Insights Hub Updating MindConnect MQTT Broker Certificate Replacement

2024-04-26T16:51:22.000-0400
Connectivity

Summary

This article provides step-by-step instructions on how to update the current broker certificate.


Details

You received an Insights Hub notification that the MindConnect MQTT broker certificate needs to be replaced as the current certificate will expire Monday May 20, 2024. The current QuoVadis certificate will be replaced by a DigiCert certificate.

 

  • Current expiring certificate: MindConnect MQTT Broker Certificate - QuoVadis Root CA 2 G3 (file: MindSphereRootCA1.pem)
  • New replacement certificate: MindConnect MQTT Broker Certificate - DigiCert Global Root G2 (file: DigiCertGlobalRootG2.crt.pem)

 

For details visit: https://documentation.mindsphere.io/MindSphere/howto/howto-mindconnectmqtt-certificate-expiration.html

 

Things to note:

  • You do not need to upload new X.509 certificates and generate new agent certificates. Only the broker certificate is changing.
  • Only MindConnect MQTT agents are affected. If not updated, these agents will no longer be able to connect to Insights Hub after this date.
  • The two certificates are not valid at the same time. This means you cannot replace the current certificate with the new certificate now. If you do, you will receive the error "Error: unable to get local issuer certificate".

 

You will need to switch out the certificate in your MQTT agent after this date. To avoid connectivity issues and downtime, here are some options you can take ahead of the expiration:

 

Option 1: If your device uses a trust store, you can add the new certificate so both current and new certificates are trusted. Visit the documentation page for some Python and Java examples.

 

Option 2: You can create a combined certificate by copying the contents of both certificates into a single one. This allows seamless connection now and after the expiration. Step-by-step instructions:

  1. Download both broker certificates. See below for location.

  2. Make a copy of the MindSphereRootCA1.pem file so you have two copies.

  3. Rename the copy to something memorable. E.g., CombinedCerts.pem

  4. Open both CombinedCerts.pem and DigiCertGlobalRootG2.crt.pem in a text editor.

  5. Copy the contents of DigiCertGlobalRootG2.crt.pem and append it to CombinedCerts.pem. Your file should look similar to this in the text editor:

    -----BEGIN CERTIFICATE-----
    MIIDjjCCA...<truncated for readability>

    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE----- <--appended new cert content here
    MIIFY...<truncated for readability>

    -----END CERTIFICATE-----

  6. Save the CombinedCerts.pem file. You should now have the following files in your directory:
    MindSphereRootCA1.pem (original)
    DigiCertGlobalRootG2.crt.pem (original)
    CombinedCerts.pem (new combined)

  7. In your MQTT device agent, replace the use of MindSphereRootCA1.pem with the new combined certificate CombinedCerts.pem. Your agent will continue to be able to connect to Insights Hub now and after the current certificate expires.
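The combining steps above can also be scripted so the result is checked rather than edited by hand. The following is an added example, not code from this article or from the Insights Hub documentation; the function names read_certs and combine_pem are hypothetical, and the sample blocks are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; blank lines inside a block are tolerated.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_certs(pem_text):
    """Return the DER bytes of every certificate block found in pem_text."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        # validate=True rejects stray text pasted into a block (raises ValueError).
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        ders.append(der)
    return ders


def combine_pem(current_text, new_text):
    """Return (bundle_text, sha256_fingerprints) for the two PEM inputs."""
    ders = []
    for label, text in (("current", current_text), ("new", new_text)):
        found = read_certs(text)
        if not found:
            raise ValueError(f"no certificate found in the {label} file")
        for der in found:
            if der not in ders:  # same file given twice: keep one copy
                ders.append(der)
    blocks = []
    for der in ders:
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        # Re-emit each block so BEGIN/END markers always sit on their own line.
        blocks.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    return "\n".join(blocks) + "\n", [hashlib.sha256(d).hexdigest() for d in ders]


if __name__ == "__main__":
    # Constructed stand-ins (5-byte DER values, not real certificates). The first
    # has no trailing newline, as a hand-edited file often does.
    old = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"
    new = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
    bundle, fingerprints = combine_pem(old, new)
    print(bundle, *fingerprints, sep="\n")
```

For real use, pass the contents of MindSphereRootCA1.pem and DigiCertGlobalRootG2.crt.pem, write the returned text to CombinedCerts.pem, and compare the returned SHA-256 fingerprints with the values published by each certificate authority before deploying the file.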

 

For Reference:

https://documentation.mindsphere.io/MindSphere/howto/howto-mindconnectmqtt-certificate-expiration.html

 

Download current and new broker certificates in Insights Hub:

  1. In the Asset Manager application, click the Connectivity menu and click MQTT Certificates.
  2. Click the Download broker certificate link to download current and new certificate files.

  3. You should now have the following files saved to your browser download folder:
    MindSphereRootCA1.pem
    DigiCertGlobalRootG2.crt.pem

KB Article ID# KB000131093_EN_US


Associated Components

Connectivity - Other MindConnect MQTT