sabre1041 / iot-ocp

Internet of Things (IoT) OpenShift Demo Project
Apache License 2.0
53 stars, 27 forks

connect external MQTT client #41

Open vap0rtranz opened 7 years ago

vap0rtranz commented 7 years ago

How does an external MQTT client connect? I was originally trying to connect via an Adafruit MQTT library (compat w/ MQTT v3) but switched to mqtt-spy to diagnose and am seeing connection failure. It looks like the broker is exposed as a route to the service that runs TCP and SSL, so what would the complete URL be? tcp://:443? It looks like TLS is required so I downloaded the cert used by Firefox to connect to the route but that cert isn't allowing mqtt-spy to connect. Exception thrown is below:

2017-06-28 19:02:46,719 INFO  [mqtt-spy [ConnectionRunnable for mqtt-iot-ocp-ssl]] [MqttAsyncConnectionRunnable   ]  - Connecting client ID [mqtt-spy] to server [[ssl://broker-amq-mqtt-iot-ocp.192.168.42.252.nip.io:443]]; options = 
============== Connection options ==============
CleanSession                :  true
SocketFactory               :  sun.security.ssl.SSLSocketFactoryImpl@334460d9
MqttVersion                 :  0
KeepAliveInterval           :  60
ConTimeout                  :  30
UserName                    :  iotuser
SSLProperties               :  null
WillDestination             :  null
==========================================

2017-06-28 19:02:46,920 WARN  [MQTT Con: mqtt-spy            ] [MqttConnectionResultHandler   ]  - Connecting to mqtt-iot-ocp-ssl failed
MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
        at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93)
        at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650)
        ... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)

sabre1041 commented 7 years ago

@vap0rtranz MQTT communication must use TLS with SNI in order for it to be routed properly with OpenShift.
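The connection the reply describes, as an added example that is not part of the iot-ocp project or of either comment: a minimal MQTT 3.1.1 client written against the Python standard library only, which opens a TLS session to the route on port 443 with SNI set (via `server_hostname`, which the OpenShift router uses to select the route and which Python also checks the certificate against), verifies the server certificate chain against a CA bundle instead of disabling verification, sends a CONNECT packet and decodes the CONNACK return code. The route hostname comes from the log in the issue; the CA file path, the password and the client ID are placeholders.

```python
"""Minimal MQTT 3.1.1 client over TLS with SNI (added example, stdlib only).

Not part of the iot-ocp project. Hostname is taken from the issue's log;
CA file path, password and client ID are assumed placeholders.
"""
import socket
import ssl
import struct

BROKER_HOST = "broker-amq-mqtt-iot-ocp.192.168.42.252.nip.io"  # from the issue log
BROKER_PORT = 443
CA_FILE = "route-ca.pem"  # placeholder: CA that signed the route's certificate

CONNACK_CODES = {
    0: "accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix followed by the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def build_connect_packet(client_id, username=None, password=None,
                         keepalive=60, clean_session=True) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet (fixed header type 0x10)."""
    flags = 0x02 if clean_session else 0x00
    payload = encode_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += encode_string(username)
    if password is not None:
        flags |= 0x40
        payload += encode_string(password)
    # Protocol name "MQTT", protocol level 4 (= v3.1.1), connect flags, keepalive.
    variable_header = encode_string("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = variable_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(packet: bytes):
    """Decode a 4-byte CONNACK into (session_present, code, description)."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    session_present = bool(packet[2] & 0x01)
    code = packet[3]
    return session_present, code, CONNACK_CODES.get(code, "unknown")


def make_tls_context(ca_file=None) -> ssl.SSLContext:
    """Strict client context: chain verified against ca_file (or system CAs),
    hostname checked, TLS 1.2 minimum. Verification is never switched off."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before CONNACK")
        buf += chunk
    return buf


def connect(host, port, ca_file, client_id, username, password, timeout=30.0):
    """TLS + SNI handshake to the route, then MQTT CONNECT; returns parsed CONNACK."""
    ctx = make_tls_context(ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname sets SNI (needed by the OpenShift router to pick the route)
    # and is the name the certificate is validated against.
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        tls.sendall(build_connect_packet(client_id, username, password))
        return parse_connack(recv_exact(tls, 4))
    finally:
        tls.close()


if __name__ == "__main__":
    print(connect(BROKER_HOST, BROKER_PORT, CA_FILE, "mqtt-spy", "iotuser", "PLACEHOLDER_PASSWORD"))
```

A "PKIX path building failed" error like the one in the issue means the client could not build a chain from the server's certificate to a trusted CA; the fix on the client side is to supply the issuing CA (the whole chain, not only the leaf certificate) as `ca_file`, which is what `make_tls_context` does. A CONNACK code other than 0 after a successful TLS handshake points at broker-side authentication rather than at the route.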