How to use MQTT integration after generating all three client certificates on the application

Hello @brocaar,

I have successfully generated three client certificates for a particular application, which are the CA certificate, TLS certificate and TLS key.

Now my question is where & how can I use these generated certificates.

I have no clarity on what to do next after generating these certificates in the ChirpStack Application Server's application.

Thank you so much

@brocaar Please suggest.

I have opened port 8883 on my server and edited the listener for MQTT TLS, but I'm still not able to use the MQTT integration. Please help, I'm stuck.

The exact steps depend on your setup, but this should give you some hints:

The CA certificate that you generated will be used to sign the server and client-certificates. You need to configure this CA certificate + key in the chirpstack-network-server.toml configuration:

  # Gateway settings.
  [network_server.gateway]
  # CA certificate and key file (optional).
  #
  # When setting the CA certificate and key file options, ChirpStack Network Server
  # will generate client certificates which can be used by the gateway for
  # authentication and authorization. The Common Name of the certificate will
  # be set to the Gateway ID.
  ca_cert=""
  ca_key=""

Then you generate a server-certificate and sign this server-certificate with the CA. This server-certificate will be used by the MQTT broker (e.g. Mosquitto). In the MQTT broker you configure the CA certificate, server certificate + key.

You also change your MQTT broker configuration so that it requires a client-certificate from clients connecting to it and uses the CN from the client-certificate as username. You probably want to set up an ACL to make sure that clients can only connect to their own topics. For example gateway/%u/# and application/%u/# (in this case the %u would be automatically replaced by the value of the CN field in the client-certificate).

Once you generate the client-certificate within the ChirpStack web-interface, you configure the CA, client-certificate + key in the chirpstack-gateway-bridge.toml file.

2 Likes
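The broker side of the setup described in the answer above, written as a Mosquitto TLS listener plus the ACL file it refers to. This is an added example, not configuration from the original post or from the ChirpStack project; all file paths are assumptions, and the two files are shown in one block.

```conf
# --- Mosquitto listener configuration, e.g. /etc/mosquitto/conf.d/tls.conf (assumed path) ---

# TLS listener on the port opened in the question
listener 8883

# CA certificate that signed both the server and the client certificates
cafile /etc/mosquitto/certs/ca.crt

# Server certificate signed by that CA, and its private key
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# Refuse any client that does not present a certificate signed by the CA
require_certificate true

# Take the MQTT username from the CN of the client certificate
# (this is the value substituted for %u in the ACL below)
use_identity_as_username true

# No unauthenticated sessions; every client is confined by the ACL file
allow_anonymous false
acl_file /etc/mosquitto/acl

# --- ACL file, /etc/mosquitto/acl (assumed path) ---

# %u is replaced by the username, i.e. the certificate CN, so each
# client can only publish and subscribe under its own ID
pattern readwrite gateway/%u/#
pattern readwrite application/%u/#
```

With `require_certificate true`, a client that connects to port 8883 without presenting a certificate signed by the configured CA is rejected during the TLS handshake, before any MQTT traffic is exchanged.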