These instructions guide you through the steps required to set up a
certificate chain for the MQTT driver. In this example, WinCC OA and the
Mosquitto broker are used.
Create a root CA, see Create the root pair (OpenSSL CA).
Create an intermediate CA, see Create the intermediate pair (OpenSSL CA).
The intermediate CA is required because it signs the server and client
certificates.
Create the server and client certificates, see Sign server and client
certificates (OpenSSL CA).
Set up your Mosquitto configuration.
To configure Mosquitto, the .conf file must be adapted and the certificates
must be supplied.
Update the .conf file:
listener 8883
protocol mqtt
certfile <path-to-server-certificate>
keyfile <path-to-server-private-key>
require_certificate true
cafile <path-to-ca-certificate>
allow_anonymous true
Start Mosquitto.
Run the following command to start the Mosquitto broker:
mosquitto.exe -c <myConf>.conf [-v]
-c - the configuration file to use
-v - verbose logging (optional)
Configure the WinCC OA MQTT driver.
Note: The certificates in mqtt/cert/certs must be named so that they sort in
ascending alphabetical order with the leaf certificate (the client
certificate) as the very first one.
Create the certificate structure within your project:
mqtt
└─cert
   ├─ca.crt
   ├─certs
   │  ├─client.crt
   │  └─intermediate.crt
   └─private
      └─client.key
Figure 1. Project Certificate Folder - mqtt/cert/
Figure 2. Project Certificate Folder - mqtt/cert/certs/
Figure 3. Project Certificate Folder - mqtt/cert/private/
Configure the MQTT driver within the configuration panel.
Figure 4. MQTT driver - Connection Settings
Figure 5. MQTT driver - Certificate Settings
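The whole procedure above carried through end to end, as an added example that is not part of this documentation nor of the WinCC OA or Mosquitto projects: a POSIX shell script that uses OpenSSL to create the root CA, the intermediate CA and the server and client certificates, writes a mosquitto.conf with the same keys as the template, lays out the mqtt/cert project folder so that client.crt sorts before intermediate.crt, and verifies each leaf against the chain. The subject names, file names, the broker host name broker.example.test and the scratch directory are assumptions; the linked OpenSSL CA pages use a proper CA database and policy, which this script replaces with plain openssl x509 -req signing.

```shell
#!/bin/sh
# Added example (not from the WinCC OA documentation or the Mosquitto project):
# the certificate chain procedure carried out with OpenSSL, plus the Mosquitto
# config and the mqtt/cert project folder for the driver. Subject names, file
# names, the host name broker.example.test and the scratch directory are
# assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumption)
PROJECT="$WORK/project"           # stands in for the WinCC OA project directory
cd "$WORK"

# Issue a certificate for a CSR, signed by the given CA key, with v3 extensions.
issue() {   # csr ca_crt ca_key out_crt days extensions
    printf '%s\n' "$6" > "$4.ext"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days "$5" -sha256 -extfile "$4.ext" -out "$4" 2>/dev/null
}

# Step 1: root CA, self-signed (its key stays offline in a real deployment)
make_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile root.ext -out root.crt 2>/dev/null
}

# Step 2: intermediate CA, signed by the root; pathlen:0 limits it to leaf certs
make_intermediate_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    issue intermediate.csr root.crt root.key intermediate.crt 1825 \
"basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign"
}

# Step 3: server (broker) and client (driver) leaves, signed by the intermediate
make_leaf() {   # name subject extendedKeyUsage [subjectAltName]
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    ext="basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=$3"
    if [ -n "${4:-}" ]; then
        ext="$ext
subjectAltName=$4"
    fi
    issue "$1.csr" intermediate.crt intermediate.key "$1.crt" 825 "$ext"
}

# Step 4: Mosquitto config with the same keys as the template. cafile holds root
# and intermediate so the broker can build the client's chain on its own;
# certfile sends the intermediate along with the server cert to clients.
write_mosquitto_conf() {
    cat root.crt intermediate.crt > broker-ca-chain.crt
    cat server.crt intermediate.crt > server-fullchain.crt
    cat > mosquitto.conf <<EOF
listener 8883
protocol mqtt
certfile $WORK/server-fullchain.crt
keyfile $WORK/server.key
require_certificate true
cafile $WORK/broker-ca-chain.crt
allow_anonymous true
EOF
}

# Step 5: project folder for the driver. "client.crt" sorts before
# "intermediate.crt", so the leaf is the first file in certs/ as required.
lay_out_project() {
    mkdir -p "$PROJECT/mqtt/cert/certs" "$PROJECT/mqtt/cert/private"
    cp root.crt         "$PROJECT/mqtt/cert/ca.crt"
    cp client.crt       "$PROJECT/mqtt/cert/certs/client.crt"
    cp intermediate.crt "$PROJECT/mqtt/cert/certs/intermediate.crt"
    cp client.key       "$PROJECT/mqtt/cert/private/client.key"
    chmod 600 "$PROJECT/mqtt/cert/private/client.key"
}

# Checks. A leaf verifies only when the intermediate is available; with the
# root alone the chain is incomplete, which is why intermediate.crt must be
# shipped in certs/ next to client.crt.
verify_with_chain() {     # leaf -> exit status 0 if it chains to the root
    openssl verify -CAfile root.crt -untrusted intermediate.crt "$1" >/dev/null 2>&1
}
verify_root_only() {      # leaf -> exit status 0 only if the root alone suffices (it does not)
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
}
first_cert_in_certs() {   # name of the file the driver will read first
    ls "$PROJECT/mqtt/cert/certs" | LC_ALL=C sort | head -n 1
}

make_root_ca
make_intermediate_ca
make_leaf server "/CN=broker.example.test" serverAuth "DNS:broker.example.test"
make_leaf client "/CN=winccoa-mqtt-driver" clientAuth
write_mosquitto_conf
lay_out_project
verify_with_chain server.crt
verify_with_chain client.crt
echo "chain verified; first file in certs/: $(first_cert_in_certs); config: $WORK/mosquitto.conf"
```

Run it with sh; afterwards the broker can be started with mosquitto -c "$WORK/mosquitto.conf" -v and the project folder under "$WORK/project/mqtt/cert" copied into the WinCC OA project. Two design points carry over to a real deployment: require_certificate true is what makes the broker demand and verify a client certificate (allow_anonymous true only waives the MQTT username and password on top of that), and the cafile on the broker side must let OpenSSL complete the client's chain, so with an intermediate CA either put root and intermediate into cafile, as done here, or rely on the client sending intermediate.crt, which is exactly what the alphabetical ordering in certs/ is for. The verify_root_only check shows the failure mode when the intermediate is missing.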