=====Add certificates for the Mosquitto MQTT broker secure connections=====

The method below creates a self-signed certificate that allows the Mosquitto MQTT broker and its clients to communicate over encrypted connections.

===Create a CA (certificate authority) key pair===

<code bash>
mkdir ~/certs
cd ~/certs
openssl genrsa -des3 -out ca.key 2048
</code>

Add a secret passphrase and store it in a secure location.

===Create a certificate for the CA key===

<code bash>
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
</code>

Answer the questions at the prompt. Example:

<code>
Country Name (2 letter code) [AU]:SE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:Pixilab CA
Email Address []:.
</code>

===Create server key pair for the server===

<code bash>
openssl genrsa -out server.key 2048
</code>

Adjust the -days parameter in the signing command below to suit your needs (valid roughly 10 years in the example).

===Create a new certificate request===

<code bash>
openssl req -new -out server.csr -key server.key
</code>

Answer the questions. Example:

<code>
Country Name (2 letter code) [AU]:SE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:MQTTServer
Email Address []:.
</code>

The two last questions can be ignored, just hit enter:

<code>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</code>

===Verify and sign the request===

<code bash>
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600
</code>

===Copy the certificates to Mosquitto===

We may have to change user to a super user, i.e.:

<code bash>
su pixi-admin
sudo cp ca.crt server.crt server.key /etc/mosquitto/certs/
</code>

===Set correct permissions of certs so they can be read by mosquitto===

<code bash>
sudo chmod 664 /etc/mosquitto/certs/*
</code>

Note that mode 664 leaves server.key readable by every local user; if the broker runs as the mosquitto user, having that user own the key with mode 640 is enough for Mosquitto to read it.

===Mosquitto config file===

As sudoer user edit the mosquitto config file:

<code bash>
sudo nano /etc/mosquitto/conf.d/pixi.conf
</code>

<code>
# Certificate listener
listener 8883
# ca.crt was copied to /etc/mosquitto/certs/ in the step above, so point cafile there
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate false
password_file /etc/mosquitto/conf.d/pixi-pwd
allow_anonymous false
</code>

===Restart mosquitto===

<code bash>
sudo systemctl restart mosquitto
</code>
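The CA and server certificate steps above can also be run non-interactively, which is handy when the same broker certificate has to be regenerated on a schedule. The script below is an added example and is not part of the original page: it passes the subject fields with -subj instead of answering prompts, adds a subjectAltName so clients that verify the broker hostname (for example mosquitto_sub with --cafile) accept the certificate, keeps the private keys readable only by their owner, and then checks the result with openssl verify. The directory, hostname and organisation names are constructed for the example; the CA key is left unencrypted here (the page's -des3 passphrase step is omitted) so the script can run unattended.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive CA + server
# certificate generation for a Mosquitto listener, followed by verification.
set -eu

# make_mqtt_certs DIR HOST
#   DIR  - output directory (constructed, e.g. a temp dir)
#   HOST - broker hostname clients will connect to (constructed)
make_mqtt_certs() {
  dir="$1"
  host="$2"
  mkdir -p "$dir"

  # CA key and self-signed CA certificate (10 years, as on the page).
  # Unencrypted CA key so this runs unattended; the page uses -des3.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/C=SE/O=Example Org/CN=Example CA" 2>/dev/null

  # Server key and certificate request; CN is the broker hostname.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=SE/O=Example Org/CN=$host" 2>/dev/null

  # Sign with the CA. The extension file adds a subjectAltName: TLS clients
  # that verify the hostname match it against the SAN, not only the CN.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/server.crt" -days 3600 -extfile "$dir/server.ext" \
    2>/dev/null

  # Private keys must not be world-readable (compare with chmod 664 on the page).
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_mqtt_certs DIR HOST
#   Returns 0 when server.crt chains to ca.crt, is valid for HOST, and
#   server.key is the private key matching server.crt; returns 1 otherwise.
verify_mqtt_certs() {
  dir="$1"
  host="$2"
  # Chain check: the same check a client doing --cafile ca.crt performs.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # Hostname check against the SAN.
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" \
    >/dev/null 2>&1 || return 1
  # Key/certificate match: both must yield the same public key.
  cert_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  return 0
}
```

After make_mqtt_certs has produced the files, the generated ca.crt, server.crt and server.key map one-to-one onto the cafile, certfile and keyfile lines of the listener configuration above, and a client can check the listener end to end with mosquitto_sub -h HOST -p 8883 --cafile ca.crt together with its username and password.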