MQTT is a machine-to-machine (M2M)/"Internet of Things" connectivity protocol.
Eclipse Mosquitto is an open source message broker that implements the MQTT protocol.
MQTT Mosquitto broker with SSL/TLS transport security
To configure the Mosquitto broker we first need to copy the certificate and key files to a known directory. We will create a certs directory under /etc/mosquitto containing:
ca.crt – The public certificate of the CA (Certificate Authority) that issued the host certificate.
hostname.crt – The public certificate of the host that will run the Mosquitto broker.
hostname.key – The private key of that host.
After this we can modify the Mosquitto configuration file. One important thing to keep in mind is that the lines belonging to a listener must follow the listener directive one after another, without blank lines in between.
# Plain MQTT protocol
# End of plain MQTT configuration
# MQTT over TLS/SSL
# End of MQTT over TLS/SSL configuration
# Plain WebSockets configuration
# End of plain WebSockets configuration
# WebSockets over TLS/SSL
Authentication by using client certificates
Using client certificates signed by a certificate authority guarantees the client's identity. The certificate authority used must be the same one that issued the server certificates, and this is only supported over TLS/SSL.
To use client certificates for authentication, we need to change the TLS/SSL listener configuration by adding the following directives:
# MQTT over TLS/SSL
The require_certificate directive with the value true means that clients must now present a client certificate in order to connect.
The use_identity_as_username directive means that the user name of the connecting client is taken from the CN (Common Name) field of its certificate; otherwise we still need to provide a user name and password.
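A complete listener section that puts these directives together, added here as an illustration and not copied from the original post. The certificate paths follow the /etc/mosquitto/certs layout described above; the password file path is an assumption.

```conf
# Plain MQTT listener, bound to loopback so only local clients can use it (constructed example)
listener 1883 127.0.0.1

# MQTT over TLS/SSL with client-certificate authentication
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/hostname.crt
keyfile /etc/mosquitto/certs/hostname.key
tls_version tlsv1.2
# Reject any client that does not present a certificate issued by the CA in cafile
require_certificate true
# Take the username from the certificate CN; without this line the client
# still has to send a username and password checked against password_file
use_identity_as_username true

# Fallback credentials for clients that do not authenticate with a certificate.
# These two settings apply to every listener unless per_listener_settings is enabled.
allow_anonymous false
# assumed path
password_file /etc/mosquitto/passwd
```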
On the client side we should then have three files, two of them being user1.crt, the user certificate, and user1.key, the user1 private key:
# mosquitto_pub --cafile /etc/mosquitto/certs/ca.crt -h localhost -t "test" -m "message" -p 8883 -d --cert user1.crt --key user1.key
Client mosqpub/30264-pcortex sending CONNECT
Client mosqpub/30264-pcortex received CONNACK
Client mosqpub/30264-pcortex sending PUBLISH (d0, q0, r0, m1, 'test', ... (7 bytes))
Client mosqpub/30264-pcortex sending DISCONNECT