Generating and Setting Up a Certificate for Coreflux's MQTT Broker

Ensuring encrypted communication is pivotal for any IoT platform. This guide will walk you through the process of generating and setting up a certificate for the Coreflux MQTT Broker to ensure secure, encrypted communication.

Why Certificates?

Certificates play a crucial role in enhancing the security. They serve two primary purposes:

Authentication: Certificates help in verifying the identity of a website or service. When a user connects to a website with an SSL certificate, the user can be sure they're connecting to the intended server and not a malicious one.
Encryption: Certificates enable encrypted communication between the user's browser and the server. This ensures that any data exchanged remains confidential and safe from eavesdroppers.

While certificates issued by a Certificate Authority (CA) are ideal for production environments due to the trust factor, self-signed certificates can be useful for testing, development, and internal use. However, it's essential to understand that self-signed certificates will not be inherently trusted by clients and browsers, and additional configuration or exceptions might be needed to use them.

Self-Signed Certificate on Windows using OpenSSL

CyberSecurity Note

Just like with OpenSSL-generated certificates, self-signed certificates created using PowerShell won't be trusted by default on most systems. You might encounter warnings when using them in browsers or other systems that check for certificate trust. For development and testing purposes, you can manually trust the certificate on your system or configure your application to trust it. For production environments, it's recommended to use certificates issued by a trusted Certificate Authority (CA).

OpenSSL installed on your Windows machine. If you haven't installed it yet, you can download it from here.
Open a Command Prompt as Administrator:
- Search for "cmd" in the Windows search bar.
- Right-click on "Command Prompt" and select "Run as administrator."
Navigate to the OpenSSL's bin directory:
```
cd C:\path\to\OpenSSL\bin\
```
Generate a new private key: This key is the foundation for your certificate and ensures secure communication.
```
openssl genpkey -algorithm RSA -out privatekey.pem
```
Generate a self-signed certificate: This command will create a certificate based on the private key. You'll be prompted to enter details for the certificate, such as country, state, organization name, etc. Fill them in as appropriate.
```
openssl req -new -x509 -key privatekey.pem -out certificate.pem -days 365
```
(Optional) Combine the private key and certificate into a single .pfx file: A .pfx file is useful for systems or applications that require the certificate and private key to be bundled in a single file.
```
openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out certificate.pfx
```
You'll be prompted to set a password for the .pfx file. Remember this password, as you'll need it when configuring systems or services that use this certificate.

Self-Signed Certificate using PowerShell

Open PowerShell as Administrator:
- Search for "PowerShell" in the Windows search bar.
- Right-click on "Windows PowerShell" and select "Run as administrator."
Create a Self-Signed Certificate: Use the New-SelfSignedCertificate cmdlet to create a self-signed certificate. The following command creates a certificate for the local machine in the Personal store:
```
New-SelfSignedCertificate -DnsName "yourdomain.com" -CertStoreLocation "cert:\LocalMachine\My"
```
Export the Certificate and Private Key: If you need to export the certificate and its private key (e.g., for backup or to use on another machine), you can do so using the Certificate Manager (certmgr.msc) or PowerShell.
- Using Certificate Manager:
- Press Win + R, type certmgr.msc, and press Enter.
- Navigate to "Personal" > "Certificates".
- Find the certificate you just created (it should be listed under the name "yourdomain.com" or similar).
- Right-click on the certificate, select "All Tasks", then "Export".
- Follow the export wizard. When prompted, choose to export the private key and select the .PFX format.
- Using PowerShell:
```
$pwd = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\LocalMachine\My\<Thumbprint>" -FilePath "path\to\export\certificate.pfx" -Password $pwd
```
  Replace <Thumbprint> with the thumbprint of the certificate you just created and "path\to\export\certificate.pfx" with your desired export path.

Self-Signed Certificate On Linux

Open a terminal.
Navigate to a directory where you want to generate the certificate:
```
cd /path/to/directory/
```

Generate a new private key:

openssl genpkey -algorithm RSA -out privatekey.pem

Generate a self-signed certificate:
```
openssl req -new -x509 -key privatekey.pem -out certificate.pem -days 365
```
During this step, you'll be prompted to enter details for the certificate, such as country, state, organization name, etc. Fill them in as appropriate.
(Optional) Combine the private key and certificate into a single .pfx file:
```
openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out certificate.pfx
```
You'll be prompted to set a password for the .pfx file. Remember this password, especially if you intend to use it for configurations like the MQTT Broker.

Remember, self-signed certificates are not trusted by default on most systems. They are suitable for testing and development environments but for production, it's recommended to use certificates issued by a trusted Certificate Authority (CA).

Setting Up the Certificate in Coreflux's

Update the MQTT Broker Configuration

Edit the configuration JSON to include the path to your certificate and its password:

Linux

{
  ...
  "CertificatePath": "/directory/of/your/choice/certificate.pfx",  
  "CertificatePassword": "YourCertificatePassword",
  ...
}

Windows

{
  ...
  "CertificatePath": "C:\\directory\\of\\your\\choice\\certificate.pfx",  
  "CertificatePassword": "YourCertificatePassword",
  ...
}

Restart the MQTT Broker

After updating the configuration, you need to restart the Coreflux Central to apply the changes.

Linux

Reminder for Restarting Coreflux Service

Please note that the commands provided assume the default service name is "CorefluxCentral". If you have customized your Coreflux installation or if you are managing multiple instances, the service name may differ. Ensure you replace "CorefluxCentral" with the actual name of your service when executing the commands.

If you installed Coreflux using the direct method, simply stop the running instance and start it again:
```
./CorefluxCentral
```
or
```
sudo ./CorefluxCentral
```
If you set up Coreflux manually using systemd:
```
sudo systemctl restart corefluxcentral
```

Windows

If you installed Coreflux using the direct method, open a Command Prompt as an administrator and navigate to the directory where CorefluxCentral is located, then simply stop the running instance and start it again:
```
CorefluxCentral
```

If you set up Coreflux manually as a Windows service:

sc stop CorefluxCentral
sc start CorefluxCentral

Connect to the MQTT Broker using a MQTT client that supports encrypted communication. Ensure that the client is configured to use the TLS port specified in the broker's configuration.

With the self-signed certificate in place, the Coreflux MQTT Broker will now handle encrypted communication, enhancing the security of data in transit. Remember, self-signed certificates are great for testing and internal use, but for production environments, it's recommended to use certificates from trusted Certificate Authorities. Always ensure to renew your certificates before they expire and keep them secure to maintain the integrity and confidentiality of your IoT communications. With this you are able to prepare connection with the web using for instance Websockets.