12,14d11
< import java.io.BufferedInputStream;
< import java.io.FileInputStream;
< import java.io.IOException;
23,31d19
< import java.security.KeyManagementException;
< import java.security.KeyStore;
< import java.security.KeyStoreException;
< import java.security.NoSuchAlgorithmException;
< import java.security.PrivateKey;
< import java.security.UnrecoverableKeyException;
< import java.security.cert.CertificateException;
< import java.security.cert.CertificateFactory;
< import java.security.cert.X509Certificate;
39,43d26
< import javax.net.ssl.KeyManagerFactory;
< import javax.net.ssl.SSLContext;
< import javax.net.ssl.SSLSocketFactory;
< import javax.net.ssl.TrustManagerFactory;
< 
154d136
<   public static final String OPCUA_SERVER_KEY_PASSWORD = "opcua";
189,190d170
<     opts.addOption("C", "ca-cert", true,
<         "CA Certificate PEM file used by the mqtt endpoint");
332d311
<   private String mqttCaCertFile;
401c380
<   
---
> 
484,486d462
<       mqttCaCertFile = cmd.getOptionValue("C", null);
<       logger.info("mqttCaCert: {}", mqttCaCertFile);
<       
764c740
<     
---
> 
786d761
<       b.setSocketFactory(getSocketFactory(application, mqttCaCertFile, OPCUA_SERVER_KEY_PASSWORD));
799,843d773
<   private SSLSocketFactory getSocketFactory(UaApplication application, final String caCrtFile, final String password) {
< 		
< 		try{
< 			// load CA certificate
< 			X509Certificate caCert = null;
<       FileInputStream fis = new FileInputStream(caCrtFile);
< 			BufferedInputStream bis = new BufferedInputStream(fis);
< 			CertificateFactory cf = CertificateFactory.getInstance("X.509");
< 
< 			while (bis.available() > 0) {
< 				caCert = (X509Certificate) cf.generateCertificate(bis);
< 			}
< 
<       //Load server certificate and private key 
< 			X509Certificate cert = application.getApplicationIdentity().getCertificate().getCertificate();
< 			PrivateKey key = application.getApplicationIdentity().getPrivateKey().getPrivateKey();
< 
< 			// CA certificate is used to authenticate server
< 			KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
< 			caKs.load(null, null);
< 			caKs.setCertificateEntry("ca-certificate", caCert);
< 			TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
< 			tmf.init(caKs);
< 
< 			// client key and certificates are sent to server so it can authenticate us
< 			KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
< 			ks.load(null, null);
< 			ks.setCertificateEntry("certificate", cert);
< 			ks.setKeyEntry("private-key", key, password.toCharArray(), new java.security.cert.Certificate[]{cert});
< 			KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
< 			kmf.init(ks, password.toCharArray());
< 
< 			// finally, create SSL socket factory
< 			SSLContext context = SSLContext.getInstance("TLSv1.2");
< 			context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
< 
< 			return context.getSocketFactory();
<       
< 		}catch(IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | KeyManagementException  e){
< 
< 			throw new RuntimeException("Unable to create SSL Context to connect to MQTT endpoint", e);
< 
< 		}
< 	}
<