[Solved] Generating CA certificate file, certificate file and private key file from mqtt-ca.pem

Hello

I would like to use a TLS MQTT connection to my application, but I need to install a CA certificate file, a certificate file and a private key file.

TTN provides just a .pem file. How can I extract the needed files out of it?

I do not think that TTN provides any certificates or private keys. Did you see this info: Secure MQTT APIs now using Let's Encrypt certificates


there is a reason they are called private keys and they should never be shared …

Yes, I agree, but how can I generate these three files with the .pem file?

You cannot! Sorry.
The effort to secure communication is always good. But maybe you could describe a bit better where you want to install the CA/cert/key. Which components/services are involved on the client/server side?
Maybe this helps too: https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

…and above all, you don’t need to:

…which says:

@bsiege @arjanvanb Thx for your support guys.

Here is some more info about what I would like to do:
I'm using ThingsBoard, and ThingsBoard provides an option to enable a secure MQTT communication to eu.thethings.network.

Actually I'm using Basic authentication, which needs the username and password. Here I take the application ID and the access key of my TTN application. With this setting the communication runs well, but it is not secure.

Now I would like to use the PEM authentication. For that, ThingsBoard asks for a "CA certificate file", a "Certificate file", a "private key file" and a private key password.
Apparently I can generate these files with Let's Encrypt and openssl, right?

I actually just have no idea what to do to finally connect to the TTN MQTT broker.

Unless TTN is doing something I’ve not heard of, there’s no such thing.

You’ll always have to use the username and password. On top of that, to avoid those being sent readable for some middle man, you can also encrypt the communications. The authentication won’t change; it’s just that the communication is different.

(I don’t think TTN supports something comparable to using public/private key authentication when using SSH towards some remote server, which then no longer needs a username/password, but instead would need you to configure your public key on that remote server—if that’s what you’re expecting. Instead, it’s comparable to using HTTP vs HTTPS for websites, regardless if the website allows you to authenticate with some username and password.)

I’d assume ThingsBoard would simply allow you to enable some “secure” option for MQTT (which would then use TLS and port 8883 rather than 1883). If not, then please show us some link of the relevant ThingsBoard documentation.

Yes, there is no such thing as PEM authentication. PEM is a container format for many cryptographic files. Since you named ThingsBoard, which I do not know, I can only assume that you want to do some sort of cert pinning, which is reasonable. But it is also resource intensive.
If I look at the fine manual, I think it is described quite well: https://thingsboard.io/docs/user-guide/certificates/ And maybe token-based over SSL is good enough for transport security. Start here: https://thingsboard.io/docs/user-guide/mqtt-over-ssl/

That’s for an MQTT server?

ThingsBoard provides the ability to run MQTT server over SSL.

I’d assume that @affoltep wants to connect to TTN’s MQTT server, not host some server himself.

@affoltep if indeed this is about setting up an MQTT server (rather than using some client to connect to TTN’s server), then I’d say TTN’s PEM is not relevant at all. (And the question is not related to TTN at all.)

@arjanvanb, @bsiege

Apparently I can simply use MQTT over SSL. I just had to enable the SSL checkbox and change to port 8883 in ThingsBoard. Now the data transfer seems to be encrypted.

The PEM authentication from TB doesn’t seem to be possible for TTN.

Thx again for your support


My words. But never underestimate Google!! Search for something that does not exist and you will find it. And nobody tells you that you simply named the thing wrong :wink: Set up PEM key authentication
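As an added example, not from this thread or from TTN or ThingsBoard, here is a small Python script that inspects a PEM file for the block types it contains and derives the MQTT-over-TLS client settings the thread arrived at: the CA file only verifies the broker, client-certificate authentication would additionally need a private key that the file does not hold, and the application ID and access key remain the credentials. The sample PEM is constructed, and the `connect` helper using paho-mqtt is an assumption.

```python
"""Inspect a PEM file and derive the MQTT-over-TLS client settings it supports."""
import re

# Constructed sample standing in for TTN's mqtt-ca.pem: one CA certificate and
# no private key. The base64 body is a placeholder, not a real certificate.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUPLACEHOLDER...
-----END CERTIFICATE-----
"""

# A PEM block is delimited by matching BEGIN/END lines carrying the same label.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(pem_text):
    """Return the label of every PEM block, e.g. ['CERTIFICATE']."""
    return BLOCK_RE.findall(pem_text)


def mqtt_tls_plan(pem_text, username, password, host="eu.thethings.network"):
    """Decide which TLS role(s) the PEM supports and what else the client needs.

    A file holding only certificates can verify the broker (ca_certs) but cannot
    serve as a client certificate, because that also needs the matching private key.
    """
    labels = pem_block_types(pem_text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    return {
        "host": host,
        "port": 8883,                               # TLS port; 1883 is plaintext
        "ca_certs": has_cert,                       # verify the broker with this file
        "client_cert_auth": has_cert and has_key,   # only possible with a key too
        "username": username,                       # TTN application ID
        "password": password,                       # TTN access key
    }


def connect(plan, ca_path):
    """Hypothetical helper: open the connection with paho-mqtt (assumed installed)."""
    import paho.mqtt.client as mqtt
    client = mqtt.Client()
    client.tls_set(ca_certs=ca_path)   # server verification only, no certfile/keyfile
    client.username_pw_set(plan["username"], plan["password"])
    client.connect(plan["host"], plan["port"])
    return client
```

Running `mqtt_tls_plan` on the real mqtt-ca.pem reports `client_cert_auth` as false, which is exactly why ThingsBoard's PEM option cannot be filled in from TTN's file.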