1 - Setting up the PKI infrastructure

This document describes how to create and manage the certificates required for MQTT


This tutorial is assuming zou are using ubuntu and have installed easy-rsa using sudo apt-get install easyrsa

Initially setting up the infrastructure

Create a new directory and go into it, e.g.

mkdir ~/mqtt.umh.app/
cd ~/mqtt.umh.app/

Enable batch mode of easyrsa with export EASYRSA_BATCH=1

Setup basic PKI infrastructure with /usr/share/easy-rsa/easyrsa init-pki

Copy the default configuration file with cp /usr/share/easy-rsa/vars.example pki/vars and edit it to your liking (e.g. adjust EASYRSA_REQ_… and CA and cert validity)

Build the CA using export EASYRSA_REQ_CN=YOUR_CA_NAME && /usr/share/easy-rsa/easyrsa build-ca nopass. Replace YOUR_CA_NAME with a name for your certificate authority (CA), e.g., UMH CA

Create the server certificate by using the following commands (exchange mqtt.umh.app with your domain!):

/usr/share/easy-rsa/easyrsa gen-req mqtt.umh.app nopass
/usr/share/easy-rsa/easyrsa sign-req server mqtt.umh.app 

Copy the private key `pki/private/mqtt.umh.app.key` and the public certificate `pki/issued/mqtt.umh.app.crt` together with the root CA `pki/ca.crt` to the configuration of the MQTT broker.

## Adding new clients

Create new clients with following commands (remember to change TESTING with the planned MQTT client id): `export EASYRSA_REQ_CN=TESTING && /usr/share/easy-rsa/easyrsa gen-req $EASYRSA_REQ_CN nopass && /usr/share/easy-rsa/easyrsa sign-req client $EASYRSA_REQ_CN nopass`

2 - Edge networking

The UMH stack features a sophisticated system to be integrated into any enterprise network. Additionally, it forces multiple barriers against attacks by design. This document should clear up any confusion.


The factorycube (featuring the RUT955) consists out of two separate networks:

  1. internal
  2. external

The internal network connects all locally connected machines, sensors and miniPCs with each other. The external network is “the connection to the internet”. The internal network can access the external network, but not the other way around, except specifically setting firewall rules (“port forwarding”).

Example components in internal network

  • Laptop for setting up
  • Router
  • miniPC
  • ifm Gateways
  • Ethernet Cameras

Example components in external network

  • Router (with its external IP)
  • the “Internet” / server

3 - How to install an operating system from a USB-stick

This article explains how to install an operating system from a bootable USB-stick.



  1. Plug the USB-stick into the device
  2. Reboot
  3. Press the button to go into the boot menu. This step is different for every hardware and is described in the hardware manual. If you do not want to look it up you could try smashing the following buttons during booting (the stuff before the operating system is loaded) and hope for the best: F1, F2, F11, F12, delete
  4. Once you are in the boot menu, select to boot from the USB-stick

4 - How to connect with SSH

This article explains how to connect with an edge device via SSH

For Windows

For Windows we recommend MobaXTerm.

Get the free Version of MobaXTerm on https://mobaxterm.mobatek.net/download.html

MobaXTerm Session

After launching the program, open a new session by clicking on “Session” in the upper left corner.

Enter your IP, e.g. 192.168.1.XXX, in the Remote Host field. Select “Specify username”. The specific username is rancher.


Enter the password and press enter. The default password of the auto setup will be rancher. You do not need to save the password, just click No.

Successfully logged in via SSH

For Linux

For Linux you can typically use the inbuilt commands to connect with a device via SSH. Connect using the following command:

ssh <username>@<IP>, e.g., ssh [email protected].

Connect via SSH

There will be a warning saying that the authenticity of the host can’t be established. Enter yes to continue with the connection.

Warning message: The authenticity of host 'xxx' can't be established.

Enter the password and press enter. The default password of the auto setup will be rancher.

Successfully logged in via SSH

5 - How to flash an operating system onto a USB-stick

There are multiple ways to flash a operating system onto a USB-stick. We will present you the method of using balenaEtcher.


  • You need a USB-stick (we recommend USB 3.0 for better speed)
  • You need a OS image in the *.iso format. For k3OS you could choose for example this version


Download balenaEtcher: www.balena.io/etcher/

Insert USB-stick and open balenaEtcher

Select downloaded *.iso by clicking on "Flash from file" (the sceeen might look different based on your operating system)

Select the USB-stick by clicking on "Select target"

Select "Flash"

It will flash the image on the USB-stick

You are done!

These steps are also available as a YouTube tutorial from the user kilObit.

6 - Versioning in IT

This article explains how version numbers are typically structured in IT.

In IT Semantic Versioning has established itself as the standard to describe versions. It consists out of the format MAJOR.MINOR.PATCH, e.g., 1.0.0.

MAJOR is incremented when making incompatible API changes.

MINOR is incremented when you add functionality

PATCH is incremented when you make bug fixes

If the version is followed by a ‘-’ sign, then it means it is a pre-release and not stable yet. Therefore, the latest stable version means the highest version available that is not a pre-release / has no ‘-’ sign.

More information can be found in the specification of Semantic Versioning 2.0.