Upload Certificate Authority

ludobar
ludobar Member Posts: 10

Hi everyone :),
I've been searching in the documentation and in the community forums for a while but I did not find the answers I need.
I would like to enable TLS both on my PubSub+ Cloud service and on my PubSub+ broker running in a Docker container.
What I got so far is that I need to upload a server certificate on my broker (both on the cloud instance and on the Docker one, I think). So I generated an autosigned certificate on my machine and I tried to add it to the cloud instance (Cluster Manager -> Manage -> Certificate Authority), but it responds with an "Invalid certificate" error. Maybe the problem is my autosigned certificate and I need to find another way to create one.
Speaking about the broker running on my machine, I managed to connect via ssh to the broker CLI, but still, I don't know how to upload the certificate.
I am sorry if these sound like dummy questions, but I am still new to the subject. Any help would be really helpful and, please, be patient :D
Thank you!


Comments

  • uherbst
    uherbst Member, Employee Posts: 121 Solace Employee

    Hi ludobar,
    "How to upload the certificate to your local broker":
    Step 1: Upload the file itself. This is described here: https://solace.community/discussion/316/how-to-copy-files-to-from-a-solace-broke.
    The cert has to be copied to /usr/sw/jail/certs/ (inside the docker container).
    Step 2: Configure the certificate:
    enable configure ssl server-certificate <filename-of-your-cert>
    "How to upload the certificate to your cloud broker":
    You can't do that. Cloud brokers have a pre-defined server certificate.
    If you want to see details about that:
    openssl s_client -connect <IP-or_name-for-your-cloud-broker>:55443

    Feel free to ask again, if something is unclear.

  • swenhelge
    swenhelge Member, Employee Posts: 77 Solace Employee

    The pitfall with setting the server certificate as described by @uherbst is that the file uploaded needs to contain both certificate and private key, concatenated. Both in PEM format.
    There was a recent discussion, I think this may help:
    https://solace.community/discussion/comment/1243
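
Added example, not part of the original thread and not Solace's own code: a Python pre-upload check for the pitfall described above, that the server-certificate file must hold both the certificate and the private key in PEM format. The function names and the sample blocks (placeholder bytes, not real key material) are constructed for illustration.

```python
import base64
import re
import ssl

# A PEM block is a labelled BEGIN/END pair around base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every PEM block, rejecting damaged base64 bodies."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label} block is not valid base64") from None
        labels.append(label)
    return labels

def check_server_cert_file(text):
    """List layout problems; an empty list means cert and key are both present."""
    try:
        labels = pem_labels(text)
    except ValueError as exc:
        return [str(exc)]
    if not labels:
        return ["no PEM blocks found (DER or other non-PEM input?)"]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    keys = [name for name in labels if name.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block")
    elif len(keys) > 1:
        problems.append("more than one private key block")
    return problems

def key_matches_certificate(path):
    """For a real file: True if OpenSSL loads cert and key from it as a pair."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
        return True
    except ssl.SSLError:
        return False

def make_block(label, payload):
    """Build a constructed PEM block around placeholder bytes."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

CERT_ONLY = make_block("CERTIFICATE", b"constructed placeholder certificate")
COMBINED = CERT_ONLY + make_block("PRIVATE KEY", b"constructed placeholder key")
```

`check_server_cert_file` only inspects the layout of the text; `key_matches_certificate` needs the path of a real combined file and confirms that the key belongs to the certificate.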

  • ludobar
    ludobar Member Posts: 10

    @swenhelge said:
    The pitfall with setting the server certificate as described by @uherbst is that the file uploaded needs to contain both certificate and private key, concatenated. Both in PEM format.
    There was a recent discussion, I think this may help:
    https://solace.community/discussion/comment/1243

    Thank you, I set the server certificate and it seems to have accepted it!

  • ludobar
    ludobar Member Posts: 10

    @uherbst said:
    Hi ludobar,
    "How to upload the certificate to your local broker":
    Step 1: Upload the file itself. This is described here: https://solace.community/discussion/316/how-to-copy-files-to-from-a-solace-broke.
    The cert has to be copied to /usr/sw/jail/certs/ (inside the docker container).
    Step 2: Configure the certificate:
    enable configure ssl server-certificate <filename-of-your-cert>
    "How to upload the certificate to your cloud broker":
    You can't do that. Cloud brokers have a pre-defined server certificate.
    If you want to see details about that:
    openssl s_client -connect <IP-or_name-for-your-cloud-broker>:55443

    Feel free to ask again, if something is unclear.

    Thank you!
    About the cloud broker, do I have to download the PEM certificate provided on "connect -> solace Messaging" and add it to my truststore?
    I need to enable TLS/SSL encryption to connect to the cloud on port 8883 via MQTT.

  • swenhelge
    swenhelge Member, Employee Posts: 77 Solace Employee
    edited October 2020 #6

    The cloud broker has the MQTTS port 8883 enabled by default. An MQTT client library typically requires a trust store or trusted CA, and that is what you would use the PEM file for that you can download from the cloud console.