How to generate a .crt file for a TLS protected broker on Windows?

I was reading thru some other threads, however I keep getting lost in what exactly I am supposed to do.

I have a broker with an address, TLS protection on port 8883, a user name and password with HiveMQ.
I have a device using C# asking for an X509 .crt file expecting TLSv1_2.

How do I make this file? Topics seem to say that I need to use OpenSSL, so I managed to find a compiled version of 3.1.1 to use. Ran it in CMD Prompt (I use Windows) and used:

openssl s_client -connect (myaddress) -showcerts

I collected the 3 certificates into a notepad file in order to make a perm file. But how does this get me a .crt?

Hello, @aaronbradford

Welcome to the HiveMQ community!

It looks like, based on the address you’ve provided, that you are currently using a Cloud instance. Typically, with the cloud instance, the server CA file can be utilized for TLS connectivity, and is available through our FAQ post here.

Could you provide which MQTT client you are looking to use? These clients typically provide documentation for different variations of TLS implementation, including server .pem files.

Aaron from the HiveMQ Team

I acquired this broker with TLS protection from Hive. I created an account on it and was able to use the Hive client to test it out.

Now I want to attempt contacting it with a real device. This device is an X2 Extreme 7 Inch HMI from Beijer. It's essentially a Windows CE machine running C# on .NET 4. The script they provided includes a snippet like this:

// The below overload has to be used for X2 series devices with .Net compact framework when using a certificate
byte[] certBytes = ReadFileToByteArray(@"C:\Users\310208195\root.crt");
X509Certificate certificate = new X509Certificate(certBytes);
mqttClient = new MqttClient(sMqttBroker, 8883, true, certificate, certificate, MqttSslProtocols.TLSv1_2);

So my assumption is I need a certificate file installed onto it in order to contact this cloud instance. Generating this file hasn't made a lot of sense to me. There won't really be any other documentation for this device, so I am running by the assumption that I must provide the .crt file in order to authenticate.

Hello @aaronbradford ,

First off, to answer your initial question, to convert the .pem to a .crt, OpenSSL can be used. We can obtain the .pem from the FAQ post mentioned previously, and use the following command with OpenSSL from the directory that contains the downloaded .pem certificate to obtain a .crt output:

openssl x509 -outform der -in isrgrootx1.pem -out certificate.crt

That said, without additional documentation, I’m unsure as to what is required for the MQTT client connection, as we don’t have a definition for what is required for the mqttClient class, nor what the connection packets look like. If possible, the full script, or the libraries included in the script may provide some insight into how these MQTT requests are being formed. With the information provided, we essentially only know at this time that an mqttClient object can be created with the properties of broker, port, a binary value, certificates, and TLS version. We do not know how a connection request is sent.

Additionally, we do offer a C# client, currently in beta, that may be helpful if you are looking to get a C# device connected to MQTT, available here.

Aaron from HiveMQ Team
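
What the conversion above does, shown as an added example (not part of the thread, and not HiveMQ or Beijer code): PEM is base64-encoded DER between BEGIN/END markers, so this Python sketch pulls each certificate out of pasted `openssl s_client -showcerts` output, decodes it to DER, checks the outer DER length to catch a truncated paste, and computes a SHA-256 fingerprint to compare with the one the CA publishes. The function names are hypothetical and the sample blocks are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one complete outer SEQUENCE, as a certificate is."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, body = 2, first
    else:                                  # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body


def certs_from_showcerts(text: str) -> list:
    """Return every PEM block found in pasted s_client output, in chain order."""
    found = []
    for match in PEM_BLOCK.finditer(text):
        b64 = "".join(match.group(1).split())   # drop line breaks and spaces
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:                      # not valid base64 at all
            der = b""
        found.append({"der": der, "complete": der_length_ok(der),
                      "sha256": hashlib.sha256(der).hexdigest()})
    return found


def sample_block(payload: bytes, cut: int = 0) -> str:
    """Constructed stand-in: a DER SEQUENCE around payload, PEM-armoured."""
    der = bytes([0x30, len(payload)]) + payload
    b64 = base64.b64encode(der[:len(der) - cut]).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed s_client-style text; the second block simulates a truncated paste.
SAMPLE = ("Certificate chain\n 0 s:CN = leaf.example\n"
          + sample_block(b"constructed leaf")
          + " 1 s:CN = Example Root\n"
          + sample_block(b"constructed root", cut=3))
```

For a real chain, write the `der` bytes of the CA certificate the device should trust to the `.crt` file in binary mode, after matching its `sha256` against the fingerprint the CA publishes.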

Thank you! I'll give that command a shot.

Unfortunately I won't be able to use that beta version as I cannot change the .NET environment version on this device. It's using an assembly called M2Mqtt.NetCf35.dll that came from Beijer to create this client. It tested fine on mosquitto but hasn't been proven yet on anything live.
Resources are here:
That page has a pdf explaining how to use the library SER0052_QS_iX_MQTT_Client_V1.0.0-EN.pdf
I am still in the testing phase of this, so we will see if that's all I need or if a lower version of MQTT is required to use this library. Appreciate the help tho!

Hello @aaronbradford ,

Sounds like a plan - thank you for the additional feedback, and those resources. Please do let us know if you are able to successfully connect once you have time to test, and welcome again to HiveMQ!

Aaron from HiveMQ Team