Mosquitto

p:: MQTT f:: Homebrew

brew install mosquitto

---

• Mosquitto SSL Configuration -MQTT TLS Security
  • mosquitto-tls — Configure SSL/TLS support for Mosquitto

Overview of Steps

1. Create a CA key pair
2. Create CA certificate and use the CA key from step 1 to sign it.
3. Create a broker key pair don’t password protect.
4. Create a broker certificate request using key from step 3
5. Use the CA certificate to sign the broker certificate request from step 4.
6. Now we should have a CA key file,a CA certificate file, a broker key file, and a broker certificate file.
7. Place all files in a directory on the broker e.g. certs
8. Copy the CA certificate file to the client.
9. Edit the Mosquitto conf file to use the files -details below
10. Edit the client script to use TLS and the CA certificate. -details below

sudo su

1. Create a CA key pair

Note: it is OK to create a password protected key for the CA.

openssl genrsa -des3 -out ca.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
....................+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

cat ca.key

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,08A483C22291E4C2
 
DoJDfG3Hmc6pgKHIeB5TkusHipcUThmC3xZxl96soerJmf8H+Vw//p9q+ffeesNP
kduCKuLJS0kKbs4kZPL+uIswPbADA3NlufGW28REu2ingp6994qfBWPpM76rAyX8
VUJPKq8vMU4uTO/bDQONKrkhG2FGhrvQyNIX9Srfwz0gWRxNsf+zq05C9+ydM5D3
J1FSchM7Cgu4Mvmof2/gkEFrUJ7tfoQiLW1Bt1tluxO2rH6J1mnlzScxN0cd1E9N
9ErWNnscRsE3zbOmh5cyCKUiCkUdAUzA5ZOd9BkVRJpq9CatretHZhgWObGKAFo/
s01eoI8aOyNmM2Uty+dFhBfsU8WDChWztVpARrKRebUTWB/QUFYAWwifu1bSDX+L
XckJDHwl3w42MjZwb8ODVqYDAuwUOfTmq2H/XnB/DM2laQMG7T0z6d5vN8rYf8GF
Qj8yHNW9ueRDJYxjm0qdGBCoJ4tWjiElwB2L7DpgCvQ47RM5AL0PUsoSKMSd4wwQ
rSl6E0cJjIA3d+YP7546N+uaCAfcMx1nEPulGEP7g69PpHkQD3Ki5VNdhzqyqVQZ
Q7zm49TInhOViJPRA76BKSGDuUMWVZZtAzwh0TvR+/+h+GsUZvxPpu00xh+ZOCqG
IeDNtgcvuB+Rzxqx4s2G7MMll9CqNeBMwhqW7t4nvT2YZycd2es0fE4uJS0KypvW
h/sNxoQqemVW0CIKh7VCKfrfTkjdLUnNFoNTeiPWXUgNNiBCoj8RcHVIDhQyvYQE
VVOZYpf5cU19Xi9bEwndxG9Tm0g3EmPOE3DQp1B8CeBBFtgqi1Mv3eMpAA4vtkeE
lVofxadN5u9WBX/nYntdYScfVahcuTLk8ppeKrj48l6cRv/KazsUY7JS06HRQE9W
LmXPCJ1hq3+dRp0hPlrYz2NNaxVTZbROArmT00VnlvjRqOWXYt8NX5Yz9Sd1jHZh
jHCTk28IDjQqxP78ca8ZujsYyDspTGYLz1yqX/PJFA68nB3hAQV2tJjeP/ucR8w2
zBV9s4fKO+5hQ08GVEod+lPi7OjJNnRi4Fd7BMMx6dPcPeS8DQ2rws96sLmB5rfY
3yhmf+2sYu5uQloQXswUdkyD+fLJfR3nz4KkC3dqUSIuPlI0qDsECkKbALSlPfdj
o8BzoAVGHCvSFuw+/s8ouQ53JPvVU1qwOJ5fAwcLAhR7UWRelvEIGUBbtnN/46hW
noxm4Ca1acjKQNXS5yadhVESxYsHVVKLlygg3e68aH9tfOYxbmMl/KRKmy3iHHnp
x0mpBaFzNoaWI8sRlhJJIhiviW7Z4FvhVL+67VQc9X10THzocTvmkukG0dc+rawx
nx9c27FmsvRI8VG2QzYyjmg0lfk0B8KJG2o6Vh/Tc/NaSee0+NPt2J2LJ4PYTP/T
cPHitQFq5T9StFoZN0BeM3adUH62lIyDU6baOm7nuvrhjDv9U01EWI4zk7I5vKwj
/uH5wDpRJzQS9ugEZDehzWE5AslQgMyQtO0PVvCIY6f9bv1+SybxaMAz8ZjeyVmM
g6mlZ3k0GcyRMTevwSYQS64KOLJLVpdMHXRJ0zje7gEC7/SFHmj/8A==
-----END RSA PRIVATE KEY-----

2. Create CA certificate and use the CA key from step 1 to sign it

openssl req -new -x509 -days 36500 -key ca.key -out ca.crt

Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TamilNadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

cat ca.crt

-----BEGIN CERTIFICATE-----
MIID+TCCAuGgAwIBAgIUV5P3Sv8ExN277BYhAAyfgu/8nUQwDQYJKoZIhvcNAQEL
BQAwgYoxCzAJBgNVBAYTAklOMRIwEAYDVQQIDAlUYW1pbE5hZHUxEDAOBgNVBAcM
B0NoZW5uYWkxEDAOBgNVBAoMB0FkbWF0aWMxETAPBgNVBAsMCFJvYm9DaGVmMQsw
CQYDVQQDDAJiMTEjMCEGCSqGSIb3DQEJARYUYWRpdGh5YS5qQGFkbWF0aWMuaW4w
IBcNMjExMDE4MDU0NzI5WhgPMjEyMTA5MjQwNTQ3MjlaMIGKMQswCQYDVQQGEwJJ
TjESMBAGA1UECAwJVGFtaWxOYWR1MRAwDgYDVQQHDAdDaGVubmFpMRAwDgYDVQQK
DAdBZG1hdGljMREwDwYDVQQLDAhSb2JvQ2hlZjELMAkGA1UEAwwCYjExIzAhBgkq
hkiG9w0BCQEWFGFkaXRoeWEuakBhZG1hdGljLmluMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA2WFaosUJE0go8os7XuYIwO0vHm7FBAU7liuUEDnJsKiv
72yD92Mnl6yPvSRBBZ368l7OEBbhX8yV9S8gsqs5NXTH5djgE3Xf1cdkXtxPJP45
/PYECZJBBeWsnbS8+LgCPPz6+egFmGfkzPVNfGTxiL8ZdqSs3wxZkDzVaXzn4b2h
VYxBQLzkOVbo7K9DH222d+5a/KaxcIafJ2oVQgiaYNwErkeBd26nknWuy6XgAUQs
vHa4LAOSOQnJJTL4R2R6LsRaFiQZfDHk1lnAEUYqpT5wTMD7Nn09i8Q2ZJ4WOf3d
LglcfR6LBQXZJg0dbwze3rtEn9z48fLjeSTUixkshQIDAQABo1MwUTAdBgNVHQ4E
FgQUBkAqTbYi2lthpRv0QUXK0Plq3RMwHwYDVR0jBBgwFoAUBkAqTbYi2lthpRv0
QUXK0Plq3RMwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAm3DJ
MZvZ/tsUY+rbdrdIS6XhcNlAjRx69ioVgt4B+jwodSzTYrVdXrLR7uQvBbICwA5b
gsY8UlH09O0QXQCeUwImneDogV1CFXO79OVZ2xq4L0Y1ky4pUAX4ASPDNul6WmUz
cEP3Kfau90BhjgGoFZrx5G3d/YRzpvS0hqW3QBndrc01ErOaV/7ci6F13JyCr+eh
dV+2G5yp5cl/bL07+FHjAUB/dfsc1nNqO76OB9FVWkF0m/cH0ZTu66/D72Uzy7CF
OFRTx6PmsclcjLsnPaUQ9nP8y3J7UW7+VFRXSxHHQLgBVZ84RsZlsDHWhugYAPpT
xAEOLP/hoj9GU8kyDg==
-----END CERTIFICATE-----

3. Create a broker key pair. don’t password protect

openssl genrsa -out server.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..................................................................................................+++++
e is 65537 (0x010001)

cat server.key

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwnRPLaVzUquu9Jw6w1RPn7eLKUS/F3SyQazLR3Tg7pIl96zw
oYhsCV8y6Lhp/U9k8vPAkFCWc1Da2oo50zf4VJ9Kw6ezy39xbpEPG6NbpgZfcpNx
yDn0JyA13/pSvT5TclOgYtvFlhRZfuguxWfDIkGXKLy7IaVOwQWuuk3eeGzJVcmH
YaHURyxKPdLNtjFsolyZBQp8Kc+BoNMb7yBatyX2F84huzqAdJwSay52bBEv6K3C
ZrfEv1rHyX4Qo9f+HCRRBxqpoIplJO8XWmk1WL4rS1xNMsLQBUM9yWMaVLd/BgyS
VCJOyoY+wRq3MJVLa76jZ/6vSFQLw8L8n65xUwIDAQABAoIBAQCHhZ4lNvkftc2y
ZyvBNIJl0vqm4WW4yDjv8qid/YRCYRMbAamXOsfo5DNL5DLiOzIk7OLY8YFZjxFo
XAue/JQTDg2CPN/exMxefbSk034tQKXG6aHUJSfXGOjTV9fQUp6/wC64l2imhzo0
a0clh4KE3memGZrmARrZBcfXyitxi1AZlpd6BEAkxkVHmExW/7jOXizG6RdFWbtr
iR/OHtrRW8hitCk5A2o+Fx6PsdYMiZgYT5tTmH/bkIvxjbxGjg4KGi/+a8GJ4PZ/
6P5sBVpT5dfq/n0Vx2DaNOlJ5+kHKccfA0DIyF/pVaZ8RLXPx52ZHnPjMB7jyXbm
78kDZVpJAoGBAO/leHlmAAchPjoBmlRcijSyiWxgEjiYE0BGguhIYCRScSC8FeBf
xxdkLlWmq0JNhuH/L2NUZgY+tdLxaepJAPBPcmpICrfTTACSn1tddgV47QdIEnCL
5BXbrS8sOxnQIPz5sc8dku5zwSTRcR24Dd6aN3itSXotGC7/TaxhzZOFAoGBAM+B
7y1mbu/O5tDrGr2niZHzHXLYIZwSjQTosHwo1b2s90Y8jzvraZ4LLjbenhXyTD6I
cqo5tJDUGQpgkDrvIWSSjg1qiZYKrlA1vsIeottYvWsZgmRDtP7stqyhqsHVT0Cb
i1cz10ETsDaSV1kuSnK6OQ7i+QlYMJky+F2UhWz3AoGAMvYKS6+xXdJgB66DfFxU
N7Gdo9ocxMz5efQApxuI4O5qfcu20f1Gq99qQGOxidoyRxwQkwdAzR7RPUhveYec
nXAjHBTFwhsu0AhVtfD6u1re72cOE76D62jJN3Yr7+XYvCTG8vqTVfhdFVcwsmGB
AMK9+fLF4yBlPMabV31HUIkCgYBcFnGqWDcLPWq5dFydpegrWRTMjpX7yU/Dye/o
acbRMh1aki2Ojd6FQLj1qL3HR4wGhE8+s/UqALZMIKZhQRY0p8VattjwOTU6a1+I
jkf/x9Xn3Z48GMAOEcbPvb8l3iAZr+2aeWshejdNQIx7C0wGthX0QU37k6OdmT0X
an376QKBgEEWmbTUHO5APa1+USNoWxjplxCQ8l0fUc1jS8TRaC2Oybi3FWURgX6W
VSQdJgr7DwoKG4rlqHd6T6aI8QpfEG+pHpzmh0Vnu44etPk4NCLO67BZgfKuWd5m
GFxvMbNHGKr/MJywKmHsbaG2hSJMVY07XAfwCJRchkm0I+ldWj+a
-----END RSA PRIVATE KEY-----

4. Create a broker certificate request using key from step 3

When filling out the form the Common Name is important and is usually the domain name of the server. You could use the IP address or Full domain name. You must use the same name when configuring the client connection.

openssl req -new -out server.csr -key server.key

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TamilNadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

cat server.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIC5jCCAc4CAQAwgYUxCzAJBgNVBAYTAklOMRIwEAYDVQQIDAlUYW1pbE5hZHUx
EDAOBgNVBAcMB0NoZW5uYWkxEDAOBgNVBAoMB0pVU1RCTFIxDDAKBgNVBAsMA0JM
UjELMAkGA1UEAwwCYjExIzAhBgkqhkiG9w0BCQEWFGFkaXRoeWEuakBhZG1hdGlj
LmluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwnRPLaVzUquu9Jw6
w1RPn7eLKUS/F3SyQazLR3Tg7pIl96zwoYhsCV8y6Lhp/U9k8vPAkFCWc1Da2oo5
0zf4VJ9Kw6ezy39xbpEPG6NbpgZfcpNxyDn0JyA13/pSvT5TclOgYtvFlhRZfugu
xWfDIkGXKLy7IaVOwQWuuk3eeGzJVcmHYaHURyxKPdLNtjFsolyZBQp8Kc+BoNMb
7yBatyX2F84huzqAdJwSay52bBEv6K3CZrfEv1rHyX4Qo9f+HCRRBxqpoIplJO8X
Wmk1WL4rS1xNMsLQBUM9yWMaVLd/BgySVCJOyoY+wRq3MJVLa76jZ/6vSFQLw8L8
n65xUwIDAQABoBswGQYJKoZIhvcNAQkHMQwMCmFkbWF0aWMxMjMwDQYJKoZIhvcN
AQELBQADggEBAIlj1zcJh5u6ISQhyvliShWpgmRXFVQ1j1AuR9XolQhfvUbAMp1X
Hlqpj2y/xBZRW4Z75076kjO05o1M0hvYsLVQ79VZ+g90QECZwdrqis1AC6WcvyCu
584ZJOty5ucXpoZpZhxcKBAfydSqyslj5zIgbv7JIUQs//HxvhtjvV16jkMu85+3
rUsMRzujJ6Pjg7D/DAb3ZIDvgQTtUEc75yDmfTczHsQg+rvu10Wv+inbHcd34wR7
jIAt7/8+/7xjht+oBxgw/mYo1XJwbcF3Kp+jUGSK7qn/7Okg6tJL+AoXlGDfV+pd
J/clwh1Dv1p34AYtuLrMsiUK4njYu2X6hjk=
-----END CERTIFICATE REQUEST-----

5. Use the CA certificate to sign the broker certificate request from step 4

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36500

Signature ok
subject=C = IN, ST = TamilNadu, L = Chennai, O = , OU = , CN = , emailAddress =
Getting CA Private Key
Enter pass phrase for ca.key:

cat server.crt

-----BEGIN CERTIFICATE-----
MIIDmjCCAoICFCiPU/jhFusvuugyaagazldt0jRgMA0GCSqGSIb3DQEBCwUAMIGK
MQswCQYDVQQGEwJJTjESMBAGA1UECAwJVGFtaWxOYWR1MRAwDgYDVQQHDAdDaGVu
bmFpMRAwDgYDVQQKDAdBZG1hdGljMREwDwYDVQQLDAhSb2JvQ2hlZjELMAkGA1UE
AwwCYjExIzAhBgkqhkiG9w0BCQEWFGFkaXRoeWEuakBhZG1hdGljLmluMCAXDTIx
MTAxODA2MDI1OFoYDzIxMjEwOTI0MDYwMjU4WjCBhTELMAkGA1UEBhMCSU4xEjAQ
BgNVBAgMCVRhbWlsTmFkdTEQMA4GA1UEBwwHQ2hlbm5haTEQMA4GA1UECgwHSlVT
VEJMUjEMMAoGA1UECwwDQkxSMQswCQYDVQQDDAJiMTEjMCEGCSqGSIb3DQEJARYU
YWRpdGh5YS5qQGFkbWF0aWMuaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDCdE8tpXNSq670nDrDVE+ft4spRL8XdLJBrMtHdODukiX3rPChiGwJXzLo
uGn9T2Ty88CQUJZzUNraijnTN/hUn0rDp7PLf3FukQ8bo1umBl9yk3HIOfQnIDXf
+lK9PlNyU6Bi28WWFFl+6C7FZ8MiQZcovLshpU7BBa66Td54bMlVyYdhodRHLEo9
0s22MWyiXJkFCnwpz4Gg0xvvIFq3JfYXziG7OoB0nBJrLnZsES/orcJmt8S/WsfJ
fhCj1/4cJFEHGqmgimUk7xdaaTVYvitLXE0ywtAFQz3JYxpUt38GDJJUIk7Khj7B
GrcwlUtrvqNn/q9IVAvDwvyfrnFTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADW8
5luMY2t8I5xLCQSmqoI1nPaC8aeSM6UdzZH+hfVClvPJY/qH9E+4ka8AkLTOe+93
6IM+gQdo/XnNbDx8WNLOkKUTYUSDgk6goqXmG2+dVUK5VEGEYDf8xjrmeDAGlAwN
Pbqp9Drb/yvNwJXMAYKThW5r54NqwMngOoLGqZ+Q5TwomDhM0yv4Z1MiUg1ds3iF
VS2KWosyEBQDXkk3m4e/2FNSfya9qxpaFEA5ZArGXy+WF6Ck3jsNigg5p/9oWwW1
uRGS/qthofdMtm9dpIQRPjagc+rc5AKHFVZDmKBCI1NTOTiTF+eQrD6K1BH0WNCa
kAkkUC4kBLGOMDlwpYE=
-----END CERTIFICATE-----

6. Copy files to mosquitto folder

cp ca.crt /etc/mosquitto/ca_certificates/
 
cp server.crt /etc/mosquitto/certs/
cp server.key /etc/mosquitto/certs/

8. Copy the CA certificate file to the client

# scp ca.crt ...

9. Edit the mosquitto.conf file

vim /etc/mosquitto/mosquitto.conf

# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d


port 8883

cafile /root/ca.crt
keyfile /root/server.key
certfile /root/server.crt

service mosquitto restart

Verify

apt update && apt install mosquitto mosquitto-clients -y

mosquitto_sub -h b1 \
  -p 8883 \
  --cafile ca.crt \
  -t '#' \
  -v

mosquitto_pub -h b1 \
  -p 8883 \
  --cafile ca.crt \
  -t test \
  -m Hello

• Generating a TLS certificate for mosquitto - asciinema
• Why openssl ignore -days for expiration date for self signed certificate?