Insights Hub Updating MindConnect MQTT broker certificate expiring Monday May 20, 2024



This article provides step-by-step instructions on how to update the current broker certificate.


You received an Insights Hub notification that the MindConnect MQTT broker certificate needs to be replaced before Monday May 20, 2024. The current certificate MindSphereRootCA1.pem will be replaced by DigiCertGlobalRootG2.crt.pem. For details visit:


Things to note:

  • You do not need to upload new X.509 certificates and generate new agent certificates. Only the broker certificate is changing.
  • Only MindConnect MQTT agents are affected. If not updated, these agents will no longer be able to connect to Insights Hub after this date.
  • Both certificates are not valid at the same time. This means you cannot replace the current certificate with the new certificate now. You will receive an error "Error: unable to get local issuer certificate".


To avoid connectivity issues and downtime, here are some options:

Option 1: If your device uses a trust store, you can add the new certificate so both current and new certificates are trusted. Visit the documentation page for some Python and Java examples.


Option 2: You can create a combined certificate by copying the content of the certificates into one. This allows seamless connection now and after the expiration. Step-by-step instructions:

  1. Download both broker certificates. See below for locations.
  2. Make a copy of the MindSphereRootCA1.pem file so you have two copies.
  3. Rename the copy to something memorable. E.g., CombinedCerts.pem
  4. Open both CombinedCerts.pem and DigiCertGlobalRootG2.crt.pem in a text editor.
  5. Copy the contents of DigiCertGlobalRootG2.crt.pem and append it to CombinedCerts.pem. Your file should look like:


    -----END CERTIFICATE-----

    -----END CERTIFICATE-----

  6. Save the file. You should have these files in your directory:
    MindSphereRootCA1.pem (original)
    DigiCertGlobalRootG2.crt.pem (original)
    CombinedCerts.pem (new combined)
  7. In your device agent, replace the use of MindSphereRootCA1.pem with the new combined certificate CombinedCerts.pem. Your agent will now be able to connect to Insights Hub now and after the current certificate expires.


For Reference:


Download current broker certificate (MindSphereRootCA1.pem):

  1. In the Asset Manager application, click the Connectivity menu and select MQTT Certificates: 
  2.  Click the Download broker certificate link to download the file:


Download new broker certificate (DigiCertGlobalRootG2.crt.pem):

  1. Visit and click the here link:mqtt_new_cert_download.png

KB Article ID# KB000131093_EN_US



Associated Components

Connectivity - Other MindConnect MQTT