Associate
August 23, 2024
Solved

STSAFE-A110 MQTT TLS authentication

  • August 23, 2024
  • 2 replies
  • 1658 views

Hello, I am confused about finalizing a secure chip for my IoT gateway (Linux). I read all the documents for the STSAFE-A110. My gateway has an MQTT broker which is bridged to another broker in the cloud. In order to implement TLS for MQTT I need to provide the key and certificate paths in the mosquitto broker configuration file, which is impossible since the key is stored in the chip and is not user readable.

Question:

1. How do I implement TLS over MQTT using the STSAFE-A110?

I have read that there is a challenge given to the chip to authorise a connection from the cloud. Is this said generically for TLS, or does any additional program need to be run in the cloud to achieve this, or will this only work in the case of clouds like Azure or AWS? Is it possible to do secure authentication using an OEM cloud?

I am new to this kind of security application; any help would be much appreciated.

2 replies

Benjamin BARATTE (Best answer)
ST Employee
August 23, 2024

Hi @Anzal3c3,

Actually, Mosquitto supports OpenSSL and Engines as well, so you can have a look at the STSAFE-A OpenSSL package (https://www.st.com/en/embedded-software/stsw-stsa110-ssl.html).

With the STSAFE-A OpenSSL Engine, you will be able to configure the mosquitto client with the tls-engine parameter and tls_keyform set to "engine", and this should automatically use the STSAFE-A to authenticate within the TLS session.

Regarding the interaction with an OEM Cloud, what is important is that it has a certificate for the STSAFE-A which is recognized by the OEM Cloud. This means that you need to configure the CA (Certificate Authority) certificate of your STSAFE-A in your OEM Cloud.

With such a configuration, it will be transparent, as the certificate verification is built into the TLS handshake.

Regarding the configuration of the STSAFE-A, you have by default an X.509 certificate in the STSAFE-A which is signed by a generic ST CA; for testing you can use this CA in your OEM Cloud, but avoid using this generic ST CA in production.

For production, you can check with your local support to get a dedicated STSAFE-A profile, or you can regenerate a certificate for the STSAFE-A using your own CA (you will find an example of how to do so in the STSAFE-A OpenSSL Engine package).

Best Regards,

Benjamin

Anzal3c3 (Author)
Associate
August 27, 2024

Thank you @Benjamin BARATTE. One more question to ask: how do I implement device authentication? Do ST provide any SDKs for that, or do I have to implement a mechanism (application) to authenticate devices on the cloud side?

ST Employee
August 27, 2024

Hi @Anzal3c3,

The advantage of the TLS integration is that on the server side you only need to enable client authentication, and you will have device authentication in your connection.

If you use your own Cloud, you will need to configure your server with device authentication and the CA certificate that signed your STSAFE-A device certificate.

On the server side, we use AWS or Azure, which offer the Bring Your Own CA mechanism that is compatible with the STSAFE-A solution, for demonstration purposes.

Best Regards,

Benjamin
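As an added example (not from the thread or from ST's software), the following script acts out the Bring Your Own CA model Benjamin describes: a private CA issues the gateway's device certificate, and a verifier that trusts only that CA accepts it while rejecting an equally valid certificate from another CA. It assumes an `openssl` command-line tool and uses software keys in place of the STSAFE-A key; all file names and subjects are constructed.

```bash
#!/bin/sh
# Added example (not from the thread or ST's packages): the "Bring Your Own CA"
# model. A private CA issues the gateway's device certificate and the cloud
# trusts only that CA, so the TLS handshake itself authenticates the device.
# Software keys stand in for the STSAFE-A key (which never leaves the chip);
# all names and subjects here are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. $1 = file prefix, $2 = CA common name
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 365 \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a device certificate from a CSR, signed by the named CA.
# $1 = CA prefix, $2 = device prefix, $3 = device identity (CN)
issue_device_cert() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/$2.crt" -days 365 >/dev/null 2>&1
}

# The check the cloud/broker performs for client authentication. $1 = CA prefix, $2 = device prefix
verify_device() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Identity the server reads from the peer certificate after the handshake. $1 = device prefix
device_identity() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

make_ca own_ca "Example OEM Device CA"      # the CA registered with the OEM cloud
make_ca other_ca "Generic Test CA"          # stands in for a CA the cloud does not trust
issue_device_cert own_ca gw1 "gateway-0001"
issue_device_cert other_ca gw2 "gateway-0002"

verify_device own_ca gw1     # OK: issued by the trusted CA
verify_device own_ca gw2     # FAIL: well-formed certificate, but from an unknown CA
device_identity gw1          # CN=gateway-0001
```

The rejected case is the production warning from the first reply in miniature: a device whose certificate chains to a CA the cloud was not configured with is refused by the handshake itself, without any extra authentication program on the cloud side.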

Anzal3c3 (Author)
Associate
August 27, 2024

That means all I need is to have my own CA, or do I need to implement any mechanism to authenticate on top of having a CA? Sorry for double checking; I am pretty much new to the concept.