The device can't connect to the mqtt server after the certificate has been changed on the server

xlfdan
Posts: 4
Joined: Wed Nov 25, 2020 8:09 am

The device can't connect to the mqtt server after the certificate has been changed on the server

Postby xlfdan » Wed Nov 25, 2020 9:08 am

After the mqtt one-way authentication domain name certificate is expired and reissued, the device cannot connect to the server

1,
Our domain name certificate is issued by TrustAsia ov TLS Pro Ca, a member of CA,
This certificate is stored on the server and is used as one-way authentication certificate for the HTTPS website (Port 443) and mqtt broker SSL Certificate (port 8883).
The same certificate is also imported and used in the firmware of our mqtt devices.


Please note: This certificate is limited by time. After expiration, you must get a new certificate from the CA. in this way, the content of this certificate will change.
As a result, our mqtt device cannot connect to the mqtt server.
Is there a "general" certificate on the mqtt device, after using this general certificate on the device, no matter how the certificate on the server is updated, the device can normally connect to the mqtt server.

Does this "general" certificate exist? Where can I get it?


2,
If there is no "general" certificate above, what kind of certificate should we import on the device side to maintain the connection with the server regardless of the server
Whether the certificate has been updated.


3,
In ESPRESSIF ESP Programming Guide:
https://docs.espressif.com/projects/esp ... t=cert_pem
The method of generating certificates used in esp32 firmware is as follows:
openssl s_client -showcerts -connect mqtt.eclipse.org:8883 </dev/null 2>/dev/null|openssl x509 -outform PEM >mqtt_eclipse_org.pem


We have imported the mqtt_web_com.pem into our devcies.
When the domain name certificate on the server is expired and reissued, that is, the certificate has changed, can the shipped device still connect to the mqtt SSL server normally?


What should I do if the device can't connect to the mqtt server?

Thanks.

ESP-Marius
Posts: 74
Joined: Wed Oct 23, 2019 1:49 am

Re: The device can't connect to the mqtt server after the certificate has been changed on the server

Postby ESP-Marius » Thu Nov 26, 2020 8:17 am

Hi,

On esp32 mbedtls is compiled without "time" support by default. This is controlled by MBEDTLS_HAVE_TIME_DATE in menuconfig.

If this is set to "no" then you will still be able to connect even if the certificate is expired.

One option is to put the root certificate (of the certificate used to sign your certificate) on the device as the trusted certificate instead of your own certificate. This will have a much longer expiration date than your own certificate. As long as your certificate is always signed by the same root, embedding the root certificate will also allow you to verify your server certificate.

If you embedded mqtt_eclipse_org.pem and it changes and MBEDTLS_HAVE_TIME_DATE is enabled then yes, you will not be able to connect to the broker. If the embedded certificate is expired our about to expire then you would have to do a software update which includes a new certificate. Of course if your software update method depends on SSL then it's important to do this before the old certificate expires, or you wouldnt not be able to connect to the server for updates anymore.

dastoned
Posts: 50
Joined: Fri May 29, 2020 2:52 pm

Re: The device can't connect to the mqtt server after the certificate has been changed on the server

Postby dastoned » Thu Nov 26, 2020 8:57 am

xlfdan wrote:
Wed Nov 25, 2020 9:08 am
Is there a "general" certificate on the mqtt device, after using this general certificate on the device, no matter how the certificate on the server is updated, the device can normally connect to the mqtt server.

Does this "general" certificate exist? Where can I get it?
What you call "general" certificate is the CA certificate of your certificate authority - TrustAsia. You would put their CA certificate in your device. Any updated certificate you introduce to your server will be automatically trusted by your device, as long as TrustAsia has signed it. Their certificate is valid until 2027-11-02, so you'd have to update the devices with new CA certificates before that.

Alternatively, you could choose to trust TrustAsia's issuer - DigiCert Global Root G2 which is valid until 2038.

Note that if you use TrustAsia's or DigiCert's root certificate, your device will trust all certificates issued by this CA - not only those issued to your company. Connecting to a DNS name should protect from MITM and service spoofing, but it's your responsibility to worry about the security of your system :)

xlfdan
Posts: 4
Joined: Wed Nov 25, 2020 8:09 am

Re: The device can't connect to the mqtt server after the certificate has been changed on the server

Postby xlfdan » Thu Nov 26, 2020 10:05 am

Thank you @ESP-Marius, I see.

Thank you very much @dastoned, You're saying exactly what I want.

xlfdan
Posts: 4
Joined: Wed Nov 25, 2020 8:09 am

Re: The device can't connect to the mqtt server after the certificate has been changed on the server

Postby xlfdan » Thu Nov 26, 2020 10:21 am

Hi dastoned,

What is the relationship between DigiCert and TrustAsia ov TLS Pro Ca?

Why the DigiCert Global Root CA on my device can trust many different certificates that signed by TrustAsia?

Thank you very much!

dastoned
Posts: 50
Joined: Fri May 29, 2020 2:52 pm

Re: The device can't connect to the mqtt server after the certificate has been changed on the server

Postby dastoned » Thu Nov 26, 2020 12:12 pm

xlfdan wrote:
Thu Nov 26, 2020 10:21 am
What is the relationship between DigiCert and TrustAsia ov TLS Pro Ca?

Why the DigiCert Global Root CA on my device can trust many different certificates that signed by TrustAsia?
The DigiCert CA is a root certificate, trusted globally because everybody agrees so. It is used to issue the TrustAsia's certificate. TrustAsia's certificate is then used to issue your certificate. You can choose to trust any of the three in your device, resulting in different trust scopes and expiration deadlines.

I'd recommend this overview of how x509 certificate chains work:
https://www.venafi.com/blog/how-do-cert ... hains-work

When you start adding global root CA-s into your device you might want to look at this:
https://docs.espressif.com/projects/esp ... undle.html

Note that if you only connect to your own servers, then perhaps the full root certificate bundle from Mozilla is an overkill. You might build your own bundle which only consists of the DigiCert CA - assuming your local CA (TrustAsia) will receive their certificates issued by that exact same CA until 2038. Tricky :)

Who is online

Users browsing this forum: ESP_Sprite and 132 guests