TLS Certs

Overview

Transport Layer Security (TLS) can be used to establish an encrypted, mutually authenticated connection between the LE Sparkplug Edge Node and your MQTT broker(s). Configuring it requires supplying the certificate material described below.

Prerequisites

To configure TLS, you will need the following files, typically provided by your MQTT broker administrator or your organization's security team:

  • CA Certificate (ca_cert): The certificate of the Certificate Authority (CA) that signed the MQTT broker's server certificate. The node uses it to verify the broker's identity; without it the node cannot distinguish the real broker from an impostor presenting its own certificate.
  • Client Certificate (client_cert): The public certificate for this specific LE Sparkplug Edge Node client. The broker uses this to verify the client's identity (mutual TLS/mTLS).
  • Client Private Key (client_key): The corresponding private key for the client certificate. This must be kept secret: anyone holding it can connect to the broker as this node.
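The relationships described above (ca_cert issued the broker's certificate; client_cert and client_key form a pair) are worth checking before anything gets encoded, because a mismatched pair or the wrong CA file only surfaces later as a failed TLS handshake with little diagnostic detail. The script below is an added example, not code from the LE Sparkplug Edge Node project or this documentation; it assumes the openssl command line tool (1.1.1 or newer) is installed, and the make_demo_pki throwaway PKI, file names and common names are constructed placeholders.

```shell
#!/bin/sh
# Added example; not part of the LE Sparkplug Edge Node documentation or code.
# Checks that the three prerequisite PEM files belong together before they are
# encoded. Needs the openssl command line tool (1.1.1 or newer). The PKI built
# by make_demo_pki is constructed on the fly for demonstration only.
set -e

# Does client_key belong to client_cert? Compare the public key inside the
# certificate with the public key derived from the private key.
key_matches_cert() {  # key_matches_cert CLIENT_KEY CLIENT_CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Did ca_cert issue this certificate? Run it against a copy of the broker's
# server certificate (what the node will verify) and against client.crt (what
# the broker will verify, when it uses the same CA for clients).
signed_by_ca() {  # signed_by_ca CA_CERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed throwaway PKI in DIR: a CA, a broker cert, a client cert and one
# unrelated key to show the mismatch case. Real files come from your broker admin.
make_demo_pki() {  # make_demo_pki DIR
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=demo-ca -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    for leaf in broker client; do
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$leaf" -keyout "$d/$leaf.key" -out "$d/$leaf.csr" >/dev/null 2>&1
        openssl x509 -req -in "$d/$leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$leaf.crt" >/dev/null 2>&1
    done
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}

# Usage:  sh check_tls_files.sh ca.pem client.crt client.key [broker.crt]
check_files() {  # check_files CA_CERT CLIENT_CERT CLIENT_KEY [BROKER_CERT]
    key_matches_cert "$3" "$2" || { echo "client_key does not match client_cert" >&2; return 1; }
    signed_by_ca "$1" "$2" \
        || echo "note: client_cert was not issued by ca_cert (expected if the broker uses a separate client CA)" >&2
    if [ -n "${4:-}" ]; then
        signed_by_ca "$1" "$4" || { echo "ca_cert did not issue the broker certificate" >&2; return 1; }
    fi
    echo "ok: files are consistent"
}

if [ "$#" -ge 3 ]; then
    check_files "$@"
fi
```

The broker's server certificate is not one of the three configured files, but if you can obtain a copy (for example from the broker administrator) the fourth argument lets you confirm that ca_cert really is the authority the node will need to trust.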

Step 1: Encode Certificates to Base64

The application requires the content of these certificate/key files to be provided as Base64-encoded strings within the configuration. Base64 is an encoding, not encryption: the private key is trivially recoverable from the configuration file or environment variable that carries it, so protect those with the same file permissions and access controls as the key file itself.

Encoding Methods:

  • Online Tools (public certificates only):
    An online encoder is acceptable for the CA certificate and the client certificate, both of which are public. Never paste the client private key (client.key) into a third-party web page; a key submitted to a site you do not control has to be treated as compromised. Encode the key with the command line instead.
    1. Open the certificate file (e.g., my_ca.pem, client.crt) in a text editor.
    2. Copy the entire content, including the -----BEGIN...----- and -----END...----- lines.
    3. Paste the content into an online Base64 encoder (like base64encode.org) and click "Encode".
    4. Copy the resulting Base64 string.
    5. Repeat for the other public certificate.
  • Command Line (Linux/macOS):

    Bash
    

    (The -w 0 flag, understood by GNU coreutils base64, prevents line wrapping in the output; the whole value has to be on one line, since a wrapped string would carry newlines into the JSON. If your base64 rejects -w, as some macOS builds do, use openssl base64 -A -in FILE instead, which also emits a single line.)

  • Command Line (Windows PowerShell):

    PowerShell
    

Step 2: Add Base64 Strings to Configuration

Once you have the Base64-encoded strings, add them to your configuration:

Method 1: Configuration File (config.json)

Add the ca_cert, client_cert, and client_key fields to the relevant server object within the mqtt.servers array. Also, ensure the url starts with ssl:// or tls:// (depending on broker requirements) and includes the correct TLS port (e.g., 8883).

JSON


Method 2: Environment Variable (MQTT_SERVERS)

Embed the Base64 strings directly into the JSON string assigned to the MQTT_SERVERS environment variable. Base64 output contains only the characters A-Z, a-z, 0-9, +, / and =, so the encoded values themselves need no escaping; wrap the whole JSON value in single quotes so the shell leaves its double quotes intact. Keep in mind that the private key is then visible to anything that can read this process's environment, and that an export typed interactively may land in shell history.

Bash


(Base64 strings abbreviated for clarity. Ensure the entire string is included.)
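Steps 1 and 2 carried out end to end, as an added example that is not part of this page or of the LE Sparkplug Edge Node project: it encodes each file on a single line with a portable fallback, refuses files that are not PEM, warns when the key is readable by other users, and writes both the config.json server entry and the MQTT_SERVERS line. It assumes the field names listed on this page, that MQTT_SERVERS holds the servers array (the page does not show the exact shape), a placeholder broker URL, and constructed placeholder PEM text when no files are given on the command line.

```shell
#!/bin/sh
# Added example; not part of the LE Sparkplug Edge Node documentation or code.
# Encodes the three PEM files and emits both configuration forms from this
# page. Assumptions: the field names url, ca_cert, client_cert, client_key and
# skip_cert_verify as listed on the page; MQTT_SERVERS is assumed to hold the
# servers array; the broker URL is a placeholder.
set -e

# Base64 on one line, portably. GNU coreutils base64 takes -w 0; builds that
# reject it (some macOS versions) get openssl's -A flag, which also emits one line.
b64_nowrap() {  # b64_nowrap FILE
    if base64 -w 0 </dev/null >/dev/null 2>&1; then
        base64 -w 0 "$1"
    else
        openssl base64 -A -in "$1"
    fi
}

# The node decodes the string back to PEM text, so the BEGIN/END armour lines
# must be inside what we encode. Reject DER files, empty files and path typos.
check_pem() {  # check_pem FILE
    grep -q -e '-----BEGIN ' "$1" && grep -q -e '-----END ' "$1"
}

# The private key should be readable by its owner only (mode 600). Columns
# 5-10 of "ls -l" are the group and other permission bits.
key_is_private() {  # key_is_private FILE
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# One entry for the mqtt.servers array. Base64 output is limited to
# [A-Za-z0-9+/=], so the encoded values need no JSON or shell escaping.
server_json() {  # server_json URL CA_B64 CERT_B64 KEY_B64
    printf '{"url":"%s","ca_cert":"%s","client_cert":"%s","client_key":"%s","skip_cert_verify":false}' \
        "$1" "$2" "$3" "$4"
}

# Method 1: config.json, created owner-only because it now contains the key.
write_config() {  # write_config OUTFILE SERVER_JSON
    (umask 077; printf '{"mqtt":{"servers":[%s]}}\n' "$2" > "$1")
}

# Method 2: the same entry as a one-line assignment. Single quotes keep the
# JSON's double quotes intact; nothing inside the value needs escaping.
env_line() {  # env_line SERVER_JSON
    printf "export MQTT_SERVERS='[%s]'\n" "$1"
}

# Usage with real files:  sh tls_config.sh ca.pem client.crt client.key
# Without arguments, constructed placeholder PEM text stands in for them.
main() {
    if [ "$#" -eq 3 ]; then
        ca=$1; crt=$2; key=$3; outdir=.
    else
        outdir=$(mktemp -d)
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$outdir/ca.pem"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$outdir/client.crt"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$outdir/client.key"
        chmod 600 "$outdir/client.key"
        ca=$outdir/ca.pem; crt=$outdir/client.crt; key=$outdir/client.key
    fi
    for f in "$ca" "$crt" "$key"; do
        check_pem "$f" || { echo "not a PEM file: $f" >&2; return 1; }
    done
    key_is_private "$key" || echo "warning: $key is readable by group/others" >&2
    server=$(server_json 'ssl://broker.example.com:8883' \
        "$(b64_nowrap "$ca")" "$(b64_nowrap "$crt")" "$(b64_nowrap "$key")")
    write_config "$outdir/config.json" "$server"
    env_line "$server"
    echo "wrote $outdir/config.json" >&2
}
main "$@"
```

The env_line output is meant to be pasted into a service unit or secrets manager rather than typed at an interactive prompt, for the shell-history reason noted above; the config.json written by write_config is created with mode 600 for the same reason.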

TLS Configuration Fields

  • ca_cert (String, Base64): The CA certificate used to verify the broker's server certificate.
  • client_cert (String, Base64): The client's public certificate, presented to the broker for mTLS.
  • client_key (String, Base64): The client's private key.
  • skip_cert_verify (Boolean): Defaults to false. If set to true, the client will not verify the broker's certificate against the provided ca_cert. This disables protection against man-in-the-middle attacks: anyone on the network path can present an arbitrary certificate and read or alter the Sparkplug traffic. It should only be used for isolated testing scenarios, never in production.