Integrate TrustEdge into devices
This tutorial explains how to use TrustEdge to secure IoT device communications over SSL/TLS with MQTT.
The following scenario reflects common production IoT deployments where mutual TLS (mTLS) ensures encrypted communication and device identity verification.
What you will accomplish
By completing this tutorial, you will learn how to:
Create a private CA
Issue broker and client certificates
Configure Mosquitto for TLS authentication
Connect a device using the TrustEdge MQTT client
Validate secure communication
Before you begin
Documentation:
Review the following documents before proceeding:
Device Trust Manager:
Hardware and software:
Ubuntu 20.04 LTS or later
TrustEdge installed. See Install and configure TrustEdge
Verify your TrustEdge installation:
trustedge --version
Capability updates to TrustEdge, listed by version, are on GitHub.
Mosquitto MQTT broker
OpenSSL
Understand the TrustEdge Keystore
TrustEdge stores configuration files, certificates, key files, and CSR configuration in the Keystore directory.
Default location:
The default Keystore directory is located at /etc/digicert/Keystore/. For more details on the Keystore, see Manage the keystore.
Generate a private CA certificate using TrustEdge
Use TrustEdge to generate a private CA certificate.
The ca.conf configuration file defines the subject attributes and required certificate extensions. Save this file in the default TrustEdge Keystore location at /etc/digicert/Keystore/.
Create the CA configuration file:
cat /etc/digicert/Keystore/conf/ca.conf
##Subject
countryName=US
commonName=trustedge-ca
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=0
keyUsage=digitalSignature, keyEncipherment, keyCertSign
##subjectAltNames=numSANs; value1, type1; valueN, typeN
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
Create a server-side certificate for the MQTT broker
Create a broker configuration file similar to ca.conf.
Set commonName to match the hostname or IP address that clients use to connect. For example:
Use commonName=127.0.0.1 if clients connect to 127.0.0.1
Use commonName=localhost if clients connect to localhost
Use commonName=broker.example.com if clients connect to broker.example.com
Create the broker configuration file:
cat /etc/digicert/Keystore/conf/broker.conf
##Subject
countryName=US
commonName=trustedge-broker
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=false
certPathLen=-1
keyUsage=digitalSignature, keyEncipherment
##subjectAltNames=numSANs; value1, type1; valueN, typeN
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
Create a client-side certificate for the MQTT client
Create a client configuration file for the MQTT client certificate.
Create a client configuration file:
cat /etc/digicert/Keystore/conf/client.conf
##Subject
countryName=US
commonName=trustedge-client
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=false
certPathLen=-1
keyUsage=digitalSignature, keyEncipherment
##subjectAltNames=numSANs; value1, type1; valueN, typeN
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
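The three configuration files above share one key=value layout. The following Python script is an added example, not TrustEdge's own code: it parses that layout (the ##Subject and ##Requested Extensions blocks and the numSANs; value, type subjectAltNames line) and checks a profile for its role, including the rule from the broker section that commonName, or a DNS SAN, must cover the name clients connect with. The samples are constructed and abbreviated from ca.conf and broker.conf; the assumption that SAN type 2 means a DNS name is taken from the tutorial's own *.mydomain.com entries.

```python
# Added example (not TrustEdge's own code): a parser and consistency checker for the
# key=value CSR configuration format used by ca.conf, broker.conf and client.conf.
# Assumption: SAN type 2 is a DNS name, as the tutorial's samples use it for *.mydomain.com.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed samples, abbreviated from the tutorial's ca.conf and broker.conf
CA_CONF = """\
##Subject
countryName=US
commonName=trustedge-ca
##Requested Extensions
isCA=true
certPathLen=0
keyUsage=digitalSignature, keyEncipherment, keyCertSign
##subjectAltNames=numSANs; value1, type1; valueN, typeN
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
"""

BROKER_CONF = """\
##Subject
countryName=US
commonName=trustedge-broker
##Requested Extensions
isCA=false
certPathLen=-1
keyUsage=digitalSignature, keyEncipherment
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
"""

SUBJECT_KEYS = {"countryName", "commonName", "stateOrProvinceName",
                "localityName", "organizationName", "organizationalUnitName"}
DNS_SAN_TYPE = 2  # assumed meaning of the tutorial's SAN type value

@dataclass
class CsrConf:
    subject: Dict[str, str]
    extensions: Dict[str, str]
    key_usage: List[str]
    sans: List[Tuple[str, int]]  # (value, type)

def parse_conf(text: str) -> CsrConf:
    """Parse conf text; lines starting with '##' are comments or section markers."""
    subject, extensions, key_usage, sans = {}, {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in SUBJECT_KEYS:
            subject[key] = value
        elif key == "keyUsage":
            key_usage = [u.strip() for u in value.split(",") if u.strip()]
        elif key == "subjectAltNames":
            # layout: numSANs; value1, type1; valueN, typeN
            parts = [p.strip() for p in value.split(";")]
            for entry in parts[1:]:
                san_value, _, san_type = entry.rpartition(",")
                sans.append((san_value.strip(), int(san_type)))
            if int(parts[0]) != len(sans):
                raise ValueError(f"subjectAltNames declares {parts[0]} entries, found {len(sans)}")
        else:
            extensions[key] = value
    return CsrConf(subject, extensions, key_usage, sans)

def covers_host(conf: CsrConf, host: str) -> bool:
    """True if commonName or a DNS SAN matches host; '*.' matches exactly one label."""
    names = [conf.subject.get("commonName", "")]
    names += [v for v, t in conf.sans if t == DNS_SAN_TYPE]
    for pattern in names:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            head = host[: -len(pattern[1:])]
            if head and "." not in head:
                return True
    return False

def check_conf(conf: CsrConf, connect_host: str = "") -> List[str]:
    """Return findings; an empty list means the profile is consistent for its role."""
    findings = []
    is_ca = conf.extensions.get("isCA", "false").lower() == "true"
    if "commonName" not in conf.subject:
        findings.append("missing commonName")
    if is_ca and "keyCertSign" not in conf.key_usage:
        findings.append("isCA=true but keyUsage lacks keyCertSign")
    if not is_ca and "keyCertSign" in conf.key_usage:
        findings.append("isCA=false but keyUsage grants keyCertSign")
    if connect_host and not covers_host(conf, connect_host):
        findings.append(f"neither commonName nor a DNS SAN covers {connect_host}")
    return findings

if __name__ == "__main__":
    broker = parse_conf(BROKER_CONF)
    print(check_conf(parse_conf(CA_CONF)), check_conf(broker, "127.0.0.1"))
```

Run against the sample broker profile, check_conf reports nothing for broker.mydomain.com (covered by the *.mydomain.com SAN) but flags 127.0.0.1, which is exactly the case the broker section warns about: a client connecting to 127.0.0.1 will not accept a certificate whose names are trustedge-broker and *.mydomain.com.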
Generate a Certificate Signing Request (CSR) for the Broker
Use the CA certificate to generate and sign a CSR for the broker. Ensure the broker certificate is signed by the private CA created earlier.
Configure the Mosquitto Broker
Configure the Mosquitto broker to:
Use the server certificate and private key
Trust the CA certificate
Require and verify client certificates for MQTT authentication
Secure Communication
In this section, you’ll set up a secure SSL session using TrustEdge. This process includes creating private certificates, establishing a trusted connection, and enabling encrypted communication between devices.
In this example, Mosquitto is used as the MQTT broker. For the MQTT client, this tutorial demonstrates how to use the TrustEdge built-in MQTT client to authenticate over TLS.
Step 1: Create a private CA
Generate the CA key and the certificate:
sudo -u trustedge trustedge certificate --algorithm RSA --size 2048 --csr-conf ca.conf --output-file ca.key --x509-cert ca.crt --days 3650
Step 2: Create an MQTT broker certificate signed by the private CA
Create the broker certificate:
sudo -u trustedge trustedge certificate --algorithm RSA --size 2048 --csr-conf broker.conf --signing-key ca.key --signing-cert ca.crt --digest SHA256 --output-file broker.key --x509-cert broker.crt --days 3650
Step 3: Create a client certificate signed by the private CA
Create the client certificate:
sudo -u trustedge trustedge certificate --algorithm RSA --size 2048 --csr-conf client.conf --signing-key ca.key --signing-cert ca.crt --digest SHA256 --output-file client.key --x509-cert client.crt --days 3650
Step 4: Install and configure Mosquitto
Install Mosquitto:
Install Mosquitto on Ubuntu/Debian:
sudo apt-get update
sudo apt-get install openssl mosquitto mosquitto-clients
Configure Mosquitto:
Create a directory to store the certificates:
sudo mkdir -p /etc/mosquitto/certs
sudo cp /etc/digicert/Keystore/certs/broker.crt /etc/mosquitto/certs/
sudo cp /etc/digicert/Keystore/keys/broker.key /etc/mosquitto/certs/
sudo cp /etc/digicert/Keystore/certs/ca.crt /etc/mosquitto/certs/
Edit Mosquitto:
Edit the Mosquitto configuration file:
sudo nano /etc/mosquitto/mosquitto.conf
Add to Mosquitto:
Add the following lines to configure SSL:
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
log_type all
require_certificate true
allow_anonymous false
use_identity_as_username true
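Of the listener options above, require_certificate and allow_anonymous are the two that turn an encrypted listener into an authenticated one. The following Python linter is an added example, not Mosquitto's or TrustEdge's code: it reads a mosquitto.conf fragment, attributes every option after a listener line to that listener (a simplification; Mosquitto treats allow_anonymous as global unless per_listener_settings is true), and flags any TLS listener that does not enforce mutual TLS. Both configuration samples are constructed inline; the first is the tutorial's listener block, the second a weakened variant.

```python
# Added example (not Mosquitto's or TrustEdge's code): a linter for the listener
# block above. Options after a 'listener' line are attributed to that listener, and
# each TLS listener is checked for mutual-TLS enforcement.
from typing import Dict, List

# Constructed inline copy of the tutorial's listener block
MTLS_CONF = """\
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
log_type all
require_certificate true
allow_anonymous false
use_identity_as_username true
"""

# Constructed weak variant: encrypted, but devices never prove their identity
WEAK_CONF = """\
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
allow_anonymous true
"""


def parse_listeners(text: str) -> List[Dict[str, str]]:
    """Return one option map per listener; options before any 'listener' go to 'default'."""
    blocks = [{"listener": "default"}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            blocks.append({"listener": value.strip()})
        else:
            blocks[-1][key] = value.strip()
    return [b for b in blocks if len(b) > 1]  # drop an unused default block


def check_listener(opts: Dict[str, str]) -> List[str]:
    """Findings for one listener; empty means it enforces mutual TLS as the tutorial intends."""
    name = opts["listener"]
    if "certfile" not in opts or "keyfile" not in opts:
        return [f"{name}: plaintext listener (no certfile/keyfile)"]
    findings = []
    if "cafile" not in opts and "capath" not in opts:
        findings.append(f"{name}: no cafile/capath, client certificates cannot be validated")
    if opts.get("require_certificate") != "true":
        findings.append(f"{name}: require_certificate is not true, client identity is not proven")
    if opts.get("allow_anonymous") != "false":
        findings.append(f"{name}: allow_anonymous is not explicitly false")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each listener name to its findings."""
    return {b["listener"]: check_listener(b) for b in parse_listeners(text)}


if __name__ == "__main__":
    print(audit(MTLS_CONF))  # {'8883': []}
    print(audit(WEAK_CONF))
```

With use_identity_as_username true, Mosquitto uses the CN of the verified client certificate as the MQTT username, so any ACL you later add keys on the commonName from client.conf (trustedge-client in this tutorial) rather than on a password-file entry.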
Restart Mosquitto:
Restart Mosquitto for the configuration to take effect:
sudo systemctl restart mosquitto
Step 5: Verify the TLS connection (optional)
To verify TLS authentication for the broker, replace tedemo with your machine’s hostname in the command below.
The ssl_client utility is part of the TrustCore SDK. If the SDK isn’t installed, skip this step and proceed to validating the SSL connection using the MQTT client in the next step. If the connection fails, capture network traffic with Wireshark to analyze the TLS exchange.
Verify TLS authentication for the broker:
ssl_client -ssl_ip 127.0.0.1 -ssl_port 8883 -ssl_certpath /etc/digicert/Keystore/certs/ -ssl_server_cert broker.crt -ssl_servername tedemo
Verify TLS authentication for the client:
ssl_client -ssl_ip 127.0.0.1 -ssl_port 8883 -ssl_certpath /etc/digicert/Keystore/certs/ -ssl_server_cert client.crt -ssl_servername tedemo
Configure the MQTT client
Ensure your TrustEdge MQTT client is configured to use the CA certificate and the client certificate/key for SSL/TLS.
Subscribe to the topic:
trustedge mqtt --mqtt_servername 127.0.0.1 --mqtt_port 8883 --mqtt_sub_topic my/topic --ssl_key_file /etc/digicert/Keystore/keys/client.key --ssl_cert_file /etc/digicert/Keystore/certs/client.crt --mqtt_clean_start --mqtt_transport SSL --ssl_ca_file /etc/digicert/Keystore/certs/ca.crt
Publish the MQTT message:
trustedge mqtt --mqtt_servername 127.0.0.1 --mqtt_port 8883 --mqtt_pub_topic my/topic --ssl_key_file /etc/digicert/Keystore/keys/client.key --ssl_cert_file /etc/digicert/Keystore/certs/client.crt --mqtt_pub_message "Hello world" --mqtt_clean_start --mqtt_transport SSL --ssl_ca_file /etc/digicert/Keystore/certs/ca.crt
Conclusion
This tutorial demonstrated how to use TrustEdge to secure IoT device communication over SSL/TLS and authenticate clients with the built-in MQTT publish/subscribe client.
You generated private keys, created CA and server-side certificates, and configured the Mosquitto broker to enforce secure, certificate-based authentication. These steps reflect a typical IoT deployment scenario, where encrypted communication and strong client verification aren’t optional—they’re foundational.
By applying this approach with TrustEdge, you can establish trusted connections between devices, protect data in transit, and strengthen the overall security posture of your IoT environment.