Adding TLS certificates to Chirpstack

Hello, I’m new to this, so please excuse my stupid questions if I have some.

I’d like to know how exactly I should configure my TLS certificates. In the chirpstack-certificates README is:

But in the configuration file for the NS these parameters occur more than once. To which part of the NS should I add these paths?

And how do I know I installed TLS right?

Also, I don’t see any as_public_id parameter here. Am I looking in the wrong place?


The TLS options appear multiple times because there are TLS configurations for various features of the NS. You should configure the options as required. Here are the areas to configure listed within the example chirpstack-network-server.toml file:

  • network_server.api: Network Server API (for Application Server to use)
  • network_server.gateway.backend: comms between gateway (bridge) ↔ network server
  • join_server.servers: for each join server, if you have multiple join servers.
  • join_server.default: for the default join server.
  • network_controller: for the network controller, if you have one.
  • roaming.api: for roaming API. I’m not sure how roaming works, but I guess you would only need it if your devices can roam between networks.
  • roaming.servers: similar to roaming.default, but per-server.
  • roaming.default: for the default roaming server.

“network_server.gateway” appears to have options for automatically generating certificates for gateway (bridges?).

The join server handles joining and this appears to be part of the application server module.

Of course, we are only talking about what to configure within the NS itself. Do remember to configure TLS in the other components too, such as the Application Server (AS) and Gateway Bridge (GWB). If you want to enable TLS for the backend comms like MQTT, I suppose this means you need to configure TLS for the MQTT broker as well.

I cannot find anything about this option either. It is vaguely mentioned a few times in old posts and also as a command-line option (as-public-id), but there is nothing in the documentation.

I think @brocaar would be better to comment on what this should be (or was).

Thank you so much for the explanation!