Skip to content


MindConnect MQTT Broker Certificate Expiration

  1. What is the reason behind this change?
    Adhering to company wide security policy, we are required to switch to DigitCert.

  2. When will the certificate be replaced?
    The planned time is on 20th May at 14:30 UTC.

  3. How long will the update take?
    The certificate update is going to take maximum of 30 minutes.

  4. How often will the certificate change happen in the future? Every one year, two years or not happen for 10 years?
    Basically, we update our internal certificates once in a year. However, as there is no impact on the customer, we have not shared any notification so far. But this change is different than the earlier ones. This time, the certificate type is going to be changed and it has an impact on the customer. Once the type is changed, we anticipate no impact on the customer end for the future changes.

  5. Do all the MindConnect MQTT users need to take the action? Like Windows PCs, the client device may hold all the popular CA’s root certificates. Will the action still be required?
    Yes, this change affects all customers.

  6. Do Agent (Device) certificate and keys need to be updated?
    No, there will be no impact on agent certificates. Only the root certificate for connection will change and the new one should be downloaded from the UI and used for connection.

  7. If I am a Python code user, replacing MindSphereRootCA1.pem with server_combined.pem work fine with adjusting file name?
    Yes, based on our sample code on documentation (MindConnect MQTT Broker Certificate Expiration), on Python code, a combined certificate can be created by copying both certificates into one certificate file then replacing the previous file name with the new combined one.

  8. If I am a java code user, can I use the combined certificate instead of using keyStore.setCertificateEntry for both CA’s?
    No. Based on our sample code on documentation (MindConnect MQTT Broker Certificate Expiration), on Java code, a combined certificate cannot be used. It should make use of trust store by storing old and new certificates in it. Please also note that this is only our suggested solution. We have created this documentation by our own investigations. Since we do not have any authority on Client end, if you would like to take some different approach, you could investigate some other solutions.

  9. Is there anyway to check the new certificate connection before 20th May – 14:30 UTC?
    No. You cannot use the new certificate before that date. Broker supports only one certificate at a time. So, before 20th of May, use the current (QuoVadis) certificate and after the replacement, switch to the new certificate (DigiCert).

Last update: April 30, 2024

Except where otherwise noted, content on this site is licensed under the Development License Agreement.