",
        "client_key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVkt...",
        "skip_cert_verify": false
      },
      {
        "url": "tcp://192.168.56.1:1883",
        "username": "",
        "password": ""
      }
    ],
    "client_id": "",
    "client_id_suffix": "",
    "connect_timeout": "30s",
    "write_timeout": "3s",
    "keepalive": 30
  },
  "group_id": "le_group",
  "node_id": "le_node",
  "primary_host_support": true,
  "primary_host_id": "le_97is6vf",
  "le_logging_level": "info"
}
```

(Base64 strings abbreviated with `...` for clarity.)

### Method 2: Environment variable (`MQTT_SERVERS`)

Embed the Base64 strings directly into the JSON string assigned to the `MQTT_SERVERS` environment variable. Remember to handle shell escaping carefully: wrapping the whole value in single quotes, as below, lets the double quotes inside the JSON stand unescaped.

```bash
# Example docker run fragment
docker run \
  -e MQTT_SERVERS='[{"url":"ssl://mqtt.secure.com:8883","user":"mytlsuser","password":"mytlspassword","ca_cert":"LS0tLS1C...","client_cert":"LS0tLS1C...","client_key":"LS0tLS1C...","skip_cert_verify":false}]' \
```

(Base64 strings abbreviated for clarity; ensure the entire string is included.)

## TLS configuration fields

- **`ca_cert`** (string, Base64): the CA certificate used to verify the server.
- **`client_cert`** (string, Base64): the client's public certificate.
- **`client_key`** (string, Base64): the client's private key.
- **`skip_cert_verify`** (boolean): defaults to `false`. If set to `true`, the client will not verify the broker's certificate against the provided `ca_cert`. This disables protection against man-in-the-middle attacks and should only be used for specific testing scenarios, never in production.
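The following script is an added example, not part of the original page or the LE Sparkplug Edge Node product, covering Step 1 and Step 2 together. It encodes each PEM file to a single-line Base64 string locally (so the private key is never pasted into an online tool), checks that each field received the kind of PEM block it expects (a common mistake is placing the private key in `client_cert` or vice versa), renders both the `config.json` server object and a correctly shell-quoted `-e MQTT_SERVERS=...` argument, and lints the resulting server list for `skip_cert_verify: true`, TLS URLs without a `ca_cert`, and plaintext `tcp://` entries. The PEM contents embedded in `SAMPLE_FILES` are constructed placeholders, not real certificates or keys; the field names `ca_cert`, `client_cert`, `client_key`, `skip_cert_verify` and `MQTT_SERVERS` are those from the page. The `url` scheme check assumes the page's statement that a TLS server URL uses `ssl://` or `tls://`.

```python
import base64
import json
import shlex

# Constructed sample PEM files (NOT real certificates or keys): the body of
# each block is just Base64 of placeholder bytes, enough to exercise the
# PEM-shape checks below. In real use, read these from disk instead.
SAMPLE_FILES = {
    "my_ca.pem": "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed CA certificate body").decode()
    + "\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed client certificate body").decode()
    + "\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN EC PRIVATE KEY-----\n"
    + base64.b64encode(b"constructed client private key body").decode()
    + "\n-----END EC PRIVATE KEY-----\n",
}

# PEM block labels each configuration field may legitimately contain.
EXPECTED_PEM_TYPES = {
    "ca_cert": {"CERTIFICATE"},
    "client_cert": {"CERTIFICATE"},
    "client_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def pem_block_type(pem_text: str) -> str:
    """Return the label of the first PEM block, e.g. 'CERTIFICATE'."""
    for line in pem_text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    raise ValueError("no PEM BEGIN line found")


def encode_pem_file(field: str, pem_text: str) -> str:
    """Base64-encode a whole PEM file (BEGIN/END lines included) as one line,
    after checking it holds the kind of material the field expects."""
    block_type = pem_block_type(pem_text)
    if block_type not in EXPECTED_PEM_TYPES[field]:
        raise ValueError(
            f"{field}: expected one of {sorted(EXPECTED_PEM_TYPES[field])}, found {block_type!r}")
    # Python's b64encode never wraps lines, so this matches `base64 -w 0`.
    encoded = base64.b64encode(pem_text.encode()).decode()
    if base64.b64decode(encoded) != pem_text.encode():  # round-trip sanity check
        raise ValueError(f"{field}: Base64 round-trip mismatch")
    return encoded


def build_server_entry(url: str, user: str, password: str, files: dict) -> dict:
    """Build one element of mqtt.servers for a TLS broker."""
    if not url.startswith(("ssl://", "tls://")):
        raise ValueError("TLS server URL must use the ssl:// or tls:// scheme")
    return {
        "url": url,
        "user": user,
        "password": password,
        "ca_cert": encode_pem_file("ca_cert", files["my_ca.pem"]),
        "client_cert": encode_pem_file("client_cert", files["client.crt"]),
        "client_key": encode_pem_file("client_key", files["client.key"]),
        "skip_cert_verify": False,
    }


def lint_servers(servers: list) -> list:
    """Flag server entries whose settings weaken broker authentication."""
    findings = []
    for s in servers:
        url = s["url"]
        if s.get("skip_cert_verify"):
            findings.append(f"{url}: skip_cert_verify is true (MITM protection disabled)")
        if url.startswith(("ssl://", "tls://")) and not s.get("ca_cert"):
            findings.append(f"{url}: TLS URL without a ca_cert to verify the broker")
        if url.startswith("tcp://"):
            findings.append(f"{url}: plaintext connection, credentials and data unencrypted")
    return findings


def docker_env_argument(servers: list) -> str:
    """Render `-e MQTT_SERVERS=<json>` with shlex doing the shell quoting, so the
    JSON's double quotes need no manual backslash escaping."""
    return "-e " + shlex.quote("MQTT_SERVERS=" + json.dumps(servers, separators=(",", ":")))


if __name__ == "__main__":
    entry = build_server_entry("ssl://mqtt.example.com:8883", "myuser", "mypassword", SAMPLE_FILES)
    print(json.dumps({"mqtt": {"servers": [entry]}}, indent=2))
    print(docker_env_argument([entry]))
    for finding in lint_servers([entry, {"url": "tcp://192.168.56.1:1883"}]):
        print("WARNING:", finding)
```

Note that whichever method you choose, the Base64 string is only an encoding, not encryption: the private key in `MQTT_SERVERS` is readable by anyone who can run `docker inspect` on the container or read its environment, so restrict access to the host and to `config.json` accordingly.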