Appendixes PKI keys and certificates TLS client with MQTT Sample configurations as MQTT-TLS client
April 13, 2023 at 2:40 AMSample configurations as MQTT/TLS client
The following paragraphs describe how to connect the SpringCore device to the SpringCard MQTT server for testing purposes, or to your own MQTT server, using only ECC key 0D and predefined SpringCard-supplied certificate 0D.
Connecting to mqtt.springcard.com
Principles
mqtt.springcard.com is a MQTT server set-up and managed by SpringCard to help customers test and adopt the SpringCore+MQTT architecture.
The certificate of the SpringCore Client CA is already known by the MQTT server and any client owning a certificate signed by this CA is allowed to connect. Therefore, any genuine SpringCore device is allowed to connect to this server and to publish (within its own topic).
The MQTT server features a readonly, open access through its WebSocket port, and the web page https://mqtt.springcard.com shows the message that are pushed by the devices in realtime. Alternatively developers may use a PC-based MQTT client software (such as MQTT Explorer) to connect (with a readonly access) to the MQTT server. The procedure to obtain a client certificate is detailed in the SDK.
This is usefull for developments, tests and demos, but shall not be used for production since all the messages going through the server could be observed publicly.
Device configuration
To connect your SpringCore device to publish on mqtt.springcard.com, configure the device as follow:
| Register | Content |
|---|---|
0280 IPv4 Settings |
IPv4 parameters (address, mask, gateway, DNS servers) Leave empty for DHCP operation |
0285 MQTT : Network ports |
Listen port of the MQTT server Leave empty for default value 8883 |
0286 MQTT : Server |
Hostname of MQTT server:"mqtt.springcard.com" |
0288 MQTT : TLS Options |
Use the following settings: - TLS enabled - SNI enabled - Verify CN (Server Name) - Verify server certificate - Verify public key only - Server certificate is in slot 7 ( 07)- Enable client authentication - Client certificate is in slot 13 ( 0D)- Client private key is in ATECC - Client private key is in slot 13 ( 0D)- Don’t chain CA certicate with client certificate The value to put in the register is therefore 13078D4D00 |
0289 MQTT : Client Options |
Use the following settings: - QoS used for subscribing: 1 - QoS used for publishing: 1 - Don’t create topic before subscribe - Disable Last Will Message - Disable Retained Messages - Connection timeout: 30s - Response timeout: 3s - Keep alive interval: 10s - Status publish interval: 30s - Reconnect interval: 30s The value to put in the register is therefore 5014030A1E1E |
028B MQTT : Login |
Must be empty. Authentication relies on TLS certificate and private key only. |
028C MQTT : Password |
Must be empty. Authentication relies on TLS certificate and private key only. |
028D MQTT : Client ID |
Leave empty. Doing so, the device uses its Serial Number as Client ID. |
028E MQTT : Topic prefix |
Leave empty. Doing so, the device’s topics are under "springcard/springcore". |
028F MQTT : Device ID |
Leave empty. Doing so, the device uses its Serial Number as Device ID. |
02C0 Main configuration : Profile |
Set to 64 for Smart Reader operation through MQTT client |
The certificate of the server need to be stored at the slot 7 in the device.
If you have the SpringCore Tools installed, just run the command
> SpringCoreConfig --url https://docs.springcard.com/books/SpringCore/Appendixes/PKI_keys_and_certificates/TLS_client_with_default_certificate/springcore-mqtt-springcard.json
(you may have to specifiy how the software shall connect to the SpringCore device at the end of the command-line).
You may also download the springcore-mqtt-springcard.json file manually and edit its content as required.
Testing
Launch a web browser and go to mqtt.springcard.com to see the events coming from active SpringCore devices in realtime.
Reset your SpringCore device to apply the new configuration, and watch for its serial number (DeviceId) in the incoming event.
Connecting to AWS IoT Core
WARNING: PRELIMINARY INFORMATION - SERVICE IS NOT YET AVAILABLE
Amazon Web Services (AWS) is the most popular cloud service provider in the world. AWS IoT is a set of protocols and services specifically designed to connect IoT devices with cloud solutions. AWS IoT Core is a message broker that supports a subset of the MQTT protocol.
SpringCard has set-up an AWS IoT Core MQTT instance and makes it available to its customers for development, test and demonstration purposes.
The certificate of the SpringCore Client CA is already known by this instance of AWS IoT Core, and any client owning a certificate signed by this CA is allowed to connect. Therefore, any genuine SpringCore device is allowed to connect to this instance and to publish (within its own topic).
The MQTT server features a readonly, open access through its WebSocket port, and the web page https://mqtt.springcard.com shows the message that are pushed by the devices in realtime. Alternatively developers may use a PC-based MQTT client software (such as MQTT Explorer) to connect (with a readonly access) to the MQTT server. The procedure to obtain a client certificate is detailed in the SDK.
This is usefull for developments, tests and demos, but shall not be used for production since all the messages going through the server could be observed publicly.
Device configuration
To connect your SpringCore device to publish on mqtt.springcard.com, configure the device as follow:
| Register | Content |
|---|---|
0280 IPv4 Settings |
IPv4 parameters (address, mask, gateway, DNS servers) Leave empty for DHCP operation |
0285 MQTT : Network ports |
Listen port of the MQTT server Leave empty for default value 8883 |
0286 MQTT : Server |
Hostname of MQTT server:"acztxc1o83ew9-ats.iot.us-west-2.amazonaws.com" |
0288 MQTT : TLS Options |
Use the following settings: - TLS enabled - SNI enabled - Verify CN (Server Name) - Verify PKI - Verify public key only - Server certificate is in slot 8 ( 08)- Enable client authentication - Client certificate is in slot 13 ( 0D)- Client private key is in ATECC - Client private key is in slot 13 ( 0D)- The CA of the client certificate shall be chained with the client certificate itself - CA of the client certificate is in slot 15 ( 0F)The value to put in the register is therefore 3F098D4D8F |
0289 MQTT : Client Options |
To be written The value to put in the register is therefore 561E3C3C |
028B MQTT : Login |
Must be empty. Authentication relies on TLS certificate and private key only. |
028C MQTT : Password |
Must be empty. Authentication relies on TLS certificate and private key only. |
028D MQTT : Client ID |
Leave empty. Doing so, the device uses its Serial Number as Client ID. |
028E MQTT : Topic prefix |
Leave empty. Doing so, the device’s topics are under "springcard/springcore". |
028F MQTT : Device ID |
Leave empty. Doing so, the device uses its Serial Number as Device ID. |
02C0 Main configuration : Profile |
Set to 64 for Smart Reader operation through MQTT client |
If you have the SpringCore Tools installed, just run the command
> SpringCoreConfig --url https://docs.springcard.com/books/SpringCore/Appendixes/PKI_keys_and_certificates/TLS_client_with_default_certificate/springcore-mqtt-aws-europe.json
(you may have to specifiy how the software shall connect to the SpringCore device at the end of the command-line).
You may also download the springcore-mqtt-aws-europe.json file manually and edit its content as required.
Testing
To be written