Upload Certificate Authority

Member Posts: 10

Hi everyone :),
I've been searching in the documentation and in the community forums for a while but I did not find the answers I need.
I would like to enable TLS both on my PubSub+ Cloud service and on my PubSub+ broker running in a Docker container.
What I got so far is that I need to upload a server certificate on my broker (both on the cloud instance and on the Docker one, I think). So I generated an autosigned certificate on my machine and I tried to add it to the cloud instance (Cluster Manager -> Manage -> Certificate Authority), but it responds with an "Invalid certificate" error. Maybe the problem is my autosigned certificate and I need to find another way to create one.
Speaking about the broker running on my machine, I managed to connect via ssh to the broker CLI, but still, I don't know how to upload the certificate.
I am sorry if these sound like dummy questions, but I am still new to the subject. Any help would be really helpful and, please, be patient :D
Thank you!

Comments

  • Member, Employee Posts: 130 Solace Employee

    Hi ludobar,
    "How to upload the certificate to your local broker":
    Step 1: Upload the file itself. This is described here: https://solace.community/discussion/316/how-to-copy-files-to-from-a-solace-broke.
    The cert has to be copied to /usr/sw/jail/certs/ (inside the docker container).
    Step 2: Configure the certificate:
    enable configure ssl server-certificate <filename-of-your-cert>
    "How to upload the certificate to your cloud broker":
    You can't do that. Cloud brokers have a pre-defined server certificate.
    If you want to see details about that:
    openssl s_client -connect <IP-or_name-for-your-cloud-broker>:55443

    Feel free to ask again, if something is unclear.

  • Member, Employee Posts: 80 Solace Employee

    The pitfall with setting the server certificate as described by @uherbst is that the file uploaded needs to contain both certificate and private key, concatenated. Both in PEM format.
    There was a recent discussion, I think this may help:
    https://solace.community/discussion/comment/1243
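
A pre-upload check for the combined file described in the comment above, as an added example that is not part of the original thread or Solace's own tooling. It confirms the file holds a PEM certificate plus exactly one PEM private key, and `key_matches_cert` asks OpenSSL (through Python's `ssl` module) whether the two belong together; the function names and the fake sample blocks are constructed for illustration.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
# Unencrypted key labels only; passphrase-protected keys are out of scope here.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _fake_block(label, payload=b"constructed sample bytes"):
    # Builds a PEM-shaped block for the demo; it is NOT a real cert or key.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def check_combined_pem(text):
    """Return a list of structural problems (empty list = cert + key present)."""
    problems, labels = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    keys = [name for name in labels if name in KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected 1 private key block, found {len(keys)}")
    return problems


def key_matches_cert(path):
    """True if OpenSSL loads cert and key from one file and they match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=path)  # key is read from the same file
        return True
    except ssl.SSLError:
        return False


CERT_ONLY = _fake_block("CERTIFICATE")                       # the pitfall
COMBINED = _fake_block("CERTIFICATE") + _fake_block("PRIVATE KEY")

if __name__ == "__main__":
    print(check_combined_pem(CERT_ONLY))
    print(check_combined_pem(COMBINED))
```

Run `key_matches_cert` against the real combined file before copying it to the broker; the fake sample blocks only exercise the structural check.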

  • Member Posts: 10

    @swenhelge said:
    The pitfall with setting the server certificate as described by @uherbst is that the file uploaded needs to contain both certificate and private key, concatenated. Both in PEM format.
    There was a recent discussion, I think this may help:
    https://solace.community/discussion/comment/1243

    Thank you, I set the server certificate and it seems to have accepted it!

  • Member Posts: 10

    @uherbst said:
    Hi ludobar,
    "How to upload the certificate to your local broker":
    Step 1: Upload the file itself. This is described here: https://solace.community/discussion/316/how-to-copy-files-to-from-a-solace-broke.
    The cert has to be copied to /usr/sw/jail/certs/ (inside the docker container).
    Step 2: Configure the certificate:
    enable configure ssl server-certificate <filename-of-your-cert>
    "How to upload the certificate to your cloud broker":
    You can't do that. Cloud brokers have a pre-defined server certificate.
    If you want to see details about that:
    openssl s_client -connect <IP-or_name-for-your-cloud-broker>:55443

    Feel free to ask again, if something is unclear.

    Thank you!
    About the cloud broker, do I have to download the PEM certificate provided on "connect -> solace Messaging" and add it to my truststore?
    I need to enable TLS/SSL encryption to connect to the cloud on port 8883 via MQTT.

  • Member, Employee Posts: 80 Solace Employee
    edited October 2020 #6

    The cloud broker has the MQTTS port 8883 enabled by default. An MQTT client library typically requires a trust store or trusted CA, and that is what you would use the PEM file for that you can download from the cloud console.
