Signing Service

As of Niagara 4.14, the DefaultMqttDevice in the abstractMqttDriver palette contains an Individual Signed Cert Config component. It lets the device submit a CSR to a Signing Service, which returns a signed client certificate that is renewed automatically before it expires. For more details, see “Niagara Signing Service Guide”.

Best practices

  • Use a secure channel to download any external device or broker certificates.

  • Ensure that any copies of these certificates that include private keys are stored in a secure, encrypted key store or volume, with read permission limited to those who require access to the key.

  • Installing a broker’s server certificate (or the CA certificate that issued it) into the User Trust Store means that you will not need to re-approve the connection if the broker’s address or port changes in the future. Note that trusting a CA certificate trusts every certificate that CA issues, whereas trusting the server certificate trusts only that one certificate. This step is not required if the root CA already appears in the System Trust Store.
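The following script shows the checks a practitioner would run on a downloaded certificate file before importing it through Workbench. It is an added example, not part of the Niagara product or documentation. It assumes the operator has obtained the broker CA certificate’s SHA-256 fingerprint out of band (for example from the broker console) and compares it in constant time against the downloaded file, refuses to put a file that carries a private key into a trust store, and refuses key material that is readable by group or others. The sample files in demo() are constructed stand-ins, not real certificates.

```python
"""Pre-import checks for a downloaded broker certificate file.

Added example for the best practices above; it is not part of the Niagara
product or documentation. It assumes the operator has obtained the broker
CA certificate's SHA-256 fingerprint out of band (for example from the
broker's console) and wants to verify a downloaded PEM file before importing
it into a Niagara trust store or key store.
"""
import base64
import hashlib
import hmac
import os
import re
import stat
import tempfile

# One PEM block: label and base64 body (re.S lets the body span lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def to_pem(label, der):
    """Wrap DER bytes in a PEM envelope (used here to build sample files)."""
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(der).decode("ascii"), label)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form broker consoles show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der, expected):
    """Constant-time compare; tolerates lower case and missing colons."""
    norm = lambda s: s.replace(":", "").lower()
    return hmac.compare_digest(norm(sha256_fingerprint(der)), norm(expected))


def contains_private_key(text):
    """True if any block is key material (PRIVATE KEY, RSA PRIVATE KEY, ...)."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(text))


def key_file_permissions_ok(path):
    """Key material must not be readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_before_import(path, expected_fingerprint, destination):
    """Return a list of problems; an empty list means the file is safe to import.

    destination is "trust" (User Trust Store: certificates only) or
    "key" (client certificate plus its private key).
    """
    with open(path) as f:
        text = f.read()
    problems = []
    certs = [der for label, der in pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    elif not fingerprint_matches(certs[0], expected_fingerprint):
        problems.append("fingerprint mismatch, got " + sha256_fingerprint(certs[0]))
    has_key = contains_private_key(text)
    if destination == "trust" and has_key:
        problems.append("file carries a private key; a trust store entry must be certificate only")
    if has_key and not key_file_permissions_ok(path):
        problems.append("private key file is group- or world-readable")
    return problems


def demo():
    """Run the checks against constructed sample files (not real certificates)."""
    ca_der = b"constructed stand-in for a CA certificate, not real DER"
    key_der = b"constructed stand-in for a private key, not a real key"
    expected = sha256_fingerprint(ca_der)       # stands in for the console value
    ca_pem = to_pem("CERTIFICATE", ca_der)
    bundle_pem = ca_pem + to_pem("PRIVATE KEY", key_der)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ca_path = os.path.join(d, "broker-ca.pem")
        bundle_path = os.path.join(d, "client-bundle.pem")
        with open(ca_path, "w") as f:
            f.write(ca_pem)
        with open(bundle_path, "w") as f:
            f.write(bundle_pem)
        os.chmod(ca_path, 0o600)
        os.chmod(bundle_path, 0o600)
        results["good_ca"] = check_before_import(ca_path, expected, "trust")
        results["wrong_fp"] = check_before_import(ca_path, "00" * 32, "trust")
        results["key_in_trust"] = check_before_import(bundle_path, expected, "trust")
        results["good_key"] = check_before_import(bundle_path, expected, "key")
        os.chmod(bundle_path, 0o644)            # simulate a careless copy
        results["loose_key"] = check_before_import(bundle_path, expected, "key")
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run it with no arguments to see the five cases; in practice call check_before_import() on the real file and the fingerprint you copied from the console, and import only when it returns an empty list. The fingerprint comparison covers the “secure channel” practice even when the download path is not fully trusted, because a substituted certificate will not match the out-of-band value.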

Cloud-specific brokers

AWS and GCP devices also use TLS with client certificate authentication. TLS encrypts the session and the broker’s server certificate authenticates the broker to the client; the client certificate authenticates the device to the broker. For more information about the GCP procedures, see “Abstract MQTT Driver with GCP Authenticator”.

AWS IoT requires the MQTT client to be registered with AWS IoT, which generates a client certificate. To install the client certificate, follow the “Importing the certificate” steps in the “Setting up client certificate authentication” chapter.

  1. Expand Config > Drivers > AbstractMqttDriverNetwork > AwsMqttDevice and double-click authenticator.

  2. To select the client certificate, expand Certificate Alias And Password and use the Alias drop-down list.

You are ready to connect your client to the broker.

For easier onboarding of several devices to AWS, consider an alternative workflow described at “Aws Jitp Mqtt Authenticator (abstractMqttDriver-AwsJitpMqttAuthenticator)”.