1. Get MQTT (like mosquitto) operating with SSL - use http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt as your primary guide to building out your self-signed CA cert and your server cert and key. Simply follow their directions with the one caveat of setting IPLIST and HOSTLIST environment variables prior to executing the generate-CA.sh script. This will be necessary for hosted environments like AWS where the actual IP address of the system cannot be used to access the server from the internet. Put the external facing IP address in IPLIST and the external facing fully qualified domain name (FQDN) into HOSTLIST. If you have multiple usable ip addresses or hostname aliases, enclose them in quotes and separate them with spaces  (export IPLIST="")
  2. Complete steps 1-3 in the instructions above. This is sufficient to get the MQTT traffic encrypted and use it with Thingworx. Do not proceed until you can make a mosquitto_pub and mosquitto_sub pass data using the --cafile option and get an error if you do not supply the --cafile option. Make sure you have a copy of the ca.crt file generated by the script above to reference in the commands. Note that it may be necessary to use the ip address rather than the FQDN.
    1. mosquitto_sub --cafile path/to/ca.crt -h ipaddr -t topic
    2. mosquitto_pub --cafile path/to/ca.crt -h ipaddr -t topic -m message
  3. Create an MQTT Thing in Thingworx based on the MQTT ThingTemplate.
  4. Create a property in the new thing for sending messages to the MQTT broker.
  5. In the configuration page for the new MQTT Thing, set the serverName, serverPort and check the useSSL checkbox.
  6. In the Property to MQTT topic mappings, create a publish entry that points to the property you created in the thing and set the topic to the mqtt topic on which you want to publish .
  7. The ca.crt file created in the above script is the certificate for a new Certificate Authority (self-signed, so not really official). Clients may have to import this certificate into their trusted CA Root store in order to make the encryption work.
  8. Add the ca.crt file from the mqtt broker system to a keystore file that will become tomcat's truststore (the list of CAs trusted by the server). See the Tomcat documentation if you need to configure https on tomcat as well. Create a new keystore if one does not already exist as a truststore.
    1. keytool -import -trustcacerts -file /path/to/ca/ca.crt -alias CA_ALIAS -keystore path/to/TrustStore -storepass mypassword).

Replace the CA_ALIAS with some identifying string like MyPrivateCertificateAuthority. It did not appear to care about the CA_ALIAS value used.

Replace path/to/truststore to point to the file that already exists or you want to create.

  1. Add the following to the CATALINA_OPTS for starting tomcat
    1. -Djavax.net.ssl.trustStore=path/to/TrustStore" 
    2. -Djavax.net.ssl.trustStorePassword=xxxx

Replace path/to/TrustStore with the pathname of the file you created / updated with keytool above.

Replace xxxx with whatever password you used in the keytool command above


  1. Restart tomcat.
  2. Check the mqtt Thing for its isConnected property. It should now be true. If it is not, then check the log files for mosquitto and for tomcat looking for SSL issues.
  3. Change the property value and see it appear in the output of a (properly constructed) mosquitto_sub --cafile path/to/TrustStore -t test somewhere.