IoT device firmware development guideline?


I’m developing my own device (let say a kind of sensor) and writing a firmware for it using Arduino libraries. I want to connect this device to your IoT platform, because it looks very promising, but apparently I need some guidance for that.
Suppose I installed OpenRemote software locally on my computer, and my sensor should communicate with it via public internet connection.

There are my questions:

  • Where can I find some specification or guide I should follow in my firmware to establish communication with OpenRemote software stack? In particular, what is the preferred way to make this connection secure?
  • Is there some example firmware project which I could use as template, something like this one for IBM Watson IoT Platform?
  • Is it possible to implement Over-The-Air Firmware Update feature for my device using OpenRemote?



If you want your device to establish a connection to OpenRemote then like the IBM IoT example you posted then MQTT is the way to go, there’s details here:

We’ll be updating these pages the next few days as they are a bit too cryptic and difficult to follow at the moment. Some simple steps:

  1. Create an instance of the ClientEventProtocol (this behind the scenes generates an OAuth client to allow you to programmatically authenticate with OpenRemote).
  2. Add an asset to the manager using the UI either using one of the existing asset types or creating a Thing and customising the attributes that it would have
  3. For each attribute that you want to access via MQTT you need to add a configuration item called Agent Link where the value should be as follows with the correct asset id inserted into the json:

You’ll then hopefully be able to follow the MQTT guide.

1 Like

i followed all instructions, but I’m not able to connect to the mqtt broker (MQTTX tool on windows).

I used the docker-compose.yml from the get started section on github → all docker containers up and running. I can access openremote manager UI & keycloak admin console.

I created a ClientEventAgent and try to make a mqtt connection with MQTT client (since esp32 can’t connect) for testing.
But i can’T login into openremote. What is wrong in my setup?
It would be great if you have a hint.
Thank you very much.

Please see this post:

Hi Al and Ziro,
We have just added a method for auto provisioning devices you are developing yourself (eg. based on ESP32). Using certification through X.509 or HMAC you can provision an automated connection which first creates a service user and subsequently creates an Asset in OpenRemote. User Guide: Auto provisioning

Hi @Pierre,

I am really interested on this concept because I have developed devices myself based on the ESP32. But there are several things I can’t figure out in the user guide. Perhaps you could clarify a bit more for me.

When creating a new provisioning configuration a CA Certificate (PEM) should be filled in. What should be filled in here? I can’t seem to find any information about CA certificates.

In section “Connect flow” there is an image that states “subscribe to ‘provision/UNIQUE_ID/response’”. I tried it as an API request. I got a 404Not Found as response. And if I use /provisioning I got empty response back. So where should I use provision/UNIQUE_ID/response to subscribe and the UNIQUE_ID is given by the client so it could be ‘1’ or ‘unique_id_1’ ?

I hope you could help me,

Thank you in advance


The CA Certificate is the certificate authority (signing authority) for your device certificates in standard PEM format. This can be a self signed CA certificate or one from a trusted CA.

At the bottom of the wiki page is a link which describes cert generation.

There is also an extensive test in our codebase which covers this functionality (even if not familiar with java & groovy you should be able to read along the when-then statements):

Provisioning Test

This test uses self signed device and CA certificates also in the code base:

Provisioning Test Certificates

The endpoints (provisioning/UNIQUE_ID/response and provisioning/UNIQUE_ID/request) shown in the diagram are MQTT topics not HTTP endpoints.

Thanks for the answer, I’ll have to wrap my head around it and dig in deeper to understand it fully. But this gives me a good starting point.

Hi Rich,

After some trying to understand, I am left with some question.

At Certificate Generation it is described on how to create a certificate, and make it work in three steps. Step one I managed to do based on this link:

But step 2 and 3 are not really clear to me.

  1. The certificate should then be signed by an intermediate CA.

Is this that we should sign our CA certificate to an approved organization? Or is it also possible to do it our self/ make use Certbot?

  1. The intermediate CA certificate is then uploaded into OpenRemote within a Realm config instance

This upload I expected to be at the Provisioning configurations in the CA Certificate (PEM), or should this upload be done in Keycloak?

Thanks again


The first certificate you are generating in the linked article is a CA certificate which means it can be used to then sign other certificates.

I don’t believe you can use certbot to generate CA certificates so if you wanted properly signed certificates you would need to buy a CA certificate from a trusted CA.

The article describes creating self signed certificates (both CA certificate and then client leaf certificates from this self signed CA certificate).

Having certificates that are signed by a trusted CA is only a requirement if your devices are connecting to some other service that requires this, self signed will work fine with OpenRemote; obviously your CA certificate private key must be stored securely as anyone with it could generate their own client certificates.

Hope this helps.


Hi Rich,

Thanks for your help it indeed gave me a lot of insights. I got the CA certificates signed, and tried to add the content that was generated in .pem format to the Provisioning configurations.

Although this seems to work, I can’t seem to connect and get a response from the server. provisioning/1/request is the topic I used with

{ "type": "x509", "cert": "..." }

as payload. I can’t seem to get a response.

I tried several thinks:
Change the topic to :{realm}/{clientId}/writeattribute/provisioning/1/request
Connect to the newly created Provisioning configurations within the mqtt configuration so change username to: {realm}:{username} without password.

As well as I tried to add assets template into Provisioning configurations, followed the layout from the example in the wiki. Even a simple json assets addition won’t be saved.

I am missing something?

Thanks for your help again. :innocent:

Are you also subscribing to the response topic provisioning/1/response this is where any response to provisioning requests are published, it should indicate success or error.

Hi Rich,

This did the job indeed, I got the connection working with the MQTTX application.

After several days of trying to get a connection with the esp32, I can’t seem to get it to work.

I am able to ping the 8884 port of the server. But when I try to connect with several different examples, and writing my own code nothing works to connect the esp32.

Is there some config I have to edit within openremote to be able to connect the esp32 to openremote mqtts?

Thanks in advance again :slight_smile:

Hi Xander,

Glad to hear you’ve got things working. As for the ESP32 we have a project where the customer is connecting ESP32 boards to the MQTT broker over TLS and the SSL cert DB that espressif has is not up to date and the recent letsencrypt root cert expiration issue has caused problems. I believe they ended up embedding the current letsencrypt CA chain to get it working.

Hi Rich,

I got it to work with the PubSubClient and WiFiClientSecure library. So thank you for all the help on this topic!

Thanks, Rich, for sharing the info on implementing TLS on your MQTT project.

1 Like

And I found a comprehensive article that’s just to the point. It might be useful for your project, too:е/. It explains how to configure TLS and certificate-based authorization for Mosquitto MQTT broker. The article includes four steps you need to make:
Setting up Mosquitto and Management Center.
Running caddy reverse proxy.
Configuring Eclipse Mosquitto to use a secured listener for MQTT connections.
Testing Test the TLS over MQTT connection.

1 Like