Add certificates for Mosquitto secure connections

The steps below create a self-signed certificate authority (CA) and a server certificate signed by it, which lets the Mosquitto MQTT broker and its clients communicate over TLS-encrypted connections.

Create a CA (certificate authority)

mkdir ~/certs
cd ~/certs
openssl genrsa -des3 -out ca.key 2048

Create the CA certificate (you will be prompted for the passphrase set with -des3 above and for the certificate's subject fields)

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create server key and cert

openssl genrsa -out server.key 2048

Create a signing request for the server key. When prompted for the Common Name, enter the hostname clients will use to reach the broker; clients that verify the server certificate check it against that name.

openssl req -new -key server.key -out server.csr

Sign the request with the CA (you will be asked for the CA key passphrase). Adjust the -days parameter to suit your needs in the next command (about 10 years in the example).

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600
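The certificate steps above as one non-interactive script, added here as an example and not part of the original page. It goes a little beyond the page's commands: it adds a subjectAltName for the broker hostname and checks the chain and hostname the way a verifying client would before the files are copied into place. Assumptions: openssl is on PATH, the output directory is passed as the first argument and the broker hostname as the second.

```shell
#!/bin/sh
# Added example (not the page's own commands): the certificate steps above run
# non-interactively, with a subjectAltName for the broker hostname and a
# chain/hostname check before anything is copied into /etc/mosquitto.
# Assumptions: openssl on PATH; $1 = output directory, $2 = broker hostname.
set -eu

make_mqtt_certs() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  # CA key and self-signed CA certificate. The page encrypts ca.key with -des3;
  # here it is left unencrypted so the script runs unattended, so keep it 0600.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" \
    -subj "/CN=Mosquitto test CA" -out "$dir/ca.crt"
  # Server key and CSR. CN and SAN carry the name clients connect to; a client
  # that verifies the broker's certificate checks that name.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" >"$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/server.ext" -days 3600 -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/server.key"
  rm -f "$dir/server.csr" "$dir/server.ext"
  # The checks a TLS client performs: the chain validates against ca.crt and
  # the certificate matches the hostname. Either failing aborts via set -e.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
  openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" | grep -q 'does match'
  echo ok
}

# Usage: sh make_certs.sh ~/certs broker.example.test  (hostname is a placeholder)
if [ "$#" -ge 2 ]; then
  make_mqtt_certs "$1" "$2"
fi
```

The files it leaves in the output directory (ca.crt, server.crt, server.key) are the ones the copy step below expects.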

Copy the certificates to Mosquitto

sudo cp ca.crt /etc/mosquitto/certs/
sudo cp server.crt /etc/mosquitto/certs/
sudo cp server.key /etc/mosquitto/certs/

Set ownership and permissions so the broker can read the files but the private key is not world-readable (the Debian package runs the broker as the mosquitto user)

sudo chown root:mosquitto /etc/mosquitto/certs/*
sudo chmod 644 /etc/mosquitto/certs/ca.crt /etc/mosquitto/certs/server.crt
sudo chmod 640 /etc/mosquitto/certs/server.key

Mosquitto config file

As a user with sudo rights, edit the Mosquitto config file: sudo nano /etc/mosquitto/conf.d/pixi.conf

# Certificate listener
listener 8883
# Same directory the certificates were copied to above
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
# Clients are not asked for a certificate; they authenticate with the password file below
require_certificate false

password_file /etc/mosquitto/conf.d/pixi-pwd
allow_anonymous false
# Use TLS 1.2
tls_version tlsv1.2

Restart mosquitto (it runs as a system service, not a per-user one)

sudo systemctl restart mosquitto