...

Configuration file mosquitto.conf

The example shows the configuration on Windows; the paths on Linux OS need to be adjusted (the Example for configuration on Linux Ubuntu (the broker.conf configuration file itself can be located, for example, in /etc/mosquitto/mosquitto.conf).is located in /etc/mosquitto/conf.d):

#MQTTS listener on port 8883
listener 8883
#broker certificate
certfile /etc/mosquitto/certs/broker.crt
#broker private key
keyfile /etc/mosquitto/certs/broker.key
#require valid certificates of clients
require_certificate true
#file with certificate authority's public key(s)
cafile /etc/mosquitto/ca_certificates/caMQTT.crt
#use CN (Common Name) of client certificate as username (and ignore MQTT username+password)
use_identity_as_username true
#password file is not used for username/password verification (due to use_identity_as_username true)
#password_file pwfile
#acl file with defined access rights
acl_file /etc/mosquitto/myacl.conf 

The example for configuration on Windows:

#MQTTS listener on port 8883
listener 8883
#broker certificate
certfile c:\Program Files (x86)\mosquitto\broker.crt
#broker private key
keyfile c:\Program Files (x86)\mosquitto\broker.key
#require valid certificates of clients
require_certificate true
#file with certificate authority's public key(s)
cafile c:\Program Files (x86)\mosquitto\caMQTT.crt
#use CN (Common Name) of client certificate as username (and ignore MQTT username+password)
use_identity_as_username true
#password file is not used for username/password verification (due to use_identity_as_username true)
#password_file pwfile
#acl file with defined access rights
acl_file c:\Program Files (x86)\mosquitto\myacl.conf

...

The certification authority certificate (caMQTT.crt) must be copied to the MQTT broker so that the MQTT broker can use it to verify the validity of MQTT client certificates (directory /etc/mosquitto/ca_certificates).

Note: In the case of redundant MQTT brokers and redundant D2000 application servers (and other MQTT clients), it is necessary to copy the certification authority certificate to all relevant servers!

...

The broker.crt file (MQTT broker certificate) must be copied to the MQTT broker, along with the broker.key file (MQTT broker private key) to directory /etc/mosquitto/certs. It is also recommended to protect the the broker.key file (with access rights, encryption) so that only the user under whom the MQTT broker is running has access to it.

...

If you created a certification authority above, you are creating a certificate (signing a certificate signing request). Otherwise, you send the myPLC.csr file for signing to the appropriate certification authority (e.g., the company's IT department).
The -days parameter specifies the certificate validity period in days.

openssl x509 -req -inmyPLCin myPLC.csr -CA caMQTT.crt -CAkey caMQTT.key -CAcreateserial -out myPLC.crt -days 1000

...

Just as the key for the myPLC MQTT client was created and signed, it is necessary to create and sign the key for the myD2000 MQTT client. Its public certificate (myD2000.crt) must again be copied to the MQTT broker directory. The public certificate (myD2000.crt) and private key (myD2000.key) must be copied so that D2000 KOM can access them (the easiest way is to the application directory) and set the path to them as the parameters "My certificate" (#APPDIR#\myD2000.crt) and "My key" (#APPDIR#\myD2000.key) in the TCP/IP-TCP Redundant configuration.

The configuration of a D2000 line of type TCP/IP-TCP Redundant will look like this:

Image Added

Note: It is recommended to protect the private key for the D2000 MQTT client (myD2000.key) with a password, which must be entered in the "Pre-shared key" field. For more information, see the TCP/IP-TCP Redundant line description.

...