An MQTTS connection is an MQTT connection wrapped in a TLS secure layer. This connection may require authentication of the server only, but usually will require device authentication. This requires using the server's certificate as well as a device certificate and key. The test site, test.mosquitto.org, has instructions on creating the device key and certificate at https://test.mosquitto.org/ssl/. Once your key and CSR are created, paste the CSR into the box and submit. This will give you a device certificate. You use the key and certificate, and not the CSR, to make the connection. This example demonstrates loading the certificates and keys, and using the built-in mqtt protocol to establish a secure connection.
First we must load the certificates and keys for the site we want to connect to and for the device. This is done once for the life of the product, but care must be taken to notice that each certificate has an expiration date and that you have a way to update expired certificates. It can become impossible to update a certificate remotely if you rely on the expired certificate for the connection that manages your updates. It is necessary to update it before it expires, or to use a different certificate/connection strictly for FOTA updates of the certificates.
The Signetik IoT API has a variable sectagq which is used to set the security tag for queries and for setting certificates, without changing the security tag being used for your connection. The security tag is a number that can be quite large, but it is best to use values under 1000 unless you have checked the Nordic documentation, so that you do not overwrite default certificates.
Set the security tag where the certificate is to be loaded.
+set,sectagq:24
You should see the following response for success.
+rsp,sectagq:24
Next, load the server (CA) certificate. This is done one time for all future connections.
+set,cacert:"-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"
NOTE: When pasting the certificate command above in a terminal, it is important that the terminal is set to send linefeeds (LF) and not carriage returns (CR) at the end of each line.
When the certificate is loaded, a result of 0 indicates success:
+rsp,cacert:0
Additionally, load the device key and certificate. This will be unique for each device in your system, while the cacert is the same and references the server you are connecting to.
+set,privcert:"-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"
+set,privkey:"-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
"
At this point, since this is a one-time loading of certificates, you can reboot the system or send an AT command to turn the modem back on. The modem was set to CFUN=4 to load the certificates and will not operate unless set back to 1.
+set,at:at+cfun=1
The response:
+rsp,at:OK
Now set the security tag to use for the connection. This tells the TLS layer to use the certificates loaded in slot 22. Setting sectag to 0 will tell the modem to NOT use any TLS.
+set,sectag:24
The response:
+rsp,sectag:24
From this point forward, we are simply performing an MQTT protocol connection on port 8884, which is what the test.mosquitto.org site states is the proper port for their server. Most servers will use 8883. The following commands would also work on port 1883 if sectag is set to 0, and thus with no TLS.
Set the mqtt protocol, device id, server address, server port, user, password, publish topic, and one or more subscribe topics.
The responses (+rsp) are shown with each command below.
+set,devid:sigcell
+rsp,devid:sigcell
+set,server_address:test.mosquitto.org
+rsp,server_address:test.mosquitto.org
+set,server_port:8884
+rsp,server_port:8884
+set,user:
+rsp,user:
+set,pw:
+rsp,pw:
+set,pubtopic:test
+rsp,pubtopic:test
+set,subtopic1:test
+rsp,subtopic1:test
+set,proto:mqtt
+rsp,proto:mqtt
Enable the protocol:
+set,enabled:1
+rsp,enabled:1
You should then see the connection process, with no disconnecting occurring thereafter.
+notify,event:coap,disconnecting:1
+notify,event:mqtt,init:1
+notify,event:mqtt,connecting:1,host:test.mosquitto.org,devid:dev_SigCell,user:,pw:
+notify,event:mqtt,connected:1
+notify,mqtt:sub,topic1:test
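As an added example (not code from the Signetik documentation or API), here is a small host-side Python helper for scripting the sequence above: it builds +set lines with LF line endings for PEM values, checks each +rsp against the value that was sent (or the 0 / OK success values shown above), and watches the +notify stream for the mqtt connected state. The field names and the success values are taken from the transcript on this page; everything else is an assumption.

```python
import re

# +rsp values that signal success without echoing the value sent:
# certificate/key loads return result code 0, the pass-through AT command "OK".
EXPECTED_RSP = {"cacert": "0", "privcert": "0", "privkey": "0", "at": "OK"}


def build_set(key, value):
    """Build a '+set,key:value' line. A multi-line value (a PEM block) is
    normalised to LF line endings, as the terminal note above requires,
    and quoted the way the cacert/privcert/privkey commands are."""
    if "\n" in value or "\r" in value:
        value = '"' + re.sub(r"\r\n?", "\n", value).rstrip("\n") + '\n"'
    return f"+set,{key}:{value}"


def parse_line(line):
    """Split a '+rsp,...' or '+notify,...' line into (kind, {field: value})."""
    kind, _, rest = line.strip().partition(",")
    fields = {}
    for item in rest.split(","):
        name, _, val = item.partition(":")
        fields[name] = val
    return kind.lstrip("+"), fields


def rsp_ok(cmd, rsp):
    """True when rsp is the success response to cmd: an echo of the value
    set, or the fixed value from EXPECTED_RSP for the keys listed there."""
    key, _, value = cmd.split(",", 1)[1].partition(":")
    kind, fields = parse_line(rsp)
    if kind != "rsp" or key not in fields:
        return False
    return fields[key] == EXPECTED_RSP.get(key, value)


def mqtt_connected(notify_lines):
    """Walk the +notify stream: True once 'event:mqtt ... connected:1' is seen
    and no later 'event:mqtt ... disconnecting:1' has undone it. Events for
    other protocols (the coap disconnect shown above) are ignored."""
    connected = False
    for line in notify_lines:
        kind, fields = parse_line(line)
        if kind != "notify" or fields.get("event") != "mqtt":
            continue
        if fields.get("connected") == "1":
            connected = True
        elif fields.get("disconnecting") == "1":
            connected = False
    return connected
```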