Menu

TLS & Security

Securing the connection between your device and the OhioIoT broker.

TLS is on by default

The Minimalist SDK connects over TLS by default. This means all MQTT traffic between your ESP32 and the OhioIoT broker is encrypted — credentials, topics, and payloads are not visible to anyone on the network.

TLS requires two things on the device side: the correct broker port (8883) and a CA certificate file.

Setting up ca_cert.h

The CA certificate tells your ESP32 how to verify the broker's identity. Download it from your OhioIoT dashboard and place it in config/config/ca_cert.h:

#pragma once

const char CA_CERT[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQON...
(your full certificate content here)
...nRFy0Q0nN2bEhp2mRTSF3T8=
-----END CERTIFICATE-----
)EOF";

The R"EOF(...)EOF" syntax is a C++ raw string literal — it lets you paste the certificate as-is without escaping newlines. The PROGMEM attribute stores it in flash memory instead of RAM, which matters on memory-constrained devices.

The certificate must include the full chain — typically just the root CA certificate. If you're not sure which one to use, the OhioIoT dashboard provides the exact file you need.

Disabling TLS for development

During development, you might want to skip TLS to simplify debugging or to connect to a local broker. Uncomment the build flag in platformio.ini:

build_flags =
    -DALLOW_INSECURE_MQTT

And change your port to the non-TLS port:

#define MQTT_PORT   1883    // non-TLS
// #define MQTT_PORT   8883  // TLS (default)

When this flag is set, the SDK uses a plain WiFiClient instead of WiFiClientSecure, and the ca_cert.h file is not required.

Never ship insecure MQTT to production. Without TLS, your MQTT username and password are transmitted in plain text. The insecure flag exists purely for local development and testing.

MQTT credentials

Your MQTT username and password authenticate your device with the broker. They're separate from your OhioIoT account login — you create them in the Settings page of the dashboard.

Store them in config/config/credentials.h:

#define MQTT_USER   "larry"
#define MQTT_PASS   "your_mqtt_password"

All devices on your account use the same MQTT username and password. The username is also the first segment of every topic, which is how the broker enforces tenant isolation — you can only publish and subscribe to topics that start with your own username.

Add credentials.h and ca_cert.h to your .gitignore immediately. These files contain secrets that should never be committed to version control.

Quick reference

ModePortBuild flagca_cert.h
TLS (default)8883(none)Required
Insecure (dev only)1883-DALLOW_INSECURE_MQTTNot needed