Using PQC to secure MQTT with TrustEdge

This tutorial walks you through setting up a TLS 1.3 session secured by post-quantum cryptography (PQC). You will generate ML-DSA certificates with TrustEdge, configure an open-source Mosquitto MQTT broker, and run TrustEdge MQTT clients to exchange messages over a PQC-protected channel.

Before you begin

Make sure you understand the following:

You need a TrustEdge compatible device.
sudo (root) privileges on your device is needed.
The user running TrustEdge CLI commands must be a member of the trustedge group.
- Use groups "$(whoami)" to see group membership.
- Use sudo adduser "$(whoami)" trustedge to add your user to the trustedge group.
You have an understanding of TrustEdge keystore directory and permissions.
GitHub CLI to clone TrustEdge repository.

Step 1: Install TrustEdge

Download the appropriate TrustEdge release .deb package for your CPU architecture:

# 64-bit Intel/AMD (x86_64)
wget https://github.com/digicert/trustedge/releases/download/trustedge_24.7.2-2187/trustedge_24.7.2-2187.x86_64.deb

# 64-bit ARM (AArch64)
wget https://github.com/digicert/trustedge/releases/download/trustedge_24.7.2-2187/trustedge_24.7.2-2187.aarch64.deb

# 32-bit ARM
wget https://github.com/digicert/trustedge/releases/download/trustedge_24.7.2-2187/trustedge_24.7.2-2187.arm.deb

Remove any previous TrustEdge installation:
```
sudo apt remove --purge trustedge
```

Install the new package:

sudo dpkg -i trustedge_24.7.2-2187.<cpu_arch>.deb

Verify version ≥ v24.7.2-2187:
```
trustedge --version
```

Step 2: Clone TrustEdge repository

Clone the TrustEdge repository for the PQC demo tools:
```
git clone https://github.com/digicert/trustedge.git
```
Go to the pqc-demo directory:
```
cd trustedge/examples/pqc-demo
```

Step 3: Generate ML-DSA certificates

Copy the PQC demo CSR configuration files to the /etc/digicert/keystore/conf directory:
```
sudo cp ca_csr.cnf /etc/digicert/keystore/conf
sudo cp server_csr.cnf /etc/digicert/keystore/conf
```
Tip
You can automate the next steps by running the PQC demo script certGeneration.sh. If you decide to automate this process, skip to Step 4: Configure and start the MQTT broker.

Generate root CA key and certificate:

sudo trustedge certificate -a QS -g MLDSA_44 -o CA.key -x CA.crt -i ca_csr.cnf -da 3651

Generate server key and certificate signed by the root CA:

sudo trustedge certificate -a QS -g MLDSA_44 -o server.key -x server.crt -i server_csr.cnf -da 3651 -sk CA.key -sc CA.crt

Verify server and CA certificates:

sudo trustedge certificate -pc /etc/digicert/keystore/certs/server.crt
sudo trustedge certificate -pc /etc/digicert/keystore/certs/CA.crt

Copy server certificate and key to the PQC demo keystore/ directory:

sudo cp /etc/digicert/keystore/keys/server.key ./keystore/server.key
sudo cp /etc/digicert/keystore/certs/server.crt ./keystore/server.crt

Copy CA certificate and key to the PQC demo keystore/ directory:

sudo cp /etc/digicert/keystore/keys/CA.key ./keystore/CA.key
sudo cp /etc/digicert/keystore/certs/CA.crt ./keystore/CA.crt

Step 4: Configure and start the MQTT broker

Add the following MQTT server entry to your /etc/hosts configuration file:
```
127.0.0.1 mqtt-pqc-broker
```
Make start_broker.sh executable:
```
chmod +x start_broker.sh
```

Launch the MQTT broker with TLS 1.3 and ML-DSA credentials:

./start_broker.sh --cert ./keystore/server.crt --key ./keystore/server.key

Confirm broker is listening on port 8883:
```
ss -tlnp | grep 8883
```

Step 5: Run TrustEdge subscriber

Make consumer.sh executable:
```
chmod +x consumer.sh
```

Subscribe to topic pqc/secure/channel:

./consumer.sh --broker mqtt-pqc-broker --port 8883 --ca-cert ./keystore/CA.crt

You should see a “Connected” message followed by readiness to receive.

Step 6: Run TrustEdge publisher

Make publisher.sh executable:
```
chmod +x publisher.sh
```

Publish a test message to pqc/secure/channel:

./publisher.sh --broker mqtt-pqc-broker --port 8883 --ca-cert ./keystore/CA.crt

Step 7: Capture and decrypt handshake in Wireshark

You can capture MQTT traffic on the loopback interface using Wireshark. Configure Wireshark to use your (pre)-master-secret log, filter for TLS packets, and then inspect both the hybrid key-exchange parameters and the server’s PQC x.509 certificate.

Capture traffic on the loopback adapter

Open Wireshark.
Select the “lo” (loopback) interface.
Click Start to begin capture.
Reproduce your MQTT client’s connection.
Stop capture once the TLS handshake and MQTT CONNECT are complete.

Configure TLS decryption

In Wireshark, go to Edit > Preferences.
Expand Protocols, then scroll to TLS.
In (Pre)-Master-Secret log filename, browse and select demo-pqc/client_keys.txt.
Click OK.

Wireshark will now use those secrets to decrypt TLSv1.3 session data, including PQC certificates.

Filter for TLS handshake packets

At the top of the main window, set the display filter to:
```
tls
```
Press Enter.
Note
This hides non-TLS traffic, so you can focus on the handshake.

Examine the key-exchange in ClientHello

Find the ClientHello packet in the packet list.
Expand Transport Layer Security → Extension: supported_groups.
You will see two hybrid groups announced:

Hex Value	Decimal	Name	Description
0x11EC	4588	X25519MLKEM768	Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLS 1.3
0x11EB	4587	secp256r1MLKEM768	Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLS 1.3

Note

These tell the broker which PQC-hybrid key-exchange algorithms the client supports. To look up any new TLS parameter values, consult the TLS Parameters registry on the IANA website.

Inspect the server certificate

Locate the Certificate message sent by the broker.
Expand Transport Layer Security → Certificate and click on the server’s X.509 entry.
Note the Algorithm ID field: 2.16.840.1.101.3.4.3.17
Note
This Algorithm ID is the OID dot notation for ML-DSA-44, the post-quantum signature algorithm. You can see the description and ASN.1 notation at the OID repository for 2.16.840.1.101.3.4.3.17.

In this section: