MQTT Certificate Generation for new install

Hi, to extend my knowledge, I would like to bridge my server racks at my workshop and office.

I have some experience with MQTT; for my 105-site customer, the CTO issues me with site certs for the MQTT instances. We use an MQTT broker on AWS, the details of that I’m not so sure as I wasn’t involved in the config.

For my setup, on the server (office), the Cirrus MQTT Distributor, and Engine module will be installed (waiting on 8.3.3). And on the Groov EPIC (Workshop), Ignition Edge with MQTT Transmission. I think I’ve read a topic where I need to tick one box in advanced settings to allow 8.3 to have comms with 8.1 Edge. I’ll search that again.

How do I go about generating the 3 certs? Root CA, Private Cert, Private Key?

This is with the GAN isn't it? Not MQTT?

I use Let's Encrypt for cert generation; there are a lot of different guides available for using it for simple SSL certs.

I will be using MQTT, I’ll see if I can find that topic.

Let's Encrypt can do all three certs I need?

Your TLS/SSL package looks like this:

Root CA: This is the chain that proves the validity of the Private Certificate and also the Private Key.
Private Certificate: This is the proof that you are who you are, and that is proved by referencing the Root CA that signed the Certificate to say that the Root CA verifies that this is true.
Private Key: This is the bit that you use to encrypt the data being sent. This data can only be decrypted with the Private Certificate that belongs to it.
Public Key: This is the key that enables data signed with the Private Key to be decrypted by the end user of the data. This is the critical bit that gets shared to devices that wish to read the data from your server.

All four of these parts are part of a certificate signing request, and the last three need to be generated together with input from the Root CA. This is the whole process of obtaining a "certificate".


I had a read and google too. Does LE fall under “self-signed” or “real-signed”?

Self Signed is where you generate your own Certificate Authority and use that to sign your certs.
"Real" Signed is where a third party (who is verifiable right back to a trusted Root Certificate) signs the certificate, proving the chain back to the Root Certificate Authority.

LE have a verifiable chain to a trusted Root CA, so it's then shown in a normal browser as "Trusted".
