The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections.
mkdir ~/certs cd ~/certs openssl genrsa -des3 -out ca.key 2048
Add a secret passphrase and store in a secure location.
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Answer the questions at the prompt. Example:
Country Name (2 letter code) [AU]:SE State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:Pixilab CA Email Address []:.
openssl genrsa -out server.key 2048
Adjust the -days parameter to suit you needs in the next command.(valid 10 years in the example)
openssl req -new -out server.csr -key server.key
Answer the questions.
Example:
Country Name (2 letter code) [AU]:SE State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:MQTTServer Email Address []:.
The two last questions can be ignored, just hit enter.
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600
We may have to change user to a super user. I.e
su pixi-admin
sudo cp ca.crt server.crt server.key /etc/mosquitto/certs/
sudo chmod 664 /etc/mosquitto/certs/*
As sudoer user edit the mosquitto config file: sudo nano /etc/mosquitto/conf.d/pixi.conf
# Certificate listener listener 8883 cafile /etc/mosquitto/ca_certificates/ca.crt certfile /etc/mosquitto/certs/server.crt keyfile /etc/mosquitto/certs/server.key require_certificate false password_file /etc/mosquitto/conf.d/pixi-pwd allow_anonymous false
systemctl restart mosquitto