In order to encrypt your device to a cloud connection, you have to use an encrypted connection. You can connect to an MQTT broker using an unsecured connection where your credentials and data can be easily exposed to unwanted entities. IoTaaP and some other platforms and IoT devices are using secure MQTT(S) connections. Certificates can be provided by some entity or generated by the system and then deployed to the server and device. The same principle is also applicable for so-called OTA (Over The Air) updates, where a new firmware version is delivered over a secured network connection.

We will use OpenSSL to create our certificates. We have to connect to our server using SSH and first, we have to generate our Root CA key, it will be 2048 bits long and it’s generated using the following line:

Next, we will use the previously generated key to build our Root certificate using the following line, it will be valid for 730 days (2 years). The root certificate can be generated using the following line:

After running this command you will be asked to enter some important data in order to generate a certificate, we will do it in the following way:

• Country: Your 2 letter country code
• State: Your state
• City: empty (press ENTER)
• Company: Your company name or something similar
• Unit: empty
• FQDN: mqtt.<your-domain> (it’s important to use your real domain in order to make these certificates work)
• Email: empty

In the case of using some Certificate Authority (CA), this step is done by them, but since we are creating our own certificates, we will act as CA. Next, for every server or a client, we have to generate a separate key and then request the certificate from CA using CSR (Certificate Signing Request). This process is pretty much similar to the process when we were generating the key in order to be able to access our DigitalOcean instance.

First, we have to generate our MQTT server certificate key using the following line:

Next, we have to create a certificate signing  request (CSR) for our server from our Certificate Authority (CA) by using the following line:

After running this command you will be asked to enter similar data as before, just be sure to use your real domain in the FQDN field, additionally, you will be asked to enter a challenge password and optional company name, but you can just press ENTER.

Finally, we will issue a certificate for our server that will also be valid for 2 years, this will be done using the following line:

After running this command, if everything is fine, the system will confirm that signature is fine, list some details, and generate a server certificate!

Note that OpenSSL will generate an additional file CloudRootCA.srl where it will store your certificate’s unique serial numbers.

We can use the same procedure as we used for generating server certificates in order to generate one for our hardware device, just start by generating a new “device key”, proceed with generating CSR and finally issue the certificate for your hardware device!

This whole procedure is completely automated by the IoTaaP Cloud system, and the only thing you have to do is to add the final certificate to your IoT device, everything else will be handled by IoTaaP.