In the previous article, we succeeded in creating a deployment and connecting devices on EMQX Cloud. To secure the connection, we need to set up TLS/SSL to enable port 8883.
In GCP IoT Core, the connection uses a TLS/SSL one-way authentication handshake. This TLS handshake is initiated via mqtt.googleapis.com or the long-term support domain mqtt.2030.ltsapis.goog on port 8883 or 443.
EMQX Cloud, as an MQTT messaging cloud service for the IoT, supports connection via TLS/SSL ports with customer-defined TLS/SSL, ensuring data security and privacy at the transport layer.
This article will describe how to connect GCP IoT Core devices to EMQX Cloud via TLS/SSL ports.
EMQX Cloud Professional Deployment provides custom one-way/two-way TLS/SSL configurations, as follows:
Certification Mode | Support self-signed certificate | Server certificate | Certificate chain | Private key | Client CA certificate |
---|---|---|---|---|---|
one-way Authentication | Yes | required | required | required | not required |
two-way Authentication | Yes | required | required | required | required |
- Log in to the EMQX Cloud Console.
- In the deployment overview, click +TLS/SSL to configure the certificate contents. You can upload a file or fill in the certificate contents directly in the popup window.
- Fill in the following configuration items:
  - Type of certification:
    - One-way authentication: only the client verifies the server-side certificate.
    - Two-way authentication: the client and the server validate each other's certificates.
  - Certificate: server-side certificate
  - Certificate chain: the certificate chain, which is usually provided when a third party issues a certificate. If it is missing, it can be completed by going to Certificate chain completion.
  - Certificate private key: server-side private key
  - Client CA certificate: the client's CA certificate is required when two-way authentication is selected
- The configuration is complete when the TLS/SSL status is running.
Before testing, make sure that you have created authentication information (refer to Certification and Authentication). In this tutorial we will use MQTTX for testing:
- Create a new connection and enter the Name. The Client ID is randomly generated.
- Select Host and fill in the deployed connection address and port:
  - If you select an SSL connection, select mqtts:// and port 8883
  - If you select WebSocket with SSL, select wss:// and port 8084
- Enter the authentication information you have created: username and password
- Select true on SSL/TLS
- Certificate selection:
  - Certificates certified by third-party authorities: no CA certificate required
  - For self-signed certificates, a server-side CA certificate is required; for two-way certification, a client-side certificate and private key are required
- Turn on strict mode
- Click on Connect
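The certificate choices above can be checked from a script before configuring a client. This is an added example, not part of the original article or EMQX's own code: it uses only the Python standard library and performs the TLS handshake alone, without MQTT traffic. The deployment address and certificate file paths are placeholders you supply, and treating "strict mode" as chain plus hostname verification is an assumption.

```python
import socket
import ssl
import sys


def build_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Client-side TLS context for the certificate choices listed above.

    ca_file=None   : server certificate issued by a third-party CA (system trust store)
    ca_file=path   : self-signed deployment, trust only the supplied CA certificate
    client_cert/key: two-way authentication
    """
    if bool(client_cert) != bool(client_key):
        raise ValueError("two-way authentication needs a client certificate and its private key")
    if ca_file:
        # Trust only the private CA, not the system store.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumption: "strict" means chain and hostname are both verified.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe_tls_port(host, port=8883, timeout=10, **tls_files):
    """Complete a TLS handshake (no MQTT traffic) and report what was negotiated.

    Raises ssl.SSLCertVerificationError if the chain or hostname does not verify.
    """
    ctx = build_tls_context(**tls_files)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": cert.get("subject"),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Usage: python probe.py <deployment-address> [ca.crt]  (placeholder arguments)
    if len(sys.argv) > 1:
        print(probe_tls_port(sys.argv[1], ca_file=sys.argv[2] if len(sys.argv) > 2 else None))
```

If verification fails for a certificate issued by a third party, an incomplete certificate chain on the deployment is one common cause.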
So far, we have completed the process of connecting the GCP IoT Core device to EMQX Cloud through the TLS/SSL port. You can refer to this article to practice the encrypted communication of the transport layer between the device and the application. Stay tuned for more tutorials!
- Migrate Your Business from GCP IoT Core 01 | Create Deployment and Connect Devices
- Migrate Your Business from GCP IoT Core 03 | Use JSON Web Token (JWT) to Verify Device Credentials
- Migrate Your Business from GCP IoT Core 04 | VPC Network Peering and Transfer Data to GCP
- Migrate Your Business from GCP IoT Core 05 | Bridge Data to GCP Pub/Sub