1MOSQUITTO-TLS(7)         Conventions and miscellaneous        MOSQUITTO-TLS(7)
2
3
4

NAME

6       mosquitto-tls - Configure SSL/TLS support for Mosquitto
7

DESCRIPTION

9       mosquitto provides SSL support for encrypted network connections and
10       authentication. This manual describes how to create the files needed.
11
12           Note
13           It is important to use different certificate subject parameters for
14           your CA, server and clients. If the certificates appear identical,
15           even though generated separately, the broker/client will not be
16           able to distinguish between them and you will experience difficult
17           to diagnose errors.
18

GENERATING CERTIFICATES

20       The sections below give the openssl commands that can be used to
21       generate certificates, but without any context. The asciicast at
22       https://asciinema.org/a/201826 gives a full run through of how to use
23       those commands.
24

CERTIFICATE AUTHORITY

26       Generate a certificate authority certificate and key.
27
28       •   openssl req -new -x509 -days <duration> -extensions v3_ca -keyout
29           ca.key -out ca.crt
30

SERVER

32       Generate a server key.
33
34       •   openssl genrsa -aes256 -out server.key 2048
35
36       Generate a server key without encryption.
37
38       •   openssl genrsa -out server.key 2048
39
40       Generate a certificate signing request to send to the CA.
41
42       •   openssl req -out server.csr -key server.key -new
43
44           Note
45           When prompted for the CN (Common Name), please enter either your
46           server (or broker) hostname or domain name.
47
48       Send the CSR to the CA, or sign it with your CA key:
49
50       •   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
51           -CAcreateserial -out server.crt -days <duration>
52

CLIENT

54       Generate a client key.
55
56       •   openssl genrsa -aes256 -out client.key 2048
57
58       Generate a certificate signing request to send to the CA.
59
60       •   openssl req -out client.csr -key client.key -new
61
62       Send the CSR to the CA, or sign it with your CA key:
63
64       •   openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key
65           -CAcreateserial -out client.crt -days <duration>
66

SEE ALSO

68       mosquitto(8), mosquitto-conf(5)
69

AUTHOR

71       Roger Light <roger@atchoo.org>
72
73
74
75Mosquitto Project                 09/18/2023                  MOSQUITTO-TLS(7)
Impressum