Using PQC to secure MQTT with TrustEdge
This tutorial walks you through setting up a TLS 1.3 session secured by post-quantum cryptography (PQC). You will generate ML-DSA certificates with TrustEdge, configure an open-source Mosquitto MQTT broker, and run TrustEdge MQTT clients to exchange messages over a PQC-protected channel.
Before you begin
Make sure you understand the following:
- sudo (root) privileges on your device are needed.
- The user running TrustEdge CLI commands must be a member of the `trustedge` group.
  - Use `groups "$(whoami)"` to see group membership.
  - Use `sudo adduser "$(whoami)" trustedge` to add your user to the `trustedge` group.
Step 1: Install TrustEdge
- Download the appropriate TrustEdge release .deb package for your CPU architecture:
```bash
# 64-bit Intel/AMD (x86_64)
wget https://github.com/digicert/trustedge/releases/download/trustedge_24.7.2-2187/trustedge_24.7.2-2187.x86_64.deb
# 64-bit ARM (AArch64)
wget https://github.com/digicert/trustedge/releases/download/trustedge_24.7.2-2187/trustedge_24.7.2-2187.aarch64.deb
# 32-bit ARM
wget https://github.com/digicert/trustedge/releases/download/trustedge_24.7.2-2187/trustedge_24.7.2-2187.arm.deb
```
- Remove any previous TrustEdge installation:
```bash
sudo apt remove --purge trustedge
```
- Install the new package:
```bash
sudo dpkg -i trustedge_24.7.2-2187.<cpu_arch>.deb
```
- Verify version ≥ v24.7.2-2187:
```bash
trustedge --version
```
Step 2: Clone TrustEdge repository
- Clone the TrustEdge repository for the PQC demo tools:
```bash
git clone https://github.com/digicert/trustedge.git
```
- Go to the `pqc-demo` directory:
```bash
cd trustedge/examples/pqc-demo
```
Step 3: Generate ML-DSA certificates
- Copy the PQC demo CSR configuration files to the `/etc/digicert/keystore/conf` directory:
```bash
sudo cp ca_csr.cnf /etc/digicert/keystore/conf
sudo cp server_csr.cnf /etc/digicert/keystore/conf
```
Tip
You can automate the next steps by running the PQC demo script `certGeneration.sh`. If you decide to automate this process, skip to Step 4: Configure and start the MQTT broker.
- Generate root CA key and certificate:
```bash
sudo trustedge certificate -a QS -g MLDSA_44 -o CA.key -x CA.crt -i ca_csr.cnf -da 3651
```
- Generate server key and certificate signed by the root CA:
```bash
sudo trustedge certificate -a QS -g MLDSA_44 -o server.key -x server.crt -i server_csr.cnf -da 3651 -sk CA.key -sc CA.crt
```
- Verify server and CA certificates:
```bash
sudo trustedge certificate -pc /etc/digicert/keystore/certs/server.crt
sudo trustedge certificate -pc /etc/digicert/keystore/certs/CA.crt
```
- Copy server certificate and key to the PQC demo `keystore/` directory:
```bash
sudo cp /etc/digicert/keystore/keys/server.key ./keystore/server.key
sudo cp /etc/digicert/keystore/certs/server.crt ./keystore/server.crt
```
- Copy CA certificate and key to the PQC demo `keystore/` directory:
```bash
sudo cp /etc/digicert/keystore/keys/CA.key ./keystore/CA.key
sudo cp /etc/digicert/keystore/certs/CA.crt ./keystore/CA.crt
```
Step 4: Configure and start the MQTT broker
- Add the following MQTT server entry to your `/etc/hosts` configuration file:
```
127.0.0.1 mqtt-pqc-broker
```
- Make `start_broker.sh` executable:
```bash
chmod +x start_broker.sh
```
- Launch the MQTT broker with TLS 1.3 and ML-DSA credentials:
```bash
./start_broker.sh --cert ./keystore/server.crt --key ./keystore/server.key
```
- Confirm broker is listening on port 8883:
```bash
ss -tlnp | grep 8883
```
Step 5: Run TrustEdge subscriber
- Make `consumer.sh` executable:
```bash
chmod +x consumer.sh
```
- Subscribe to topic `pqc/secure/channel`:
```bash
./consumer.sh --broker mqtt-pqc-broker --port 8883 --ca-cert ./keystore/CA.crt
```
- You should see a “Connected” message followed by readiness to receive.
Step 6: Run TrustEdge publisher
- Make `publisher.sh` executable:
```bash
chmod +x publisher.sh
```
- Publish a test message to `pqc/secure/channel`:
```bash
./publisher.sh --broker mqtt-pqc-broker --port 8883 --ca-cert ./keystore/CA.crt
```
Step 7: Capture and decrypt handshake in Wireshark
You can capture MQTT traffic on the loopback interface using Wireshark. Configure Wireshark to use your (pre)-master-secret log, filter for TLS packets, and then inspect both the hybrid key-exchange parameters and the server’s PQC X.509 certificate.
Capture traffic on the loopback adapter
- Open Wireshark.
- Select the “lo” (loopback) interface.
- Click Start to begin capture.
- Reproduce your MQTT client’s connection.
- Stop capture once the TLS handshake and MQTT CONNECT are complete.
Configure TLS decryption
- In Wireshark, go to Edit > Preferences.
- Expand Protocols, then scroll to TLS.
- In (Pre)-Master-Secret log filename, browse and select `demo-pqc/client_keys.txt`.
- Click OK.
Wireshark will now use those secrets to decrypt TLSv1.3 session data, including PQC certificates.
Filter for TLS handshake packets
- At the top of the main window, set the display filter to:
```
tls
```
- Press Enter.
Note
This hides non-TLS traffic, so you can focus on the handshake.
Examine the key-exchange in ClientHello
- Find the ClientHello packet in the packet list.
- Expand Transport Layer Security → Extension: supported_groups.
- You will see two hybrid groups announced:
| Hex Value | Decimal | Name | Description |
|---|---|---|---|
| 0x11EC | 4588 | X25519MLKEM768 | Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLS 1.3 |
| 0x11EB | 4587 | secp256r1MLKEM768 | Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLS 1.3 |
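
The same check can be made outside Wireshark on the raw `supported_groups` extension body. The following is an added example, not part of the TrustEdge demo: the function names and the sample bytes are constructed for illustration, and the two classical code points are standard IANA values that do not appear in the table above.

```python
import struct

# The two hybrid code points are from the table above; secp256r1 and x25519
# are the classical IANA values, added so the sample shows a mixed offer.
NAMED_GROUPS = {
    0x0017: "secp256r1",
    0x001D: "x25519",
    0x11EB: "secp256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
}
PQC_HYBRID = {0x11EB, 0x11EC}


def parse_supported_groups(ext_body: bytes) -> list:
    """Parse a supported_groups extension body (RFC 8446, section 4.2.7):
    a 2-byte list length, then 2-byte big-endian NamedGroup values."""
    if len(ext_body) < 4:
        raise ValueError("truncated supported_groups extension")
    (list_len,) = struct.unpack_from("!H", ext_body, 0)
    if list_len % 2 or list_len != len(ext_body) - 2:
        raise ValueError("malformed named_group_list length")
    return [g for (g,) in struct.iter_unpack("!H", ext_body[2:])]


def audit_groups(ext_body: bytes) -> dict:
    """Summarise a client's offer, keeping its preference order."""
    groups = parse_supported_groups(ext_body)
    return {
        "offered": [NAMED_GROUPS.get(g, f"unknown(0x{g:04X})") for g in groups],
        "hybrid_offered": [NAMED_GROUPS[g] for g in groups if g in PQC_HYBRID],
        # True when the client's first choice is a PQC hybrid group.
        "hybrid_preferred": groups[0] in PQC_HYBRID,
        # True when a non-hybrid group is also on offer, so a handshake
        # could still complete without ML-KEM if the server picks it.
        "non_hybrid_offered": any(g not in PQC_HYBRID for g in groups),
    }


# Constructed sample body: both hybrids first, then classical x25519.
SAMPLE = bytes.fromhex("0006" "11EC" "11EB" "001D")

if __name__ == "__main__":
    print(audit_groups(SAMPLE))
```
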
Note
These tell the broker which PQC-hybrid key-exchange algorithms the client supports. To look up any new TLS parameter values, consult the TLS Parameters registry on the IANA website.
Inspect the server certificate
- Locate the Certificate message sent by the broker.
- Expand Transport Layer Security → Certificate and click on the server’s X.509 entry.
- Note the Algorithm ID field:
```
2.16.840.1.101.3.4.3.17
```
Note
This Algorithm ID is the OID dot notation for ML-DSA-44, the post-quantum signature algorithm. You can see the description and ASN.1 notation at the OID repository for 2.16.840.1.101.3.4.3.17.
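
To tie the dotted OID to the bytes Wireshark shows in the certificate, the sketch below DER-encodes and decodes it and counts its occurrences in a DER blob as a quick triage check. It is an added example, not TrustEdge code: the function names are hypothetical and the sample is a constructed AlgorithmIdentifier fragment, not a real certificate.

```python
ML_DSA_44_OID = "2.16.840.1.101.3.4.3.17"  # value from the Algorithm ID field


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OID: tag 0x06, short-form length, base-128 subidentifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    body = bytearray()
    # The first two arcs share one subidentifier: 40 * arc1 + arc2.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))  # continuation bit
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Decode a short-form DER OID TLV back to dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("not a well-formed short-form DER OID")
    subids, value = [], 0
    for byte in der[2:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this subidentifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))


def count_oid(der_blob: bytes, dotted: str = ML_DSA_44_OID) -> int:
    """Count encoded-OID matches in DER bytes. This is a byte scan for
    triage, not an ASN.1 parser, so confirm any hit with a real decoder."""
    return der_blob.count(encode_oid(dotted))


# Constructed sample: SEQUENCE { OID ML-DSA-44 } with parameters absent.
SAMPLE_ALG_ID = bytes.fromhex("300b0609608648016503040311")

if __name__ == "__main__":
    print(encode_oid(ML_DSA_44_OID).hex(), count_oid(SAMPLE_ALG_ID))
```
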