Setting up the PKI infrastructure

How to setup the PKI infrastructure for MQTT in the United Manufacturing Hub

Introduction

A Public Key Infrastructure (PKI) is a system for issuing and validating digital certificates that bind public keys to identities. Each party holds a private key and a certificate for the matching public key, which lets parties authenticate each other and encrypt their traffic so that only authorized parties can access the information. Setting up a PKI is useful for securing communication in a production environment, such as between an MQTT broker and client devices. This article provides instructions for setting up a PKI for MQTT and the United Manufacturing Hub on an Ubuntu system. It also includes instructions for adding new clients to the infrastructure.

Prerequisites

Instructions

  1. Install easy-rsa by running the following command:

    sudo apt-get install easy-rsa
    
  2. Create a new directory and navigate to it:

    mkdir ~/UMH_PKI/ && cd ~/UMH_PKI/
    
  3. Enable easy-rsa batch mode so that the following commands run without interactive prompts:

    export EASYRSA_BATCH=1
    
  4. Set up the basic PKI infrastructure

    /usr/share/easy-rsa/easyrsa init-pki
    
  5. Copy the default configuration file and edit it to your liking, adjusting the values for EASYRSA_REQ_… and the CA and certificate validity as needed:

    cp /usr/share/easy-rsa/vars.example pki/vars
    
  6. Build the Certificate Authority (CA), replacing YOUR_CA_NAME with a name for your CA, such as UMH CA (keep the quotes if the name contains spaces):

    export EASYRSA_REQ_CN="YOUR_CA_NAME"
    /usr/share/easy-rsa/easyrsa build-ca nopass
    
  7. Create the server certificate, replacing mqtt.umh.app with your domain name:

    /usr/share/easy-rsa/easyrsa gen-req mqtt.umh.app nopass
    /usr/share/easy-rsa/easyrsa sign-req server mqtt.umh.app
    
  8. If you need to generate a certificate for an IP address instead of a domain name, use the following commands instead (replace 0.0.0.0 with your IP address):

    /usr/share/easy-rsa/easyrsa --subject-alt-name="IP:0.0.0.0" gen-req 0.0.0.0 nopass
    /usr/share/easy-rsa/easyrsa sign-req server 0.0.0.0
    
  9. Copy the private key pki/private/mqtt.umh.app.key, the public certificate pki/issued/mqtt.umh.app.crt, and the root CA pki/ca.crt to the MQTT broker’s configuration.

Adding New Clients

To add new clients, run the following commands (remember to replace TESTING with the planned MQTT client ID):

    export EASYRSA_REQ_CN=TESTING
    /usr/share/easy-rsa/easyrsa gen-req $EASYRSA_REQ_CN nopass
    /usr/share/easy-rsa/easyrsa sign-req client $EASYRSA_REQ_CN

This creates a new client certificate and key, named after the client ID: the certificate is written to pki/issued/TESTING.crt and the key to pki/private/TESTING.key. Copy ca.crt and the client certificate to the client device, and keep the client key in a secure location; it is needed on the client and must not be shared. The PKI infrastructure is now set up and ready to use for secure communication between the MQTT server and client devices.
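Once the server certificate (steps 7 to 9) and the client certificates above have been issued, it is worth checking each certificate and key pair before copying it to the broker or a client. The following script is an added example written for this page; it is not part of the United Manufacturing Hub documentation or of easy-rsa. It uses openssl, which easy-rsa itself drives, to check that a certificate chains to pki/ca.crt, that the key next to it actually belongs to it, that the extended key usage matches the sign-req type (server or client), and that a server certificate carries the Subject Alternative Name that MQTT clients will verify. File paths follow the pki/ layout from the steps above; the function name, argument order and invocation examples are choices made here, not easy-rsa conventions.

```shell
#!/bin/sh
# Post-issuance checks for certificates produced by the easy-rsa steps above.
# Added example (not UMH or easy-rsa code). Assumes the pki/ layout created by
# easyrsa (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key) and an
# openssl binary on PATH.
set -eu

# check_issued_cert CA_CRT CERT KEY TYPE [EXPECTED_SAN]
#   TYPE is the easyrsa sign-req type used: "server" or "client".
#   EXPECTED_SAN is written the way openssl prints it, e.g. "DNS:mqtt.umh.app"
#   or "IP Address:0.0.0.0"; leave it empty for client certificates.
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_issued_cert() {
    ca_crt=$1; crt=$2; key=$3; crt_type=$4; expected_san=${5:-}
    rc=0

    # 1. The certificate chains to our CA and is inside its validity period.
    if ! openssl verify -CAfile "$ca_crt" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca_crt"; rc=1
    fi

    # 2. The private key belongs to this certificate: the public key embedded
    #    in the certificate must equal the one derived from the key file.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi

    # 3. Extended key usage matches the sign-req type, so a client certificate
    #    cannot be reused to impersonate the broker and vice versa.
    case $crt_type in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "FAIL: unknown certificate type '$crt_type'"; return 1 ;;
    esac
    crt_text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null || true)
    if ! printf '%s\n' "$crt_text" | grep -qF "$want"; then
        echo "FAIL: $crt lacks extended key usage '$want'"; rc=1
    fi

    # 4. TLS clients match the broker name against the SAN, not the CN, so a
    #    server certificate must carry the name or address clients connect to.
    if [ -n "$expected_san" ]; then
        if ! printf '%s\n' "$crt_text" | grep -qF "$expected_san"; then
            echo "FAIL: $crt has no subjectAltName '$expected_san'"; rc=1
        fi
    fi
    return $rc
}

# Stand-alone use from ~/UMH_PKI, following the names used in the steps above:
#   sh check_pki.sh server mqtt.umh.app DNS:mqtt.umh.app
#   sh check_pki.sh client TESTING
if [ "$#" -ge 2 ]; then
    check_issued_cert pki/ca.crt "pki/issued/$2.crt" "pki/private/$2.key" "$1" "${3:-}"
fi
```

If the SAN check fails for a server certificate, regenerate the request with `--subject-alt-name="DNS:mqtt.umh.app"`, the same option step 8 uses for IP addresses, and sign it again; a certificate whose only name is the CN is rejected by current TLS clients.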

Last modified February 17, 2023: update (#208) (ea731fc)