TLS certificates

Hi Hans,

Thanks for your interest in MQTT and HiveMQ. Could you please clarify whether you have your own HiveMQ broker set up, or whether you are using a HiveMQ Cloud broker account?

If it is a HiveMQ Cloud broker, you can retrieve the server CA file as described here: Frequently Asked Questions.

If you are running your own HiveMQ MQTT Broker, you might find our blog article Setting up TLS for your cloud-based MQTT broker useful.

Keytool is a certificate management utility included with Java. It allows users to create a single store, called a keystore, that can hold multiple certificates. This file can then be installed on a server and used for SSL/TLS connections.

To generate all certificates described in the blog article I suggested above, we have prepared a helpful shell script. You can use it as a reference, or save it to a file named certly.sh and run it with bash:

#!/bin/bash
# Generates the broker keystore/truststore and the client keystore/truststore
# used for TLS and mutual TLS between a HiveMQ broker and an MQTT client.
# Requires keytool (from a JDK) and openssl on the PATH.
set -eu

defaultPass="changeme"
hostname="hivemq"

#hostname input (becomes the CN of the broker certificate; it must match the name clients connect to)
read -p "please input the hostname of the broker:  (default [$hostname]): " hostnameInput || true
hostname=${hostnameInput:-$hostname}   # keep the default hostname if the user skips this entry
echo "the hostname is:  $hostname"

#password input
read -p "please input the password you wish to use:  (default [$defaultPass]): " passInput || true
defaultPass=${passInput:-$defaultPass}   # keep the default password if the user skips this entry
echo "the password is:  $defaultPass"
#note: the password is passed to keytool/openssl on the command line below, so it is visible
#to other local users in the process list while those commands run

#default file names and passwords (one password for every store, for simplicity)
brokerCertName="server"
brokerKeystoreName="broker-keystore"
brokerKeystorePass=$defaultPass
brokerTruststoreName="broker-truststore"
brokerTruststorePass=$defaultPass
clientCertName="client-cert"
clientKeyName="client-key"
clientKeyPass=$defaultPass
clientKeystoreName="client-keystore"
clientKeystorePass=$defaultPass
clientName="client"
clientTruststoreName="client-truststore"
clientTruststorePass=$defaultPass

#check the time
time1=$(date +%s)
#create output directory (a new one per run, so earlier material is never overwritten)
outDirName="certs_$time1"
mkdir "$outDirName"
#goto output directory
pushd "$outDirName" >/dev/null

#create new broker .jks keystore holding the broker's RSA key pair and self-signed certificate
#(-storetype JKS is given explicitly: since Java 9 keytool defaults to PKCS12 regardless of the file extension;
# -keypass is given so keytool does not prompt for a separate key password)
keytool -genkeypair -keyalg RSA -keysize 2048 -alias "hivemq" -dname "CN=$hostname" -validity 360 \
    -keystore "$brokerKeystoreName.jks" -storetype JKS -storepass "$brokerKeystorePass" -keypass "$brokerKeystorePass"

#export broker's cert .pem from the keystore (-rfc = PEM output)
keytool -exportcert -alias "hivemq" -keystore "$brokerKeystoreName.jks" -storepass "$brokerKeystorePass" -rfc -file "$brokerCertName.pem"

#convert broker .pem certificate to DER .crt
openssl x509 -outform der -in "$brokerCertName.pem" -out "$brokerCertName.crt"

#import broker cert. into new client truststore (-noprompt replaces piping "yes" into keytool)
keytool -importcert -noprompt -file "$brokerCertName.crt" -alias "client" \
    -keystore "$clientTruststoreName.jks" -storetype JKS -storepass "$clientTruststorePass"

#generate a self-signed client certificate (.pem, private key encrypted with the chosen password) and convert it to DER .crt
openssl req -x509 -newkey rsa:2048 -keyout "$clientKeyName.pem" -out "$clientCertName.pem" -days 360 \
    -passout "pass:$clientKeyPass" -subj "/CN=$clientName"
openssl x509 -outform der -in "$clientCertName.pem" -out "$clientCertName.crt"

#import client-cert into the broker's truststore (this is what lets the broker authenticate the client for mutual TLS)
keytool -importcert -noprompt -file "$clientCertName.crt" -alias "client" \
    -keystore "$brokerTruststoreName.jks" -storetype JKS -storepass "$brokerTruststorePass"

#create client P12 keystore (client certificate plus its private key)
openssl pkcs12 -export -in "$clientCertName.pem" -inkey "$clientKeyName.pem" -out "$clientKeystoreName.p12" \
    -passin "pass:$clientKeyPass" -passout "pass:$clientKeystorePass"

#convert client P12 keystore to JKS keystore for Java clients
#(errors are no longer hidden with 2>/dev/null; the dest store password is the option keytool documents for -importkeystore)
keytool -importkeystore -srckeystore "$clientKeystoreName.p12" -srcstoretype PKCS12 -srcstorepass "$clientKeystorePass" \
    -destkeystore "$clientKeystoreName.jks" -deststoretype JKS -deststorepass "$clientKeystorePass"

#restore original directory
popd >/dev/null

echo "$outDirName"

If at any point you require further help, please do not hesitate to ask. Feel free to share your code and the text of any error messages that arise.

Kind regards,
Dasha from HiveMQ Team
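One way to check the material such a script produces before pointing a broker and a client at it, as an added example that is not part of the reply above or of HiveMQ's script. It builds the same kind of self-signed server and client certificates with openssl only (keytool and the JKS conversion are left out so the checks run without a JDK), then verifies three things that commonly go wrong: the server certificate actually matches the broker hostname, the PKCS#12 client keystore opens with the configured password, and the certificate inside that keystore is the same one that was imported into the broker truststore. The file names (server.pem, client-cert.pem, client-keystore.p12), the temporary demo directory, the hostname hivemq and the password changeme are assumptions chosen to mirror the script's defaults.

```shell
#!/bin/sh
# Added example, not part of the HiveMQ reply or its script: build self-signed server and
# client material with openssl only (same shape as the script's output, minus the JKS
# conversion) and run the checks worth doing before configuring broker and client.
# File names, the demo directory, hostname and password are assumptions for this example.
set -u

# Build the demo material (constructed for this example): self-signed server cert with
# CN = broker hostname, self-signed client cert (CN=client, key encrypted with the
# password) and a PKCS#12 client keystore holding that cert and key.
make_demo_material() {   # args: output-dir broker-hostname password
    dir="$1"; host="$2"; pass="$3"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 360 -subj "/CN=$host" \
        -keyout "$dir/server-key.pem" -out "$dir/server.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -days 360 -subj "/CN=client" -passout "pass:$pass" \
        -keyout "$dir/client-key.pem" -out "$dir/client-cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$dir/client-cert.pem" -inkey "$dir/client-key.pem" \
        -passin "pass:$pass" -passout "pass:$pass" -out "$dir/client-keystore.p12" 2>/dev/null || return 1
}

# Check 1: the server certificate must be valid for the hostname the client will dial.
# openssl verify fails with "hostname mismatch" otherwise. With a CN-only certificate
# like the script produces (no SAN), it is the CN that gets checked.
check_server_hostname() {   # args: server.pem expected-hostname
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Check 2: the PKCS#12 keystore must open with the password the client will be configured
# with; the file's MAC check fails on a wrong password, so openssl exits non-zero.
check_p12_password() {   # args: client-keystore.p12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

# Check 3: the certificate inside the client keystore must be the very certificate that
# went into the broker truststore, otherwise the broker rejects the client's handshake.
# Comparing SHA-256 fingerprints catches a mix-up between two runs of the script.
check_client_identity() {   # args: client-keystore.p12 password client-cert.pem
    fp_p12=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    fp_pem=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$fp_p12" ] && [ "$fp_p12" = "$fp_pem" ]
}

# Run all three checks against a directory laid out like the script's output.
check_all() {   # args: dir broker-hostname password
    check_server_hostname "$1/server.pem" "$2" \
        || { echo "server.pem does not match hostname $2"; return 1; }
    check_p12_password "$1/client-keystore.p12" "$3" \
        || { echo "client-keystore.p12 does not open with the given password"; return 1; }
    check_client_identity "$1/client-keystore.p12" "$3" "$1/client-cert.pem" \
        || { echo "certificate in client-keystore.p12 differs from client-cert.pem"; return 1; }
    echo "all checks passed for $1"
}

# Demo run: build constructed material in a temporary directory and check it.
demo_dir=$(mktemp -d)
make_demo_material "$demo_dir" hivemq changeme && check_all "$demo_dir" hivemq changeme
```

Because the script above writes server.pem, client-cert.pem and client-keystore.p12 with exactly these names and uses one password for every store, `check_all certs_<timestamp> hivemq changeme` can be run directly against its output directory. For an end-to-end test once the broker is up, `openssl s_client -connect <hostname>:<tls-port> -CAfile server.pem -cert client-cert.pem -key client-key.pem` performs the mutual-TLS handshake with the same material (it will ask for the client key's pass phrase).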