Setting up HiveMQ on my own server

Hi Team,
I have installed HiveMQ and completed all the steps for normal TCP communication successfully. However, I need to set up TLS with a CA-signed certificate instead of a self-signed certificate. Could you please guide me on how to do this?

Hi @chandan123456

Setting up HiveMQ with TLS using a CA-signed certificate involves the following steps:

1. Obtain a CA-Signed Certificate

You have two options:

  • Purchase a certificate from a trusted Certificate Authority (CA) like DigiCert, GlobalSign, or Let’s Encrypt.
  • Generate a CSR (Certificate Signing Request) and submit it to a CA to get a signed certificate.

Generate a CSR and Private Key

If you don’t have a CA-signed certificate yet, generate one using OpenSSL:

openssl req -new -newkey rsa:2048 -nodes -keyout hivemq.key -out hivemq.csr -subj "/CN=mqtt.example.com/O=YourCompany/C=US"

Submit the hivemq.csr file to a CA. Once approved, you will receive:

  • A signed certificate (hivemq.crt)
  • A CA bundle (ca-bundle.crt) containing the intermediate and root CA certificates

2. Convert Certificate to PKCS12 (Optional)

HiveMQ supports JKS and PKCS12 keystores. If your CA provides a certificate in PEM format (.crt), convert it to PKCS12:

openssl pkcs12 -export -in hivemq.crt -inkey hivemq.key -certfile ca-bundle.crt -out hivemq.p12 -name hivemq -password pass:YourKeystorePassword

3. Create a Java Keystore (JKS)

If you want to use a Java KeyStore (JKS) instead of PKCS12, import the certificate into a keystore:

keytool -importkeystore -srckeystore hivemq.p12 -destkeystore hivemq.jks -srcstoretype PKCS12 -deststoretype JKS -deststorepass YourKeystorePassword

Verify the keystore:

keytool -list -keystore hivemq.jks -storepass YourKeystorePassword

4. Configure HiveMQ to Use the TLS Certificate

Edit conf/config.xml in HiveMQ and update the TLS section:

<listeners>
    <tls-tcp-listener>
        <port>8883</port> <!-- MQTT over TLS -->
        <bind-address>0.0.0.0</bind-address>
        <tls>
            <keystore>
                <path>hivemq.jks</path>
                <password>YourKeystorePassword</password>
                <private-key-password>YourKeystorePassword</private-key-password>
            </keystore>
            <!-- The truststore is only needed when clients authenticate with their own certificates -->
            <truststore>
                <path>truststore.jks</path>
                <password>YourTruststorePassword</password>
            </truststore>
        </tls>
    </tls-tcp-listener>
</listeners>

Make sure you copy hivemq.jks and truststore.jks to the correct HiveMQ directory.


5. Restart HiveMQ

After configuring TLS, restart HiveMQ to apply the changes.


6. Test the TLS Connection

Use openssl to test if HiveMQ is listening on port 8883:

openssl s_client -connect mqtt.example.com:8883 -CAfile ca-bundle.crt

If successful, your CA-signed certificate setup is working.


7. Configure MQTT Clients

Ensure your MQTT clients are configured to use port 8883 and the CA certificate for verification.

For MQTT CLI, use:

mqtt pub -h mqtt.example.com -p 8883 --cafile ca-bundle.crt -t test/topic -m "Hello TLS"

This should set up HiveMQ with CA-signed TLS authentication. Let me know if you need more details.

Best,
Dasha from The HiveMQ Team
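As an added check for steps 6 and 7 (example code, not from the HiveMQ team or the MQTT CLI), the script below does in plain Python what the openssl and mqtt commands do together: it opens a TLS connection to the broker, verifies the chain against the CA bundle and the hostname, then sends a minimal MQTT 3.1.1 CONNECT and checks the CONNACK return code. The host, port and file name are assumptions carried over from the post.

```python
"""Added example: verify the HiveMQ TLS listener end to end (stdlib only)."""
import socket
import ssl
import struct


def mqtt_connect_packet(client_id: str, keep_alive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (clean session, no auth, no will)."""
    def mqtt_str(s: str) -> bytes:
        data = s.encode("utf-8")
        return struct.pack("!H", len(data)) + data   # length-prefixed UTF-8
    payload = (mqtt_str("MQTT")                     # protocol name
               + b"\x04"                            # protocol level 4 = 3.1.1
               + b"\x02"                            # connect flags: clean session
               + struct.pack("!H", keep_alive)
               + mqtt_str(client_id))
    # Remaining length uses the MQTT variable-length encoding (7 bits per byte).
    remaining, length = len(payload), b""
    while True:
        byte, remaining = remaining % 128, remaining // 128
        length += bytes([byte | 0x80]) if remaining else bytes([byte])
        if not remaining:
            break
    return b"\x10" + length + payload               # 0x10 = CONNECT fixed header


def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code (0 = connection accepted)."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError(f"not a CONNACK: {data!r}")
    return data[3]


def check_tls_broker(host: str, port: int = 8883, cafile: str = "ca-bundle.crt") -> int:
    """TLS-connect with chain and hostname verification, then MQTT CONNECT/CONNACK."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname sends SNI and makes the handshake fail on a CN/SAN mismatch
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            print("TLS", tls.version(), "subject:", tls.getpeercert()["subject"])
            tls.sendall(mqtt_connect_packet("tls-check"))
            return parse_connack(tls.recv(4))


if __name__ == "__main__":
    # mqtt.example.com is the placeholder host from the post; a CA bundle that does
    # not contain the issuing chain raises ssl.SSLCertVerificationError here.
    print("CONNACK return code:", check_tls_broker("mqtt.example.com"))
```

A return code of 0 means both the TLS handshake (chain, hostname, TLS 1.2+) and the MQTT session were accepted; a non-zero code is the broker's CONNACK reason and points at the MQTT layer rather than the certificate.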