TLS & Security
Securing the connection between your device and the OhioIoT broker.
TLS is on by default
The Minimalist SDK connects over TLS by default. This means all MQTT traffic between your ESP32 and the OhioIoT broker is encrypted — credentials, topics, and payloads are not visible to anyone on the network.
TLS requires two things on the device side: the correct broker port (8883) and a CA certificate file.
Setting up ca_cert.h
The CA certificate tells your ESP32 how to verify the broker's identity. Download it from your OhioIoT dashboard and place it in config/config/ca_cert.h:
#pragma once
const char CA_CERT[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQON...
(your full certificate content here)
...nRFy0Q0nN2bEhp2mRTSF3T8=
-----END CERTIFICATE-----
)EOF";The R"EOF(...)EOF" syntax is a C++ raw string literal — it lets you paste the certificate as-is without escaping newlines. The PROGMEM attribute stores it in flash memory instead of RAM, which matters on memory-constrained devices.
Disabling TLS for development
During development, you might want to skip TLS to simplify debugging or to connect to a local broker. Uncomment the build flag in platformio.ini:
build_flags =
-DALLOW_INSECURE_MQTTAnd change your port to the non-TLS port:
#define MQTT_PORT 1883 // non-TLS
// #define MQTT_PORT 8883 // TLS (default)When this flag is set, the SDK uses a plain WiFiClient instead of WiFiClientSecure, and the ca_cert.h file is not required.
MQTT credentials
Your MQTT username and password authenticate your device with the broker. They're separate from your OhioIoT account login — you create them in the Settings page of the dashboard.
Store them in config/config/credentials.h:
#define MQTT_USER "larry"
#define MQTT_PASS "your_mqtt_password"All devices on your account use the same MQTT username and password. The username is also the first segment of every topic, which is how the broker enforces tenant isolation — you can only publish and subscribe to topics that start with your own username.
credentials.h and ca_cert.h to your .gitignore immediately. These files contain secrets that should never be committed to version control.