mosquitto TLS setup

This tutorial is a try to make a very simple and reproducible mosquitto TLS setup, that works on modern systems.

Throughout this tutorial I’m assuming mosquitto is installed to /etc/mosquitto.

CA and server certificate

This is the most basic step and setup. We need to generate a CA certificate and a server key. This is the setup for a self-signed certificate server.


We will be placing the certificate files in /etc/mosquitto/certs and perhaps need to create this folder first

mkdir -p /etc/mosquitto/certs
chown mosquitto:mosquitto /etc/mosquitto/certs

Create CA certificates

Use the following commands to create a CA certificate. Important: The FQDN must not be the same as the server FQDN, otherwise you might end up with SSL errors. I use 1825 days, or 5 years.

cd /etc/mosquitto/certs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
chown mosquitto:mosquitto ca.{crt,key}

Generate server certificates

Execute the following commands, one after each other. Important: Here the FQDN must be the hostname, otherwise you might end up with SSL errors. I use 1825 days, or 5 years.

cd /etc/mosquitto/certs
openssl genrsa -out server.key 4096
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1825
chown mosquitto:mosquitto server.{csr,key,crt}

Mosquitto configuration

Ensure, the following lines are in your mosquitto configuration, typically in /etc/mosquitto/mosquitto.conf

listener 8885
tls_version tlsv1.2
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

Testing the connection

All you need to establish a server connection is the ca.crt file on your client machine. Then you can try to subscribe to the server with the following command

mosquitto_sub -h HOSTNAME -t '#' -p 8885 --insecure --cafile ca.crt --tls-version tlsv1.2

If you can connect, then everything should be good.

Client certificates

For more security, you can add client certificates, which need to be signed by the server. This setup builds atop the pervious setup

Creating a client certificate

Follow the following commands to generate client certificates for the client puppet. Important: Don’t use the server name as FQDN, but anything else (why not use puppet?) otherwise your SSL configuration might get confused.

cd /etc/mosquitto/certs
openssl genrsa -out puppet.key 4096
openssl req -out puppet.csr -key puppet.key -new
openssl x509 -req -in puppet.csr -CA ca.crt --CAkey ca.key --CAcreateserial -out puppet.crt -days 1825
chown mosquitto:mosquitto puppet.{csr,crt,key}

Update the mosquitto configuration

To enforce the usage of client certificates, you will need to add require_certificate true to your listener configuration:

listener 8885
tls_version tlsv1.2
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true
use_identity_as_username true         # optional - to use the client names as username

Testing the configuration

Like before, but we will need in addition to also configure the client certificate and key file:

mosquitto_sub -h HOSTNAME -t '#' -p 8885 --insecure --cafile ca.crt --cert puppet.crt --key puppet.key --tls-version tlsv1.2

Generate pkcs12 certificates (for Android)

If you want to use your certificates on Android (e.g. for owntracks)

openssl pkcs12 -export -in puppet.crt -inkey puppet.key -name "puppet's certificate/key" -out puppet.p12

Important: Some Android versions require a password for p12 files in order to work properly.