This article describes how to configure TLS for Mosquitto using a self-signed certificate. I assume that Mosquitto is installed and running.
Browse to the right directory:
Generate a 3DES private key using OpenSSL and put it in the moquitto directory for certificates:
openssl genrsa -des3 -out ca.key 2048
Generate the 3DES certificates using the private key:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Copy the certificate to the right directory:
sudo cp ca.crt /etc/mosquitto/ca_certificates/
Generate an RSA private key :
openssl genrsa -out server.key 2048
Generate the RSA public key:
openssl req -new -out server.csr -key server.key
Generate the RSA certificates using the private key:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650
Configure Mosquitto to listen for TLS connections:
cd /etc/mosquitto/conf.d nano listener.conf listener xxxx 192.168.x.x cafile /etc/mosquitto/ca_certificates/ca.crt certfile /etc/mosquitto/certs/server.crt keyfile /etc/mosquitto/certs/server.key require_certificate false
I don’t enforce the usage of a certificate.
Go to the certificates folder and give the right permissions to the generated certificates.
cd /etc/mosquitto/certs chmod 400 server.key chmod 444 server.crt chown mosquitto server*
Restart the Mosquitto service:
systemctl restart mosquitto.service
This is working for me now. However, while I was documenting this process I figured out I might have mixed up the 3DES and RSA certificates in the Mosquitto configuration. Something to look into at a later moment in time.