Migrate Your Business from GCP IoT Core 02 | Enable TLS/SSL over MQTT to Secure Your Connection
In the previous article, we created a deployment and connected devices on EMQX Cloud. To secure the connection, we now set up TLS/SSL and enable port 8883.
In GCP IoT Core, the connection uses a TLS/SSL one-way authentication handshake. This TLS handshake is initiated via mqtt.googleapis.com or the long-term support domain mqtt.2030.ltsapis.goog on port 8883 or 443.
EMQX Cloud, as an MQTT messaging cloud service for the IoT, supports connections over TLS/SSL ports with customer-defined TLS/SSL certificates, ensuring data security and privacy at the transport layer.
This article will describe how to connect GCP IoT Core devices to EMQX Cloud via TLS/SSL ports.
TLS/SSL Configuration
EMQX Cloud Professional Deployment provides custom one-way/two-way TLS/SSL configurations, as follows:

| Authentication mode | Supports self-signed certificate | Server certificate | Certificate chain | Private key | Client CA certificate |
|---|---|---|---|---|---|
| One-way authentication | Yes | Required | Required | Required | Not required |
| Two-way authentication | Yes | Required | Required | Required | Required |
Log in to the EMQX Cloud Console.
In deployment overview, click +TLS/SSL to configure the certificate contents. You can upload a file or fill in the certificate contents directly in the popup window.
The following configuration items need to be filled in:
- Type of certification:
  - One-way authentication: only the client verifies the server-side certificate.
  - Two-way authentication: the client and the server validate each other's certificates.
- Certificate: the server-side certificate.
- Certificate chain: the certificate chain, usually provided when a third party issues the certificate. If it is missing, it can be completed by going to Certificate chain completion.
- Certificate private key: the server-side private key.
- Client CA certificate: the client's CA certificate, required when two-way authentication is selected.
The configuration is complete when the TLS/SSL status shows Running.
Connection Test
Before testing, make sure you have created authentication information (see Certification and Authentication). In this tutorial we use MQTTX for testing:
- Create a new connection: enter a Name; the Client ID is generated randomly.
- Select Host and fill in the deployment's connection address and port:
  - For an SSL connection, select mqtts:// and port 8883.
  - For WebSocket with SSL, select wss:// and port 8084.
- Enter the authentication information you created: username and password.
- Set SSL/TLS to true.
- Certificate selection:
  - For a certificate issued by a third-party authority, no CA certificate is required.
  - For a self-signed certificate, the server-side CA certificate is required; for two-way authentication, the client-side certificate and private key are also required.
- Turn on strict mode.
- Click Connect.
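As an added example (not from the article or from EMQX), the following Python client reproduces these MQTTX settings with only the standard library: a TLS context that takes the CA, client-certificate and strict-mode choices above, and a raw MQTT 3.1.1 CONNECT sent over port 8883 with the deployment address as SNI, returning the CONNACK code. The deployment address, certificate paths and credentials are assumed to be supplied by the caller.

```python
import socket
import ssl
import struct

# TLS-protected ports used by EMQX Cloud (from this article).
TLS_PORTS = {"mqtts": 8883, "wss": 8084}


def make_tls_context(ca_file=None, client_cert=None, client_key=None, strict=True):
    """TLS settings mirroring the MQTTX options: ca_file for a self-signed
    server certificate (None for a public CA), client_cert/client_key only
    for two-way authentication, strict = MQTTX 'strict mode'."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    if not strict:
        # Weak setting, shown for contrast: no chain or hostname check, so the
        # transport no longer proves which broker the device is talking to.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def encode_len(n):
    """MQTT variable-length 'remaining length' field (7 bits per byte)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def connect_packet(client_id, username, password, keepalive=60):
    """MQTT 3.1.1 CONNECT with clean session and username/password auth."""
    def field(s):
        data = s.encode()
        return struct.pack("!H", len(data)) + data
    flags = 0x02 | 0x80 | 0x40  # clean session | username | password
    body = field("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body += field(client_id) + field(username) + field(password)
    return bytes([0x10]) + encode_len(len(body)) + body

def connack_code(host, ctx, client_id, username, password):
    """Open TLS to port 8883 (SNI = host), send CONNECT, return the CONNACK
    return code: 0 accepted, 4 bad username/password, 5 not authorised."""
    with socket.create_connection((host, TLS_PORTS["mqtts"]), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(connect_packet(client_id, username, password))
            return tls.recv(4)[3]
```

Call connack_code("<deployment address>", make_tls_context(ca_file="ca.pem"), "dev-001", username, password); a result of 0 means both the TLS handshake (including hostname and chain verification) and the username/password check succeeded, while a TLS failure raises ssl.SSLError before any MQTT byte is sent.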
Summary
So far, we have completed the process of connecting the GCP IoT Core device to EMQX Cloud through the TLS/SSL port. You can follow this article to set up encrypted transport-layer communication between the device and the application. Stay tuned for more tutorials!
Other articles in this series
- Migrate Your Business from GCP IoT Core 01 | Create Deployment and Connect Devices
- Migrate Your Business from GCP IoT Core 03 | Use JSON Web Token (JWT) to Verify Device Credentials
- Migrate Your Business from GCP IoT Core 04 | VPC Network Peering and Transfer Data to GCP
- Migrate Your Business from GCP IoT Core 05 | Bridge Data to GCP Pub/Sub