MQTT TLS Client Certificate Create/Generate

How does HiveMQ generate client certificates for IoT devices? Is there a self-service GUI portal? Can it be automated such that devices can be provisioned during an onboarding process to receive their certificate in an automated method?

Or is it manual with openssl, saved and manually imported to the devices?

Hi @fvfrenzy,

Thank you for your patience.
HiveMQ’s certificate management is based around Key- and Truststores that are manually filled with your server and/or client certificates.
You can follow the HowTos in our user guide.

Kind regards,
Florian from the HiveMQ Team.


I need to generate these files …

Is it possible in a free version???

Kind regards

Hi @splata,

HiveMQ cloud basic does not support mutual TLS, so you do not need the files “Certificate” and “Private Key”.
You can create the Server Certificate file using the OpenSSL s_client:

openssl s_client -connect YOUR_CLUSTER_HOSTNAME:PORT -showcerts < /dev/null 2> /dev/null | sed -n '/BEGIN/,/END/p' > server.pem

This will create a file called “server.pem”, which you can use as “Server Certificate”.
I took the liberty and created the file for your specific cloud deployment.

Kind regards,
Florian from the HiveMQ Team.

Hello Faschbi.

We used the command that you sent, but we did need to create another server.pem because in the test we erased the server 4ad85… The result is the same.

I think that my device needs the other files (deviceWise of Telit). I did try to upgrade the cluster to the standard version to see if I have more options to change this configuration with TLS, but support has issues with the purchase.

Hi @splata,

You can create client certificates by running

openssl req -x509 -newkey rsa:2048 -keyout mqtt-client-key.pem -out mqtt-client-cert.pem -days 360

It looks like you are trying to connect to HiveMQ cloud, using an IP address. This will not work.
You need to use the fully qualified domain name as shown in the previous screenshot.

PS: This functionality is the same for HiveMQ basic and standard.
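
Added example, not part of the original posts and not HiveMQ's own tooling: the question at the top of the thread asks whether issuing client certificates can be automated, and this script does it non-interactively with the same openssl commands used above. It assumes a private CA whose certificate is the entry imported into the broker truststore; the CA subject, file names and device IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-device MQTT client certificates signed by a private CA.
# CA subject, file names and device IDs are constructed for illustration.
set -eu

# One-time: CA key plus self-signed CA certificate.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 360 \
        -subj "/CN=Example MQTT Device CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem"
}

# Per device: key and CSR with CN=<device id>, then a CA-signed certificate.
# -nodes and -subj remove the interactive prompts so this can run unattended.
issue_device_cert() {
    dir=$1 id=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$id" \
        -keyout "$dir/$id-key.pem" -out "$dir/$id.csr"
    openssl x509 -req -in "$dir/$id.csr" -days 360 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -CAserial "$dir/ca.srl" -CAcreateserial \
        -out "$dir/$id-cert.pem"
    chmod 600 "$dir/$id-key.pem"
    rm -f "$dir/$id.csr"
}

# Succeeds only if the certificate chains to the CA and matches the device key.
check_device_cert() {
    dir=$1 id=$2
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$id-cert.pem" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$dir/$id-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/$id-key.pem" -pubout)" ]
}

# provision DIR ID...: create the CA if missing, then issue and check each device.
provision() {
    dir=$1; shift
    mkdir -p "$dir"
    [ -f "$dir/ca-cert.pem" ] || make_ca "$dir"
    for id in "$@"; do
        # Reject IDs that could alter the subject string or the output path.
        case $id in ''|*[!A-Za-z0-9_-]*) echo "invalid id: $id" >&2; return 1 ;; esac
        issue_device_cert "$dir" "$id"
        check_device_cert "$dir" "$id" || { echo "bad certificate for $id" >&2; return 1; }
    done
}

# Usage: sh provision.sh ./out sensor-001 sensor-002
if [ "$#" -ge 2 ]; then provision "$@"; fi
```

The CA private key (ca-key.pem) signs every device certificate, so it belongs on the provisioning host only and never on a device.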


Hello Florence.

Sorry for the delay. The IP address in the last picture was a test; we did try some ways:
Copying and pasting the address from the cluster console.

Pinging the address to obtain the IP address, like in the last image.

We tried with ignitionGateway and edge and it works; I think that the error is in the devicewise software.

I'm going to report that to Telit because with other systems it works.


Here is the address of the cluster console