TLS in Node-RED for MQTT
Use TLS in Node-RED for MQTT
Use TLS in Node-RED for MQTT
This tutorial uses Node-RED to establish a secure MQTT connection between FairCom Edge and MQ servers and client applications.
Ensure you have properly enabled TLS and created and configured TLS certificates. See Secure MQTT with certificates.
You must create a separate server certificate for each computer that runs a FairCom server. Each FairCom server must be configured to use the appropriate server certificate for the computer on which it runs
Each user must have a unique client certificate. A client certificate allows a client program to identify itself to a FairCom server. Each program that wants to use a certificate must be configured to send the certificate to the server.
Note
Do not use a client certificate in a client program to connect to a FairCom server that is not configured with a certificate.
Create a new flow.
Add these four nodes:
"mqtt in"
,"debug"
,"inject"
, and"mqtt out"
.Wire the output of the
"mqtt in"
node to the input of the"debug"
node.Wire the output of the
"inject"
node to the input of the"mqtt out"
node.Double-click the
"inject"
node and change themsg.payload
drop-down to"timestamp"
.Change its name to
"Timestamp"
.Click
.The flow should look like this:
Double-click on the "mqtt out" node to configure the node and create a connection to the broker.
On the "Topic" field, enter test/Node-RED/certificate_timestamp.
Set "QoS" to 1.
Set "Retain" to "false".
Leave the name blank.
The node should look like this:
On the "Server" row, click the drop-down menu and select "Add new mqtt-broker…".
Click the pencil icon to the right of that drop-down menu to create the server connection.
Give the connection a name such as "FairCom MQTT with certificates".
Set the "Server" field to the network address of the FairCom MQTT broker.
Set the "Port" to the MQTTS port of the FairCom MQTT broker (typically 8883).
Leave "Connect automatically" checked.
Check the "Use TLS" box.
The connection should look like this:
Click the pencil icon to the right of the "Use TLS" drop-down menu to create the new TLS configuration.
If "Use key and certificates from local files" is checked, the files will be loaded from the file system every time Node-RED is started or redeployed. If it is unchecked, the certificates will be uploaded to Node-RED and the files can be removed from the file system. In this tutorial, we leave the box unchecked.
Click the "Upload" button next to "Certificate" to select the client certificate to use.
If your certificate contains both the client certificate and client key, you do not need to upload a key file.
If your client key is in its own file, click the "Upload" button next to "Private Key" to select the client key to use.
Click the "Upload" button next to "CA Certificate" to select the Certificate Authority certificate to use.
Leave "Verify server certificate" checked.
The TLS configuration should look like this:
Click "Update".
On the "Edit mqtt-broker node" screen, ensure the TLS drop-down menu shows the TLS configuration you just created, and click "Update".
On the "Edit mqtt out node" screen, ensure the Server drop-down menu shows the broker connection you just created, and click "Done".
Double-click the "mqtt in" node.
For the server, select the drop-down menu and select the server you just configured.
Leave the "Action" set to "Subscribe to single topic".
Set the "Topic" to test/Node-RED/certificate_timestamp.
Set the "QoS" to 1.
Leave the "Output" set to "auto-detect".
Leave the "Name" blank.
The "mqtt in node" should look like this:
Optionally rename the debug node.
Click "Deploy".
Click the blue square to the left of the inject node.
A timestamp is sent to the "mqtt out" node.
The flow should look like this: