Fabian Lehmann

Connect a device to the SAP Cloud Platform Internet of Things Cloud Foundry Environment part 2

In the last blog we created a “device” in the SAP Cloud Platform IoT service. Please also check the complete series:

  • Connect a device to the IoT service part 2 (via IoT Gateway Cloud) – (this blog)

Now it's time to get data.

We want to connect our real “device” (the TI Sensor Tag) to the SAP Cloud Platform IoT service. As already mentioned, I am using a Raspberry Pi as my bridge to the IoT service.

On the RPI we use “node-RED”, which lets us wire up our “TI Sensor Tag” and more in a graphical way. For details please refer to the documentation.

Instructions for installing node-RED can be found here.

For our scenario we need the following “nodes” in “node-RED”:



Because we connect to the IoT service securely using MQTTS, “node-RED” needs the “device” certificates.

Furthermore, the certificates must be in the “PEM” format.

Get the certificates from IoT service

First we will download the certificates from the IoT service cockpit by clicking on the corresponding widget:

We now store this “certificate” on our local machine and extract the archive.

After it is successfully extracted we have the following three files:


To meet the requirement that “node-RED” needs the “PEM” format, we must carry out some steps:

  • Open the file and note down the password
  • Now open the “client.ks” file (I am using the “KeyStore Explorer” tool here) and enter the password. As a result we can now see our device cert.

  • The next step is to export the key pair as a “.p12” file: enter the password again and define the password for the new file:

  • After this is successfully saved we create the “PEM” files by typing the following openssl commands. For a detailed description please check the documentation. In short, we first transform our “.p12” file into a “PEM” file and finally create two files, one with the public certificate and one with the private key:

openssl pkcs12 -in 22112211.p12 -out 22112211.pem
Enter Import Password: <pswd for the newly created p12 file>
MAC verified OK
Enter PEM pass phrase: <new pass phrase for the PEM>
Verifying - Enter PEM pass phrase: <new pass phrase for the PEM>

Remove the pass phrase from the key in our “PEM” file and also write out the public certificate:

openssl rsa -in 22112211.pem -out 22112211_priv.pem
Enter pass phrase for 22112211.pem: <the pass phrase which we defined before>
writing RSA key
<now write the public key (chain) into the new PEM file>
openssl x509 -in 22112211.pem >>22112211_chain.pem


If we now look into these two “PEM” files we can see that we have the certs required for “node-RED”.

Finally, I store the CA “PEM” file from my IoT service tenant directly from the browser.

As a result we now have the three files “node-RED” requires to establish the connection.

Now copy the files to a directory of your choice on the “Raspberry” and check that the “PI user” is allowed to access these files.
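
A pre-flight check for the files produced above, as an added example that is not part of the original post: it classifies the PEM blocks in the key and certificate files and flags an unsplit bundle, a key that still has its pass phrase, or an unencrypted key readable by other users. The function names, the sample PEM text and the finding messages are assumptions made for this example; the file names follow the post.

```javascript
// Added example: classify the PEM blocks in the files produced by the openssl
// steps before pointing the node-RED tls-config at them.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/g;

// One {label, encrypted} entry per PEM block. Text outside the blocks, such as
// the "Bag Attributes" lines written by `openssl pkcs12`, is ignored.
function listPemBlocks(text) {
  return [...text.matchAll(PEM_BLOCK)].map(([, label, body]) => ({
    label,
    // PKCS#8 marks encryption in the label, legacy PEM in a Proc-Type header.
    encrypted: label === "ENCRYPTED PRIVATE KEY" ||
      /^Proc-Type:\s*4,ENCRYPTED/m.test(body),
  }));
}

// keyMode is the key file's permission bits, e.g. fs.statSync(p).mode & 0o777.
// Returns a list of findings; an empty list means the pair looks usable.
function checkTlsFiles(keyText, certText, keyMode) {
  const findings = [];
  const isKey = (b) => b.label.endsWith("PRIVATE KEY");
  const keys = listPemBlocks(keyText).filter(isKey);
  if (keys.length !== 1)
    findings.push(`key file: expected 1 private key, found ${keys.length}`);
  if (keys.some((k) => k.encrypted))
    findings.push("key file: pass phrase has not been removed");
  // An unencrypted key is protected only by its file permissions.
  if (keys.some((k) => !k.encrypted) && (keyMode & 0o077) !== 0)
    findings.push(`key file: mode ${keyMode.toString(8)} lets group/others read it`);
  const certBlocks = listPemBlocks(certText);
  if (certBlocks.some(isKey))
    findings.push("cert file: contains a private key");
  if (!certBlocks.some((b) => b.label === "CERTIFICATE"))
    findings.push("cert file: no CERTIFICATE block found");
  return findings;
}

// Constructed sample input: the bodies are placeholders, not real key material.
const pem = (label) =>
  `-----BEGIN ${label}-----\nQUJDRA==\n-----END ${label}-----\n`;
const bundle = "Bag Attributes\n    friendlyName: device\n" +
  pem("CERTIFICATE") + pem("ENCRYPTED PRIVATE KEY"); // shape of 22112211.pem
const privOnly = pem("RSA PRIVATE KEY");  // shape of 22112211_priv.pem
const certOnly = pem("CERTIFICATE");      // shape of 22112211_chain.pem

console.log(checkTlsFiles(privOnly, certOnly, 0o600)); // split pair, owner-only
console.log(checkTlsFiles(privOnly, certOnly, 0o644)); // key readable by others
console.log(checkTlsFiles(bundle, bundle, 0o644));     // unsplit bundle reused
```

`openssl x509` writes only the first certificate it finds in its input, so `22112211_chain.pem` holds a single certificate even when the bundle contains more.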

The node-RED modelling

In the MQTT node we must set up the connection to the IoT service.

We add a new “MQTT Broker”:

Enter the required data and create a new “tls-config”:

Specify the path to our “PEM” files on the “RPI”:

If we now deploy the flow we can see that our “MQTT” node is successfully connected to IoT service:

We also see in the IoT service that we are now connected.


Time to connect our TI Sensortag:

For this we add the “sensorTag” node to our flow and define the required data:

Finally we create two little functions which collect the measurements (Air Temperature and Luminosity) from the “TI Sensor Tag” and send the data in the right format to the IoT service:

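// First function node: forward the temperature reading (msg.payload.object)
if (typeof msg.payload.object !== "undefined") {
    msg.payload = {"measureIds": 1, "values": msg.payload.object, "logNodeAddr": "1"};
    return msg;
}

// Second function node: forward the luminosity reading (msg.payload.lux)
if (typeof msg.payload.lux !== "undefined") {
    msg.payload = {"measureIds": 4, "values": msg.payload.lux, "logNodeAddr": "1"};
    return msg;
}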

We now connect our nodes and as a result we have this simple flow:


Check what happens in the IoT service

If we go back to the IoT service and press the “Real-Time Measures” widget we can hopefully see our “live data”:

And yeah, whoot! Our data is now visible in the IoT service ;o)

Please refer to the official documentation for more details.

If we go back to our initial screen, we now have a working flow from the device to the IoT service via the Raspberry Pi:

In the next blog I will explain how we can create a device via the API of the IoT service.





      Srinivas Sistu

      very nice blog.....

      Marco Lampe

      These things with the certificates should be explained a little bit more. Generated certificates and the used certificates in the screenshot do not fit together.

      Fabian Lehmann
      Blog Post Author

      hi marco,


      ok i´ve seen you mean this step?

      openssl rsa -in 22112211.pem -out 22112211_nopass.pem

      I´ve corrected it now to the right name:

      openssl rsa -in 22112211.pem -out 22112211_priv.pem





      Emilio Ayala


      Excellent blog and article, the videos are short and perfect for me!

      I'm trying with an ESP32 board in the Arduino IDE (it is very difficult compared to connecting to MQTT with TLS in Python).

      I don't know how to extract the CA certificate (private, cert and CA). Could you explain how to do it?


      Emilio Ayala


      openssl s_client -showcerts -connect someservermqtt:8883 </dev/null 2>/dev/null|openssl x509 -outform PEM >ca_cert.pem

      You must extract the ROOT certificate from ca_cert.pem; the intermediate certificate does not work (in Python with paho and ESP32 with Arduino IDE). I use KeyStore Explorer, and the issuer is DigiCert SHA2 Secure Server. Search Google for the DigiCert CA certificate, download the DigiCert SHA2 Secure Server certificate, open it with KeyStore Explorer and the issuer is DigiCert Global Root CA, then open it again with KeyStore Explorer, extract the PEM file and use it as the CA in Python with paho (bad practice: use ca-certificates.crt or cacert (main Java truststore)):

      #my_ca_cert = "/etc/ssl/certs/ca-certificates.crt"
      my_ca_cert ="/home/developer/mqtt/python/1/DigiCertGlobalRootCA.pem"
      my_key_cert = "/home/developer/mqtt/python/1/client-nuevo.private.pem"
      my_pri_cert = "/home/developer/mqtt/python/1/client-nuevo_chain.pem"

      Jigyasa Sakhuja

      Step 1: I used the OpenSSL command line to connect Node-RED with the IOT services on SCP

      Step 2: I downloaded the Supplier-device_certificate.p12 certificate from the IOT service cockpit

      Step 3: Then, because the certificate was in .p12 format, I changed it into .pem form because Node-RED only accepts .pem format certificates. For this I used this command:

      openssl pkcs12 -in Supplier-device_certificate.p12 -out certificate.pem

      Step 4: Then, after getting the certificate in .pem form, my next step was to separate the private key and certificate into two different files, as Node-RED needs the private key and certificates separately.

      So, I did that by using these two commands:

      openssl rsa -in certificate.pem -out certificate_priv.pem

      openssl x509 -in certificate.pem >>certificate_chain.pem

      Step 5: I generated a root certificate online and converted that also in .pem format


      But still I am not able to connect Node-RED with the IOT cloud platform. So, can you please tell me what I can do now to make the connection between them, as the node is not showing the status 'connected'; instead it is showing 'connecting' after following all these steps also