Set up a Certificate Chain between WinCC OA and the Mosquitto Broker

These instructions guide you through the steps required to set up a certificate chain for the MQTT driver. In this example WinCC OA and the Mosquitto broker are used.

  1. Create a Root CA, see Create the root pair (OpenSSL CA).
  2. Create an intermediate CA, see Create the intermediate pair (OpenSSL CA).
    The intermediate CA is required to create the server and client certificates.
  3. Create server and client certificates, see Sign server and client certificates (OpenSSL CA).
  4. Set up your Mosquitto configuration.
    To configure Mosquitto, the .conf file must be adapted and the certificates must be supplied.
    1. Update the .conf file:
      listener 8883
      protocol mqtt
      certfile <path-to-server-certificate>
      keyfile <path-to-server-private-key>
      require_certificate true
      cafile <path-to-ca-certificate>
      allow_anonymous true
      • certfile / keyfile - the broker's own certificate (signed by the intermediate CA) and its private key
      • cafile - the CA certificate(s) the broker uses to verify client certificates; the whole client chain (root and intermediate) must be verifiable, either from this file or from the certificates the client sends along with its own
      • require_certificate true - a client that does not present a certificate signed by that chain is rejected during the TLS handshake
      • allow_anonymous true - no username/password is required in addition to the client certificate
    2. Start Mosquitto.
      Run the following command to start the Mosquitto broker:
      mosquitto.exe -c <myConf>.conf [-v]
      • -c - specifies the configuration file to use
      • -v - verbose logging (optional)
  5. Configure the WinCC OA MQTT driver.
    1. Create the certificate structure within your project.
      Note: The certificates in mqtt/cert/certs must be named in ascending alphabetical order so that the leaf certificate comes first (in the structure below, client.crt sorts before intermediate.crt).
      mqtt
      └─cert
        │  ca.crt
        ├─certs
        │  client.crt
        │  intermediate.crt
        └─private
           client.key
      Figure 1. Project Certificate Folder - mqtt/cert/
      Figure 2. Project Certificate Folder - mqtt/cert/certs/
      Figure 3. Project Certificate Folder - mqtt/cert/private/
    2. Configure the MQTT driver within the configuration panel.
      Figure 4. MQTT driver - Connection Settings
      Figure 5. MQTT driver - Certificate Settings
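The complete procedure above, as an added example that is not part of the WinCC OA documentation or the Mosquitto project: it builds a root CA, an intermediate CA and the server and client certificates with OpenSSL (the work the three referenced OpenSSL CA pages describe), lays the client-side files out in the mqtt/cert/ structure with the leaf sorting first, prepares the certfile, keyfile and cafile the Mosquitto configuration expects, and verifies the result the way a TLS peer would. It assumes `openssl` 1.1.1 or newer is on PATH; every subject name, host name and directory name in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the WinCC OA docs: root -> intermediate -> leaf chain with
# OpenSSL, laid out for the WinCC OA MQTT driver (mqtt/cert/) and for Mosquitto.
# Assumes openssl 1.1.1+ on PATH. Subjects, host names and paths are constructed.

build_mqtt_chain() {
  base="$1"                 # constructed layout: $base/ca, $base/mqtt/cert, $base/broker
  ca="$base/ca"             # CA working directory; keep the CA private keys here, offline
  proj="$base/mqtt/cert"    # WinCC OA project side
  broker="$base/broker"     # Mosquitto side
  mkdir -p "$ca" "$proj/certs" "$proj/private" "$broker"

  # Extension profiles: CAs may sign certificates, leaf certificates may not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ca/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:broker.example.local\n' > "$ca/server.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$ca/client.ext"

  # 1. Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$ca/root.key" -out "$ca/root.csr" -subj "/CN=Example Root CA"
  openssl x509 -req -sha256 -days 3650 -in "$ca/root.csr" -signkey "$ca/root.key" -extfile "$ca/ca.ext" -out "$ca/root.crt"

  # 2. Intermediate CA: signed by the root; it signs the server and client certificates.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$ca/intermediate.key" -out "$ca/intermediate.csr" -subj "/CN=Example Intermediate CA"
  openssl x509 -req -sha256 -days 1825 -in "$ca/intermediate.csr" -CA "$ca/root.crt" -CAkey "$ca/root.key" -CAcreateserial -extfile "$ca/ca.ext" -out "$ca/intermediate.crt"

  # 3. Server (Mosquitto) and client (WinCC OA) leaf certificates, both signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$broker/server.key" -out "$ca/server.csr" -subj "/CN=broker.example.local"
  openssl x509 -req -sha256 -days 365 -in "$ca/server.csr" -CA "$ca/intermediate.crt" -CAkey "$ca/intermediate.key" -CAcreateserial -extfile "$ca/server.ext" -out "$broker/server.crt"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$proj/private/client.key" -out "$ca/client.csr" -subj "/CN=wincc-oa-mqtt-client"
  openssl x509 -req -sha256 -days 365 -in "$ca/client.csr" -CA "$ca/intermediate.crt" -CAkey "$ca/intermediate.key" -CAcreateserial -extfile "$ca/client.ext" -out "$proj/certs/client.crt"

  # 4. Broker side: certfile=server.crt, keyfile=server.key, cafile=cafile.crt. The cafile holds
  #    root and intermediate together so the broker can verify the whole client chain.
  cat "$ca/root.crt" "$ca/intermediate.crt" > "$broker/cafile.crt"

  # 5. Project side: ca.crt at the top, leaf and intermediate in certs/ (client.crt sorts before
  #    intermediate.crt, as the naming note requires), the private key in private/.
  cp "$ca/root.crt" "$proj/ca.crt"
  cp "$ca/intermediate.crt" "$proj/certs/intermediate.crt"
  chmod 600 "$proj/private/client.key" "$broker/server.key"
}

# Verify the client chain as a peer would: only the root is trusted, the intermediate is untrusted input.
verify_client_chain() {
  proj="$1/mqtt/cert"
  openssl verify -CAfile "$proj/ca.crt" -untrusted "$proj/certs/intermediate.crt" "$proj/certs/client.crt" >/dev/null 2>&1
}

# Verify the broker certificate against the cafile the broker itself will use.
verify_server_chain() {
  openssl verify -CAfile "$1/broker/cafile.crt" "$1/broker/server.crt" >/dev/null 2>&1
}

# Check the naming rule: the alphabetically first file in certs/ must be the leaf (CA:FALSE).
leaf_sorts_first() {
  first="$(ls "$1/mqtt/cert/certs" | head -n 1)"
  openssl x509 -in "$1/mqtt/cert/certs/$first" -noout -text 2>/dev/null | grep -q 'CA:FALSE'
}

# Usage: dir="$(mktemp -d)"; build_mqtt_chain "$dir" && verify_client_chain "$dir" && leaf_sorts_first "$dir" && echo "chain OK"
```

The two `openssl verify` calls are the check worth keeping around: `verify_client_chain` fails if the intermediate is missing from mqtt/cert/certs or was signed by a different root, and `verify_server_chain` fails if the broker's cafile does not contain the intermediate, which is the usual cause of a handshake that the broker logs as an unknown CA.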