
TLS Config Skill

TLS certificate configuration: test certificates, production setup, backend selection (OpenSSL vs MbedTLS), and Let's Encrypt.

Invoke with: /tls-config

Pre-Built Test Certificates

The ioto/certs/dist/ directory provides ready-to-use test certificates:

| File | Description |
|---|---|
| ca.crt, ca.key | Certificate Authority (signs test.crt) |
| test.crt, test.key | CA-signed server certificate |
| self.crt, self.key | Self-signed certificate |
| ec.crt, ec.key | Elliptic curve certificate (prime256v1) |
| aws.crt | AWS IoT root CA |

These are for development only and must never be used in production: the private keys ship with the source, so anyone holding the distribution can impersonate a device that uses them.

TLS Configuration

json5
{
    tls: {
        authority: '@certs/roots.crt',
        certificate: '@certs/test.crt',
        key: '@certs/test.key',
    },
}

Generating Test Certificates

bash
make -C ioto/certs                   # Generate all test certs
make -C ioto/certs self-signed-cert  # Self-signed certificate
make -C ioto/certs test-cert         # CA-signed test certificate
make -C ioto/certs ec-cert           # Elliptic curve certificate
make -C ioto/certs cert-request      # Generate CSR for external CA
make -C ioto/certs BITS=4096 DAYS=365  # Custom key size and validity
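The make targets above wrap openssl. The following added example (it is not Ioto's Makefile and does not produce the files in ioto/certs/dist) reproduces the same layout with plain openssl commands: a CA, a CA-signed server certificate issued from a CSR as cert-request would produce, and a self-signed prime256v1 certificate. It then checks the result the way any installed certificate should be checked: chain validation against the CA, the certificate's public key against the private key, and that a self-signed certificate does not pass the CA check. It assumes openssl 1.1.1 or later on PATH; the output directory argument and the BITS and DAYS environment variables are this script's own conventions, named to mirror the make variables.

```shell
#!/bin/sh
# Added example, not Ioto's Makefile. Assumes openssl >= 1.1.1 on PATH.
# Usage: sh certs-demo.sh <output-dir>   (BITS and DAYS are optional env vars)
set -eu

# Build ca.crt/ca.key, test.csr -> test.crt/test.key, and ec.crt/ec.key in $1.
make_test_certs() {
    dir=${1:-./certs-demo}
    bits=${BITS:-2048}
    days=${DAYS:-365}
    mkdir -p "$dir"

    # CA: self-signed; openssl's default v3_ca extensions mark it CA:TRUE.
    openssl req -x509 -newkey rsa:"$bits" -nodes -sha256 -days "$days" \
        -subj "/CN=Ioto Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server: private key plus CSR (what cert-request hands to an external CA),
    # then sign the CSR with the CA. The SAN is what clients match the name against.
    openssl req -newkey rsa:"$bits" -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$dir/test.key" -out "$dir/test.csr" 2>/dev/null
    printf '%s\n' 'subjectAltName=DNS:localhost' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > "$dir/test.ext"
    openssl x509 -req -in "$dir/test.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$dir/test.ext" \
        -out "$dir/test.crt" 2>/dev/null

    # EC: self-signed prime256v1 (P-256) certificate.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days "$days" -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
        -keyout "$dir/ec.key" -out "$dir/ec.crt" 2>/dev/null
}

# Chain check, key/cert match for both server certs, and a negative check:
# the self-signed EC cert must NOT validate against the test CA.
verify_test_certs() {
    dir=${1:-./certs-demo}
    openssl verify -CAfile "$dir/ca.crt" "$dir/test.crt" >/dev/null 2>&1 || return 1
    for name in test ec; do
        cert_pub=$(openssl x509 -in "$dir/$name.crt" -pubkey -noout)
        key_pub=$(openssl pkey -in "$dir/$name.key" -pubout)
        [ "$cert_pub" = "$key_pub" ] || return 1
    done
    if openssl verify -CAfile "$dir/ca.crt" "$dir/ec.crt" >/dev/null 2>&1; then
        return 1
    fi
}

# Report the curve of ec.key (expected: prime256v1).
ec_curve() {
    openssl pkey -in "${1:-./certs-demo}/ec.key" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

if [ $# -gt 0 ]; then
    make_test_certs "$1"
    if verify_test_certs "$1"; then
        echo "chain OK, keys match, EC curve: $(ec_curve "$1")"
    else
        echo "verification FAILED" >&2
        exit 1
    fi
fi
```

The same `openssl verify -CAfile` and public-key comparison apply unchanged to a certificate from an external CA or from Let's Encrypt; a mismatch between the configured certificate and key is the most common reason a TLS endpoint fails to start after a certificate swap.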

Production Certificates

bash
certbot certonly --standalone -d your-device.example.com

In standalone mode certbot binds port 80 itself to answer the HTTP-01 challenge, so the device's own web server must not be listening there while the certificate is issued or renewed, and the name must resolve publicly to the device. Let's Encrypt certificates are valid for 90 days: schedule certbot renew and reload the device after each renewal (certbot's --deploy-hook is the usual place for that). privkey.pem is created readable only by root, so the process that loads it needs that access or a copy with equally restrictive permissions.
json5
{
    tls: {
        authority: '/etc/letsencrypt/live/your-device.example.com/chain.pem',
        certificate: '/etc/letsencrypt/live/your-device.example.com/fullchain.pem',
        key: '/etc/letsencrypt/live/your-device.example.com/privkey.pem',
    },
}

External CA

Use make -C ioto/certs cert-request to generate a private key and a CSR, submit the CSR to your CA, then install the signed certificate together with the CA's intermediate chain. The private key never leaves the device: the CA signs only the CSR, and the key that produced it must be the one the tls.key setting points at.
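Before a production certificate (from Let's Encrypt or an external CA) goes live, the files the tls block points at are worth checking mechanically. The following added example is not Ioto's own code; it is a POSIX sh script that takes the certificate and key paths as arguments (for example the fullchain.pem and privkey.pem paths from the Let's Encrypt configuration above), refuses the development files from ioto/certs/dist by name, rejects a private key readable by anyone but its owner, and fails if the leaf certificate expires within 14 days, which is how a stuck certbot renewal shows up before it becomes an outage. It assumes openssl on PATH; the function names and the 14-day threshold are this script's own choices.

```shell
#!/bin/sh
# Added example, not Ioto's own code. Assumes POSIX sh and openssl on PATH.
# Usage: sh check-tls-files.sh <certificate.pem> <private-key.pem>
set -eu

# Reject the development files shipped in ioto/certs/dist by file name.
is_dev_cert() {
    case $(basename "$1") in
        ca.crt|ca.key|test.crt|test.key|self.crt|self.key|ec.crt|ec.key) return 0 ;;
        *) return 1 ;;
    esac
}

# The private key must not be readable by group or others (mode 0600 or 0400).
# ls -L follows symlinks, so the Let's Encrypt live/ -> archive/ link is
# checked by the permissions of the real file.
key_mode_ok() {
    [ "$(ls -lLd "$1" | cut -c5-10)" = "------" ]
}

# The certificate must stay valid for at least $2 seconds (default 14 days).
# openssl x509 reads the first PEM block of the file, which in a Let's Encrypt
# fullchain.pem is the leaf, so this is the leaf's expiry.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-1209600}" >/dev/null 2>&1
}

# Run every check, report each failure, return non-zero if any failed.
check_production_tls() {
    cert=$1
    key=$2
    status=0
    for f in "$cert" "$key"; do
        if is_dev_cert "$f"; then
            echo "refusing development file: $f" >&2
            status=1
        fi
    done
    if ! key_mode_ok "$key"; then
        echo "private key is readable by others: $key" >&2
        status=1
    fi
    if ! cert_not_expiring "$cert"; then
        echo "certificate expires within 14 days: $cert" >&2
        status=1
    fi
    return $status
}

if [ $# -eq 2 ]; then
    check_production_tls "$1" "$2" && echo "tls files OK"
fi
```

Run it from the same deploy hook that reloads the device after renewal, so a renewal that produced a bad key file or silently stopped renewing is caught at the point where it can still be fixed.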

TLS Backend Selection

bash
# OpenSSL (default, recommended for desktop/server)
ME_COM_OPENSSL=1 ME_COM_MBEDTLS=0 make

# MbedTLS (recommended for ESP32 and constrained devices)
ME_COM_MBEDTLS=1 ME_COM_OPENSSL=0 make

| Backend | Best For | Notes |
|---|---|---|
| OpenSSL | Linux, macOS, servers | Full feature set, required for OpenAI |
| MbedTLS | ESP32, FreeRTOS, constrained devices | Smaller footprint, embedded-friendly |

Web Server HTTPS

json5
{
    web: {
        endpoints: [
            { address: ':443' },
            { address: ':80' },
        ],
    }
}

MQTT TLS

json5
{
    mqtt: {
        authority: '@certs/aws.crt',
    },
}