Upload Certificate Authority

Hi everyone :),
I’ve been searching in the documentation and in the community forums for a while but I did not find the answers I need.
I would like to enable TLS both on my PubSub+ Cloud service and on my PubSub+ broker running in a Docker container.
What I got so far is that I need to upload a server certificate on my broker (both on the cloud instance and on the Docker one, I think). So I generated an autosigned certificate on my machine and I tried to add it to the cloud instance (Cluster Manager → Manage → Certificate Authority), but it responds with an “Invalid certificate” error. Maybe the problem is my autosigned certificate and I need to find another way to create one.
Speaking about the broker running on my machine, I managed to connect via ssh to the broker CLI, but still, I don’t know how to upload the certificate.
I am sorry if these sound like dummy questions, but I am still new to the subject. Any help would be really helpful and, please, be patient :smiley:
Thank you!

Hi ludobar,
“How to upload the certificate to your local broker”:
Step 1: Upload the file itself. This is described here: How to copy files to/from a Solace broker — Solace Community.
The cert has to be copied to /usr/sw/jail/certs/ (inside the docker container).
Step 2: Configure the certificate:
enable
configure
ssl
server-certificate <filename-of-your-cert>
“How to upload the certificate to your cloud broker”:
You can’t do that. Cloud brokers have a pre-defined server certificate.
If you want to see details about that:
openssl s_client -connect <IP-or_name-for-your-cloud-broker>:55443

Feel free to ask again, if something is unclear.

The pitfall with setting the server certificate as described by @uherbst is that the file uploaded needs to contain both certificate and private key, concatenated. Both in PEM format.
There was a recent discussion, I think this may help:
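
Added example, not part of the thread and not Solace's own tooling: a shell sketch that builds the single PEM file described above and checks, before upload, that it holds both a certificate and the matching private key. The function names, file names, the test CN and the certificate-then-key order are assumptions made for illustration.

```shell
#!/bin/sh
# make_server_pem <out.pem> <common-name>
# Creates a throwaway self-signed certificate and key (lab use only) and
# concatenates them into one PEM file.
make_server_pem() {
    out=$1; cn=$2
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$cn" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        2>/dev/null || { rm -rf "$tmp"; return 1; }
    # The output contains the private key, so create it readable by owner only.
    # Order (certificate first, then key) is an assumption of this example.
    ( umask 077; cat "$tmp/cert.pem" "$tmp/key.pem" > "$out" ); rc=$?
    rm -rf "$tmp"
    return $rc
}

# check_server_pem <file.pem>
# Returns 0 only if the file holds a certificate and a private key whose
# public halves are identical; prints the reason on stderr otherwise.
check_server_pem() {
    f=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no certificate in $f" >&2; return 1; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo "no private key in $f" >&2; return 1; }
    # Public key as recorded in the certificate.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    # Public key derived from the private key; the empty -passin stops
    # openssl from prompting if the key turns out to be encrypted.
    key_pub=$(openssl pkey -in "$f" -passin pass: -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate in $f" >&2; return 1; }
}
```

Run `check_server_pem` on the file before copying it to /usr/sw/jail/certs/; a non-zero exit means the file is missing one of the two parts or the key belongs to a different certificate.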

Thank you, I set the server certificate and it seems to have accepted it!

Thank you!
About the cloud broker, do I have to download the PEM certificate provided on “connect → solace Messaging” and add it to my truststore?
I need to enable TLS/SSL encryption to connect to the cloud on port 8883 via MQTT.

The cloud broker has the MQTTS port 8883 enabled by default. An MQTT client library typically requires a trust store or trusted CA, and that is what you would use the PEM file for, which you can download from the cloud console.