Version: 1.3

Security Certificates (SSL/TLS)

As of version 1.1.0, SmoothMQTT fully implements support for TLS, in the typical No-Code fashion SmoothMQTT is known for. You will need certificates in .pfx and .crt format. If you have other formats, check the appendix for a very short step-by-step guide on how to convert them with OpenSSL.

"Fully implemented" is unfortunately limited by the functions available in Mono C#. It is therefore paramount that you understand that there is no validation of the certificates. Certificates are loaded and used, so your data is not transmitted as plaintext. However, since there is no validation code in place, the identity of the other side is not verified and the connection is not considered secure from a cybersecurity point of view. Adding this functionality involves some programming, which is out of scope of this asset.

Tip: A set of example certificates is included in the package; all .pfx files have the password 1234.

Danger: DO NOT(!) use these certificates in your final project. These are for educational purposes only and are by no means secure!!!

That said, creating certificates and securing them properly requires expert knowledge. So if you need a secure connection that carries a high risk of damage or casualties when compromised, please consult an IT specialist for MQTT and certificate management. Feel free to reach out to Simon Schliesky Softwarelösungen as one option.

Minimal Requirements

To successfully encrypt your MQTT connection you need at least 2 certificates.

  1. A client certificate containing a public and private part (.pfx format)
  2. The root Certificate Authority (CA) certificate that signed the broker's certificate (.crt or .pem format)

If you get these from your broker provider you are good to go. If you get separate files for the client certificate's private and public part, check the appendix for instructions on conversion. For creating self-signed certificates check the appendix.

If you want to run the internal SmoothMQTT broker you also need:

  3. A server/broker certificate containing a public and private part (.pfx format)

Ultimately you need to place the certificates in StreamingAssets/certificates, but worry not, there is a single click solution for you in the asset.

Example scene 101 shows the use of certificates. Before running it, the certificates need to be linked in the assets and copied to StreamingAssets though.
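Because the asset loads certificates without validating them, it is worth checking the files yourself before they are copied to StreamingAssets/certificates. The script below is an added example and not part of the SmoothMQTT package: it uses the openssl command-line tool to check that a certificate chains to the CA file, that it has not expired, and that a .pfx file does not open with the example password 1234. The function names, file names and throwaway certificates are constructed for the demonstration.

```shell
# Pre-deployment checks for certificate files (added example, not SmoothMQTT code).
# Requires the openssl command-line tool.

# Succeeds only if certificate $2 chains to the CA certificate in $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the certificate in $1 has not expired yet.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Succeeds only if the .pfx file $1 opens with password $2.
pfx_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Succeeds if $1 opens with 1234, the password of the bundled example
# certificates, which must not ship in a final project.
uses_example_password() {
    pfx_opens "$1" 1234
}

# Builds constructed throwaway certificates in directory $1 (demo input only).
make_demo_certs() {
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
            -keyout ca.key -out ca.crt
        openssl req -newkey rsa:2048 -nodes -subj "/CN=broker.example" \
            -keyout broker.key -out broker.csr
        openssl x509 -req -in broker.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 1 -out broker.crt
        # Self-signed certificate with the same name, not issued by the demo CA.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=broker.example" \
            -keyout other.key -out other.crt
        openssl pkcs12 -export -inkey broker.key -in broker.crt \
            -passout pass:1234 -out weak.pfx
        openssl pkcs12 -export -inkey broker.key -in broker.crt \
            -passout pass:constructed-demo-passphrase -out strong.pfx
    ) >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_certs "$demo"
chains_to_ca "$demo/ca.crt" "$demo/broker.crt" && echo "broker.crt: issued by the CA"
chains_to_ca "$demo/ca.crt" "$demo/other.crt" || echo "other.crt: NOT issued by the CA"
uses_example_password "$demo/weak.pfx" && echo "weak.pfx: example password, do not ship"
rm -rf "$demo"
```

To check real files, call the functions with the paths of your own CA certificate, broker certificate and .pfx files instead of the demo directory.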

Certificate Assets

To link certificates to SmoothMQTT, create scriptable certificates by right-clicking in your project view and selecting Create->SmoothMQTT->Certificate. You will need one for each certificate. The suggested naming scheme is:

  • CA certificate
  • client certificate
  • [broker certificate]

When you select one of these asset files, the inspector window will show a few configuration options. First and foremost, you need to set the path to your .crt, .pem, or .pfx file. Click the browse button and select a certificate file using your system's explorer.

After selecting a certificate with only a public part (e.g. ca.crt) the certificate is shown right away and can be copied to the correct folder by clicking "Copy File to Streaming Assets now."

If you select a .pfx file, which includes a (by default) password-protected private key, it looks like this:

The certificate is not shown, because it can't be decoded without a password. As soon as you enter the correct password, it should show the certificate as seen above. Unless already done, copy the certificate file to StreamingAssets by clicking the button.

Caution: If there is already a certificate in StreamingAssets/certificates with the same file name and you want to replace it, you need to delete it manually first.

MQTT Settings Component

To use the prepared certificates during connections, find your settings component (usually on the MqttManagerWith(out)Broker GameObject) and link the certificate assets to the matching variables. The CA certificate and client certificate are mandatory to use SSL. A server certificate is only necessary if you plan on using the internal broker. Make sure to check useSSL and change the port to match your broker's port (default: 8883).

For the time being, SmoothMQTT can only use a single client certificate for all scripts accessing MQTT either as publisher or subscriber*.

That is pretty much it. From here you can connect your devices over an encrypted connection. Teaching the fundamentals of certificates is out of scope of this manual; however, you may find one or two neat tricks in Appendix A.

* If you need certificates per client and happen to do so in a commercial project, please contact me for a paid offer. This way you will get a good deal and everyone gets nice functionality :)