
Configuring Certificates in Coreflux Hub

This documentation outlines the steps to configure certificates for the broker in Coreflux Hub, enabling different levels of secure communication using TLS and mutual TLS (mTLS).

Overview

Secure communication in Coreflux Broker relies on certificates to ensure authentication and encryption. Here is a breakdown of the main components and their roles:

  • Server Certificate: This certificate authenticates the broker to clients. It ensures that clients are communicating with a legitimate server by proving the broker's identity.

  • Root CA Certificate: The root CA certificate is the trust anchor of the chain of trust. Clients use a copy of it to validate the broker's server certificate, and the broker uses the copy configured in RootCACertificatePath to validate client certificates, confirming in each case that the certificate was issued by the trusted Certificate Authority.

  • Client Certificates: These certificates are presented by clients (optional, for mutual TLS). The broker validates client certificates to determine which clients can connect securely. By organizing client certificates into trusted and untrusted folders, the broker can allow or deny connections from specific clients.

  • TLS (Transport Layer Security): TLS ensures that the communication between the client and broker is encrypted and secure. In this setup, the server proves its identity to the client using its certificate, but the client is not required to authenticate itself to the broker.

  • Mutual TLS (mTLS): In mTLS, both the broker and the client validate each other’s certificates. This ensures a higher level of trust and security by requiring both parties to prove their identities during the handshake.

  • Certificate Revocation Lists (CRLs): CRLs let you block connections from specific clients whose certificates would otherwise validate. In Coreflux Hub the revocation list is a folder of client certificate files (Untrusted Clients) rather than a signed X.509 CRL file; the broker denies access to any client that presents a certificate found in that folder.

This guide walks through the process of configuring these certificates to enable TLS and mTLS communication in the broker, ensuring secure data transfer and client authentication.

Pre-Requisites

File Structure

Before starting the configuration, ensure the certificates are stored in the correct directories:

For Windows

  1. Navigate to the broker's directory (default location):

    C:\Users\YourUser\AppData\Roaming\corefluxhub\YourBroker\
    

  2. Create the following folder structure inside it:

    Certificates
      • Trusted Clients (client certificates that are allowed to connect)
      • Untrusted Clients (client certificates whose connections should be blocked)

  3. Place the certificates in their respective locations:

    • Server Certificate: Certificates\server.pfx
    • Root CA Certificate: Certificates\rootCA.pem
    • Trusted Client Certificates: Certificates\Trusted Clients
    • Untrusted Client Certificates (optional): Certificates\Untrusted Clients

Certificate Files

  • ServerCertificatePath: Path to the server's .pfx file.
  • ServerCertificatePassword: Password protecting the server's .pfx (PKCS#12) file, i.e. the export password chosen when the file was created.
  • RootCACertificatePath: Path to the rootCA.pem file.
  • ClientCertificateSourcePath: Path to the Trusted Clients directory.
  • ClientCertificateRevocationListPath (optional): Path to the Untrusted Clients directory.
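
The following PowerShell script is an added example and is not part of the Coreflux documentation or tooling. It creates the folder structure described above with the Windows built-in PKI cmdlets, issues a private test root CA, a server certificate exported as server.pfx, and one client certificate whose public half is placed in Trusted Clients, and then checks that both leaf certificates chain to rootCA.pem. The broker name YourBroker, the host name broker.example.local, the client name sensor-01 and the .pem format for client certificates in Trusted Clients are assumptions; the page does not state which client certificate file formats the broker reads.

```powershell
# Added example, not Coreflux's own tooling. Requires Windows PowerShell 5.1+
# with the PKI module (New-SelfSignedCertificate, Export-PfxCertificate).
# Assumptions: broker folder name "YourBroker", broker host name
# "broker.example.local", client name "sensor-01", and that the broker reads
# PEM-encoded client certificates from the Trusted Clients folder.
$BrokerDir   = "$env:APPDATA\corefluxhub\YourBroker"
$CertDir     = Join-Path $BrokerDir 'Certificates'
$PfxPassword = Read-Host -Prompt 'Password for server.pfx (ServerCertificatePassword)' -AsSecureString

# 1. Folder structure from the "File Structure" section (note the spaces in the folder names).
foreach ($d in @($CertDir, "$CertDir\Trusted Clients", "$CertDir\Untrusted Clients")) {
    New-Item -ItemType Directory -Path $d -Force | Out-Null
}

# Writes only the public certificate as PEM; the private key never leaves the store or .pfx.
function Export-PemCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Path
    )
    $b64   = [Convert]::ToBase64String($Certificate.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    Set-Content -Path $Path -Value $pem -Encoding ascii
}

# 2. Root CA: self-signed, CA=true, pathlength=0 so it can only issue end-entity certificates.
$ca = New-SelfSignedCertificate -Type Custom -Subject 'CN=Coreflux Test Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign,CRLSign,DigitalSignature `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Server certificate signed by the CA. The SAN must match the name clients connect to.
$server = New-SelfSignedCertificate -Type SSLServerAuthentication -Subject 'CN=broker.example.local' `
    -DnsName 'broker.example.local','localhost' -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) -CertStoreLocation 'Cert:\CurrentUser\My'
Export-PfxCertificate -Cert $server -FilePath (Join-Path $CertDir 'server.pfx') -Password $PfxPassword | Out-Null

# 4. Root CA public certificate in PEM, for RootCACertificatePath.
Export-PemCertificate -Certificate $ca -Path (Join-Path $CertDir 'rootCA.pem')

# 5. One mTLS client certificate (EKU clientAuth). The .pfx with the private key is for the
#    client device only; the broker receives just the public certificate in Trusted Clients.
$client = New-SelfSignedCertificate -Type Custom -Subject 'CN=sensor-01' -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature,KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(1) -CertStoreLocation 'Cert:\CurrentUser\My'
Export-PfxCertificate -Cert $client -FilePath (Join-Path $env:TEMP 'sensor-01.pfx') -Password $PfxPassword | Out-Null
Export-PemCertificate -Certificate $client -Path (Join-Path $CertDir 'Trusted Clients\sensor-01.pem')

# 6. Self-check: the leaf must chain to exactly the root written to rootCA.pem.
function Test-ChainsToRoot {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [Parameter(Mandatory)][string]$RootPemPath
    )
    $root  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootPemPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # The test root is not in the Windows trusted root store; tolerate only that one condition.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built    = $chain.Build($Leaf)
    $elements = @($chain.ChainElements)
    return ($built -and ($elements[-1].Certificate.Thumbprint -eq $root.Thumbprint))
}

$rootPem = Join-Path $CertDir 'rootCA.pem'
"server.pfx chains to rootCA.pem: $(Test-ChainsToRoot -Leaf $server -RootPemPath $rootPem)"
"sensor-01  chains to rootCA.pem: $(Test-ChainsToRoot -Leaf $client -RootPemPath $rootPem)"
# Clean-up reminders: the CA private key stays in Cert:\CurrentUser\My on this machine, and
# sensor-01.pfx in $env:TEMP must be moved to the client device and deleted here.
```

After running it, ServerCertificatePath, RootCACertificatePath and ClientCertificateSourcePath point at the files the script wrote, and ServerCertificatePassword is the password entered at the prompt. For anything beyond a test deployment, issue the certificates from a managed CA instead of leaving the CA key in a user's certificate store.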

Configuring Certificates in Coreflux Hub

Access the Broker

  1. Open Coreflux Hub and log in.
  2. Navigate to the Configuration section in the left menu
  3. Find the broker you want to configure and click the three dots button.
  4. Select Hub Config to open the broker configuration modal.

Input Certificate Paths

ServerCertificatePath

Enter the path to the server's .pfx file:

C:\Users\YourUser\AppData\Roaming\corefluxhub\YourBroker\Certificates\server.pfx

ServerCertificatePassword

Provide the password used when generating the .pfx file.

RootCACertificatePath

Enter the path to the Root CA file:

C:\Users\YourUser\AppData\Roaming\corefluxhub\YourBroker\Certificates\rootCA.pem

ClientCertificateSourcePath

Enter the path to the Trusted Clients directory:

C:\Users\YourUser\AppData\Roaming\corefluxhub\YourBroker\Certificates\Trusted Clients

ClientCertificationValidation (optional for mTLS)

Check the checkbox to enable validation of client certificates on the server side.

ClientCertificateRevocationListPath (optional for blocking specific clients)

Enter the path to the Untrusted Clients directory:

C:\Users\YourUser\AppData\Roaming\corefluxhub\YourBroker\Certificates\Untrusted Clients

Check the checkbox for CheckCertificateRevokationList to block connections from clients with certificates in this folder.

Save and Restart the Broker

  1. Click Save to apply the configuration.
  2. Restart the broker to activate the changes.

Example Use Cases

TLS (Server Authentication Only)

  • Configure ServerCertificatePath, ServerCertificatePassword, and RootCACertificatePath.
  • Do not enable ClientCertificationValidation.
  • The broker authenticates to the client, but no client authentication is performed.

mTLS (Mutual Authentication)

  • Configure all paths:
      • ServerCertificatePath, ServerCertificatePassword, and RootCACertificatePath.
      • ClientCertificateSourcePath for trusted clients.
  • Check ClientCertificationValidation so that the broker requires and validates a client certificate issued by the configured Root CA.
  • Optionally configure ClientCertificateRevocationListPath to block specific clients.

TLS with Specific Client Blocking

  • Configure the paths as above, including ClientCertificateSourcePath, and enable ClientCertificationValidation: blocking works by matching the certificate a client presents, so it presupposes that clients present certificates.
  • Add the certificates of the clients to be blocked to Untrusted Clients.
  • Set ClientCertificateRevocationListPath to that folder and enable CheckCertificateRevokationList.

Notes

  • Keep private keys where they are used: each client's private key stays on that client, and the broker only needs the clients' public certificates in Trusted Clients and Untrusted Clients. The broker's own private key is inside server.pfx and its password is saved in the Hub configuration, so restrict filesystem access to the broker directory to the account that runs the broker.
  • Restart the broker after any certificate configuration changes.

By following these steps, you can configure your Coreflux broker for secure TLS and mTLS communication.