0

I'm new to MQTT. I create a mosquitto broker with ssl and connect successfully. My commands to create certificates as:

openssl req -new -x509 -days durations -keyout mqtt_ca.key -out mqtt_ca.crt
openssl genrsa -des3 -out mqtt_server.key size_bits
openssl req -out mqtt_server.csr -key mqtt_server.key -new
openssl x509 -req -in mqtt_server.csr -CA mqtt_ca.crt -CAkey mqtt_ca.key -CAcreateserial -out mqtt_server.crt -days durations*

In mosquitto.conf:

port 8883
cafile your_path/mqtt_ca.crt
certfile your_path/mqtt_server.crt
keyfile your_path/mqtt_server.key
require_certificate false
tls_version tlsv1.1

But it is just one way connection. I want to set `require_certificate true but I don't know how to create client certificates and modify mosquitto.conf. Please show me how to do that. Thank you so much!

hardillb
  • 54,545
  • 11
  • 67
  • 105
Minh Khánh Nguyễn
  • 1

1 Answers1

0

Creating a Certificate Authority is too detailed to go into here, but there are plenty of examples online e.g There are many examples of how to create your own Certificate Authority (CA) online e.g.

https://jamielinux.com/docs/openssl-certificate-authority/

For the broker certificate the CN should match the host name of the machine running the broker.

For client certificates the CN can be anything you want.

The only changes to the mosquitto.conf file will be to make sure the cafile entry points to the CA certificate you generate at the start of the instructions for setting up the CA.

If you want to enforce require_certificate true then you should probably also look at use_identity_as_username true as well to user the CN from the client certificate as the username when matching against ACLs

hardillb
  • 54,545
  • 11
  • 67
  • 105