Mosquitto MQTT Broker SSL Configuration Using Own Certificates

Hi Steve,

Thanks for the tutorial!
I was wondering, you showed the screenshot of the /etc/mosquitto/certs/ directory including the keyfile with “correct” permissions. But I believe those permissions are incorrect because everyone on the system has access to the private key “server.key” or am I missing something? Since the “others” bit is set to read.

Wouldn’t it be better to have the mosquitto group as the group, and chmod 640 the private key?

Cheers

Hi Steve,
Thank you very much! That resource is really helpful!

“Currently the Paho python client require a CA certificate file and so it is not possible to use a self signed certificate. I came across a couple github threads relating to this but no real solution.”
Can you please explain what you mean by this? “it is not possible to use a self signed certificate” for the Paho client or self signed certificate for the broker(server)? Does it mean Paho python client can’t use TLS unless I purchase a certificate?

Many thanks.

Hi steve,
I am getting below error ,

C:\Program Files\mosquitto>mosquitto_pub.exe -h localhost -t test/msg -m “hello” -p 1883 –cafile certs/ca.crt
Error: protocol error

My Conf file :
cafile C:\Program Files\mosquitto\certs\ca.crt
keyfile C:\Program Files\mosquitto\certs\server.key
certfile C:\Program Files\mosquitto\certs\server.crt
tls_version tlsv1

I run mosquitto broker on a Linux OS. I have followed all the steps, and when I restart my mosquitto broker, I get this error.
job for mosquitto.service failed because the control process exited with error code.
See “systemctl status mosquitto.service” and “journalctl -xe” for details.

Hi,

I run mosquitto on a Linux server and Owntracks on iPhone as client. This worked perfectly until recently when I changed my phone. Since then I can’t get the connection back. I created new certificates but no lock. This is the error in the mosquitto.log:
022-12-22T22:37:00: OpenSSL Error[0]: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
2022-12-22T22:37:00: Client disconnected: Protocol error.

Any help would be appreciated.

Hi Steve

I got everything working between MQTT broker (192.168.68.80) hosted as docker and MQTT.fx as a client. I use common name as raspberrypidev for both CA and Server which is my hostname. I can ping device with the hostname from another client. However when I try to use mosquitto_pub and mosquitto_sub on the broker itself I get “Unable to connect (Lookup error.).”

What could be wrong? Please advise.

Hello Steve,

I am generating the keys and certificates on an Ubuntu vm and using the mosquitto broker on an other windows computer in the same network.

For the CA and server-certificate I used the ip-adress of the windows computer as the domain name, and I dont know if I got that right.
When I try to verify the server certificate on ubuntu it fails.
When I try to publish a message on mosquitto with the ip-adress of the windows-computer I get the error: “A TLS error occured.”
When I try to publish a message on mosquitto with the host-name of the windows-computer I get the error: “unable to connect (Lookup Error).”
I’m using MQTT-Explorer in Ubuntu with no luck so far obviously.

Could you help me with that?
Thanks in advance 🙂

Hi Steve,

I would like to know if you could help me with the following problem because I have spent two days with this and I’m kind of stuck.

I have in a Rpi a mosquitto broker with a server TLS certificate signed by a self-signed CA located in the Rpi. I am trying to connect to this broker from a Parrot virtualbox machine using a python script with the following commands:

TLS_CERT_PATH = “/etc/mosquitto/ca.pem”
client_crt = “/etc/mosquitto/VM.pem”
client_key = “/etc/mosquitto/parrot.key”
client.tls_set(ca_certs=TLS_CERT_PATH, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)
client.tls_insecure_set(False)
And the following error appears in the broker:

sslv3 alert bad certificate

And in the virtual machine:

certificate verify failed: IP address mismatch

I don’t understand the error because if I run in the Virtual machine the following, where 192.168.1.254 is the IP of the Rpi:

mosquitto_pub -h 192.168.1.254 -p 2259 –tls-version tlsv1.2 –cafile /etc/mosquitto/ca.crt –cert /etc/mosquitto/VM.crt –key /etc/mosquitto/parrot.key -t Injecction_moulding/pressure -q 0 -m trying

It doesn’t give me any error, even though I am using the same certificate files.

I thought that maybe it was something related to an intermediate certificate signing my Virtual machine’s client certificate, but it is issued by the same CA that the broker uses. Moreover, I have also added in /etc/ssl/certs, the certificates that I am using just in case the CA was not recognising them as valid certificates.

Do you know what have I done wrong?

Hi Steve,

Do you know how to send a certificate request from a Parrot OS virtual machine (located in a PC) to the CA located in the Rpi?

Thanks!

Hi Steve,

where is the key passphrase configured in Mosquitto for the encrypted keys?

Regards
Lukas

Great tutorial but I noticed you are using the ca.crt on the client connection. Could I create individual client certificates and keys to make this more secure? I will be using MQTT with a lot of remote clients. Maybe the ca.crt is only used for the initial connection.

Hey Steve,

Thank you so much for the comprehensive tutorial. I followed the steps and have generated the CA cert and key, the server cert and key, and the client cert and key. However, I am also getting this –
“Error: Connection refused” upon publishing.
It is all on localhost. Using a MAC, so Mosquitto Broker runs on 127.0.0.1 and port 1883. My config looks like this –

cafile /Users/sdhare/MQTT/MosquittoServer/mqtt_ca.crt
certfile /Users/sdhare/MQTT/MosquittoServer/mqtt_server.crt
keyfile /Users/sdhare/MQTT/MosquittoServer/mqtt_server.key
require_certificate true
tls_version tlsv1.2

Works normally if I do “require_certificate false” in config. The certificates and keys are correct, I checked using SSL Verify: openssl verify -CAfile ca.crt server.crt

My Publish command looks like this –
mosquitto_pub -h 127.0.0.1 -t topic -m “Hello” –capath /Users/sdhare/MQTT/MosquittoClient/mqtt_ca.crt –cert /Users/sdhare/MQTT/MosquittoClient/mqtt_client.crt –key /Users/sdhare/MQTT/MosquittoClient/mqtt_client.key –tls-version tlsv1.2

What could be the possible reason?

Thanks a lot for you answer, it help me. Additional question, can I receive the tls-publishing message from the remote machine locally from the local mosquitto broker directly without using tls. Something like this:

hostA_192.168.1.10 $ mosquitto_pub -p 18883 -h 192.168.1.50 -t a/s/d/ -m “MSG=> Port:8883” -d –tls-version tlsv1.2 –insecure –cafile ca.crt –cert client.crt –key client.key

broker_192.168.1.50 $ mosquitto_sub -p 18883 -h 192.168.1.50 -t “#”

All examples I have found are when pub/sub is in the same situation, or both are locally or both are remote with a broker and both are using tls.
Really for subscribing I use paho.mqtt.c

or a local subscriber also should use tls (ca.crt, client1.crt, client1.key)?

Hi I’m back again with another question. Is it possible for a client to connect over SSL to the mosquitto broker without passing in the ca.crt? My understanding is that upon connecting to a website, the server sends a message containing the server’s SSL certificate and the client validates the certificate with its local trust store. Now, when I’m not my own CA and I generate the server’s SSL certificate with certbot, would I still need to pass the ca.crt when connecting to my mosquitto broker since looking at my linux machine at /etc/ssl/certs I can see ISRG_Root_X1.pem is in here. This is the CA for Let’s Encrypt.

Hi Steve,
If I give x.509 certs a shorter lifespan I will have to have a PKI in place to be able to update these certificates securely. How do you recommend going about this process? I would either be using an IoT device with or without an OS. So placing the new certs could be done with SCP or over MQTT. Are there any services that offer this that you can recommend? I saw amazon has mqtt topics on the device that listen for requests to update certificates. https://docs.aws.amazon.com/iot/latest/developerguide/fleet-provision-api.html. I am sure the topics are only accessible by admin users and are locked down sufficiently.

This aspect of PKI is definitely a critical part of any iot deployment. If we are using open source brokers and dont want to use amazons or azures iot brokers–what ways do you recommend (either a service or a diy solution) for implementing a PKI that can be effective at updating/managing client certificates. I’m assuming a seperate service/ database on the server would be needed that monitors the expiration dates, keeps track of the authenticated state of the devices, and performs certificate provisioning would be needed. Would creating intermediate CA certificates from the root and using this to sign the server & client certificates be better than signing by the head Root CA? The keys used to generate these would be stored offline. Then in the “ca_certificates” part of the mosquitto conf we would have a certificate with the whole chain of trust up to the root CA?

Thanks for any input. This is an interesting topic and is definitely important for the lifecylce of our devices.

Hello Steve,
I love this article, it got me started on the topic. But I faced a few issues while deploying on client’s premises. I have posted them on the stack overflow.
https://stackoverflow.com/questions/67074372/how-to-deploy-mqtt-with-ssl-on-internet-with-port-forwarding
I managed to solve the issues with following modification to step 5
openssl x509 -req -in server.csr -CA ca.crt -extfile v3.ext -CAkey ca.key -CAcreateserial -out server.crt -days 360
Where v3.ext contains
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:Enterprise, IP:111.6.77.122

It would be nice if you could add the section on SANs with more explanations.

if using tls over web sockets, how does the mqtt client retrieve the tls cert from the browser? I’m using a localhost webserver with mqttjs talking to a remote mosquitto broker over web socket with password authentication. Could I create certificate with letsencrypt, add it to the mosquitto.conf web sockets listener, and then how do I retrieve this certificate on the browser end? Thank you for any input, this has been spinning in my head for a while

Hi Steve,
I tried following the tutorial but now my mosquitto broker service won’t start up. .

After placing the files in cert folder and changing the .conf file, I start my broker and get the following response:

C:\Program Files\mosquitto>mosquitto -v -p 8883
1610352838: mosquitto version 1.6.12 starting
1610352838: Using default config.
1610352838: Opening ipv6 listen socket on port 8883.
1610352838: Opening ipv4 listen socket on port 8883.
1610352838: mosquitto version 1.6.12 running

After this when start the service it will start up but immediately stop itself.

Hi Steve,

Wish you a very happy new year at the beginning. At the same time thanks for your all inclusive page on mosquitto.

I tried all the steps mentioned in http://www.steves-internet-guide.com/mosquitto-tls/ for generating certificates and running mosquitto broker with configuration. and the broker run successfully
$ mosquitto -c /etc/mosquitto/mosquitto.conf -v with the following o/p
1609566743: mosquitto version 1.4.11 (build date 2021-01-01 09:33:00+0000) starting
1609566743: Config loaded from /etc/mosquitto/mosquitto.conf.
1609566743: Opening ipv4 listen socket on port 8883.
1609566743: Opening ipv6 listen socket on port 8883.

But when I tried
$ mosquitto_sub -h localhost -t test -p 8883 –cafile /home/dipadmin/steves/ca.crt,
I got stuck at
Error: A TLS error occurred.
$ mosquitto -c /etc/mosquitto/mosquitto.conf -v throws the following o/p

1609566775: New connection from 127.0.0.1 on port 8883.
1609566775: OpenSSL Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
1609566775: Socket error on client , disconnecting.

Also, mosquitto_pub -h localhost -t test -m “Thanks in advance” -p 8883 –cafile /home/dipadmin/steves/ca.crt
Error: A TLS error occurred.

Here are some other input that might help in debugging
OS- Ubuntu 18.04.5 LTS

Openssl version : OpenSSL 1.1.1 11 Sep 2018

openssl verify -CAfile ca.crt server.crt
server.crt: OK

*********************************************************************************************
$ sudo nano /etc/mosquitto/mosquitto.conf
*********************************************************************************************
port 8883

cafile /home/dipadmin/steves/ca.crt

certfile /home/dipadmin/steves/server.crt

keyfile /home/dipadmin/steves/server.key

tls_version tlsv1
**********************************************************************************************

***********************************************************************************************
$ openssl s_client -connect localhost:8883 -CAfile /home/dipadmin/steves/ca.crt
************************************************************************************************
CONNECTED(00000005)
depth=1 C = AU, ST = WBCA, L = KOCA, O = WTCA, OU = IOTCA, CN = diptest01, emailAddress = dmaitraX@XXXX.com
verify return:1
depth=0 C = IN, ST = WBSR, L = KOSR, O = WTSR, OU = IOTSR, CN = diptest01, emailAddress = dmaitraX@XXXX.com
verify return:1
—
Certificate chain
0 s:C = IN, ST = WBSR, L = KOSR, O = WTSR, OU = IOTSR, CN = diptest01, emailAddress = dmaitraX@XXXX.com
i:C = AU, ST = WBCA, L = KOCA, O = WTCA, OU = IOTCA, CN = diptest01, emailAddress = dmaitraX@XXXX.com
1 s:C = AU, ST = WBCA, L = KOCA, O = WTCA, OU = IOTCA, CN = diptest01, emailAddress = dmaitraX@XXXX.com
i:C = AU, ST = WBCA, L = KOCA, O = WTCA, OU = IOTCA, CN = diptest01, emailAddress = dmaitraX@XXXX.com
—
Server certificate
—–BEGIN CERTIFICATE—–
MIIDizCCAnMCFHOTfXc+rUqNBzVI0DVC0UJoLUxyMA0GCSqGSIb3DQEBCwUAMIGB
MQswCQYDVQQGEwJBVTENMAsGA1UECAwEV0JDQTENMAsGA1UEBwwES09DQTENMAsG
A1UECgwEV1RDQTEOMAwGA1UECwwFSU9UQ0ExEjAQBgNVBAMMCWRpcHRlc3QwMTEh
MB8GCSqGSIb3DQEJARYSZG1haXRyYTNAZ21haWwuY29tMB4XDTIxMDEwMjA0Mzgz
MFoXDTIxMTIyODA0MzgzMFowgYExCzAJBgNVBAYTAklOMQ0wCwYDVQQIDARXQlNS
MQ0wCwYDVQQHDARLT1NSMQ0wCwYDVQQKDARXVFNSMQ4wDAYDVQQLDAVJT1RTUjES
MBAGA1UEAwwJZGlwdGVzdDAxMSEwHwYJKoZIhvcNAQkBFhJkbWFpdHJhM0BnbWFp
bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDch/rUAQthGsyf
zvQY3IdekflLTzbhC1CGLzTwPGzro85bywDclnsGXJzSij96tBU3ayfbdlTUBFtJ
jFHkNRDws2ALPNobDFwNd6dj0T22ohQTMUMrZ3bgEeq26lyre3I9qX63Ub02wfHM
8UWHYk0QgxvGqNc0b4WfGCjWJpH9plJJZ43LlnQ70stdFLKVzKmAP7XgBIpptAbn
oCmWfjw6AbT7VetnlP3JcTphKH82Fv/2NRByYuw0pu0mZ2JntHrI4XbrIU0ZHCVn
IrNyRfdqFsBOSO6gtleWyBsCZg8GzQ/xvxHofkR8TMEBawQL5+466clD9DfATcRg
AmnytivRAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACY6DmtNOLTJlJ8lBqQGVav2
TJnzTdx0JMyKL6XdQEmdqhMj7ccIeECutJAx/ysYcoQGdHk0S4JGinAYmppNCdcH
M+7gfRVsF01gX8oyEzvYZ7AEiKCc7AR673TcIfcDQEPcOkdkM2B97gbb3Gh2Fz/n
kFMMheh2LHYQg7rlPbA0yTNpKtA67Yt1TviBwd3AmthV1SSV1pi4/yqIzcGFUOAz
L3DnwF9G8sNBpC3ebn29h2c+hVXetiwEJvPVpmwmRzlRzeWTzJw0ll850z9JTd8n
vh2fGRcMOF752COUqO/v3Qpmr34mU2S+2hQiPTfM2OWtIizoirg0Oi5If2cekjQ=
—–END CERTIFICATE—–
subject=C = IN, ST = WBSR, L = KOSR, O = WTSR, OU = IOTSR, CN = diptest01, emailAddress = dmaitraX@XXXX.com

issuer=C = AU, ST = WBCA, L = KOCA, O = WTCA, OU = IOTCA, CN = diptest01, emailAddress = dmaitraX@XXXX.com

—
No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
—
SSL handshake has read 2570 bytes and written 416 bytes
Verification: OK
—
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHAServer public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: CB1A39D1B43DF7DDC3D0FBBD093584C9BD626AE08A5F4A15EC861104197287BF
Session-ID-ctx:
Master-Key: 7123C09EC3690BA0938A27307A2FBDA9579335D375E3953BDB8890F3014FF7403F8A3517689498D647547EE5F6F4CF71
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 – 1b cc 81 96 a2 1f 2c b9-83 19 41 88 3f a6 0b f9 ……,…A.?…
0010 – 6e 1a f7 42 d3 65 ab 2e-aa 51 f5 3d f7 b2 6a d5 n..B.e…Q.=..j.
0020 – 25 83 ab 18 cd 16 66 02-d6 7f 03 f9 98 84 9d c9 %…..f………
0030 – 89 57 cd 65 2b e4 c3 94-0e 5e f1 5d f9 86 70 69 .W.e+….^.]..pi
0040 – cb 67 84 24 5f 1e 34 16-80 f1 9f 97 77 80 30 34 .g.$_.4…..w.04
0050 – 44 fe ac 3d 06 27 fd 96-a9 8b 98 ea d6 4e 7b 67 D..=.’…….N{g
0060 – 65 e5 35 88 f3 16 fd b7-d5 8d df 6d d0 27 e9 a9 e.5……..m.’..
0070 – d7 d9 04 ab f5 2e 43 3d-f0 8c e3 0f 2b 3c 9a 40 ……C=….+<.@
0080 – 29 98 4b 79 7d a5 ad 6b-9d 6a 2f 3f 65 ef 45 71 ).Ky}..k.j/?e.Eq
0090 – 78 e5 a7 f7 63 16 eb b7-34 d2 98 63 c3 c3 c0 9b x…c…4..c….
00a0 – 89 5a 69 c0 af 9a d6 51-ff 7c 2e 99 42 68 53 10 .Zi….Q.|..BhS.

Start Time: 1609565353
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
—
closed
***************************************************************************************************

Please suggest me the next step

It is possible to skip the self-signed certificate as shown in this thread.
https://pi3g.com/2019/05/19/python-paho-mqtt-client-self-signed-certificates-websockets-howto/

Hi Steve,

I have a ev ssl certificate signed by entrust and the .csr was generated from IIS, windows. I retrieved the private key from the certificate manager and used Root.crt as cafile and the signed certificate.crt as certfile. However, I am getting this error on the broker -> OpenSSL Error[0]: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown this error when I try to connect my client (with .pfx) to my broker.

Hi Steve,
Thank you for all these helpful information about this subject. I am trying to run the mosquitto broker and client on the local machine with SSL. I have followed your instructions to create the CA certificate, server certificate and the server key. I placed these files in the folder and changed the configuration file accordingly as below:

cafile C:\mosquitto\certs\ca.crt
certfile C:\mosquitto\certs\server.crt
keyfile C:\mosquitto\certs\server.key
port 8883
tls_version tlsv1

Then I restart the mosquitto broker. However, following test failed:
mosquitto_pub -h 9XLMZY2 -t test/topic –cafile C:\mosquitto\certs\ca.crt -m “Hello” -p 8883

The error message is “Error: No connection could be made because the target machine actively refused it.”.

But, when I try following test, it success.

mosquitto_pub -t test/topic -m “Hello”

Seems the configuration is not taking effect. The broker is still working at non-SSL mode. What I have done wrong?

Thanks a lot.
Sherry

Hello Steve,
I actually configured Mosquitto to work over TLS but PUB/SUB is only working for localhost only.Can you please help me out in PUB/SUB using another IP address.I work on Ubuntu virtual machine please help me out?

Hi
I am using paho client on Raspberry PI to connect to a mosquito broker.
My code to connect is as follows:

def mySens(sensorid,subscriberID):
clientID = sensorid
client = mqtt.Client(client_id=clientID)
client.on_connect = when_connect
client.on_message = on_message
client.username_pw_set(“xxxxxxx”,”yyyyyyyyy”);
client.tls_set(‘ca.crt’)
x = client.connect(host, port)
print(x, host,port)
flag = True
while(flag == True):
x = client.publish(topic=”MASTER/HELLO”, payload=”hello”)
x = client.publish(topic=”DEVICE/WELCOME”, payload=json_string)
client.loop_forever()

When x = client.connect(host, port) executes I get the following error

Exception in thread figure01
Traceback (most recent call last):
File “/usr/lib/python3.5/threading.py”, line 914, in _bootstrap_inner
self.run()
File “/usr/lib/python3.5/threading.py”, line 862, in run
self._target(*self._args, **self._kwargs)
File “sim.py”, line 35, in sensorsimulator
x = client.connect(host, port)
File “/home/pi/.local/lib/python3.5/site-packages/paho/mqtt/client.py”, line 937, in connect
return self.reconnect()
File “/home/pi/.local/lib/python3.5/site-packages/paho/mqtt/client.py”, line 1100, in reconnect
sock.do_handshake()
File “/usr/lib/python3.5/ssl.py”, line 996, in do_handshake
self._sslobj.do_handshake()
File “/usr/lib/python3.5/ssl.py”, line 641, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)

Tried googling not able to find out the root cause or a solution. _ Can you help me ?

hey steve, thank you for this tutorial
i want to ask how to subscribe the topic from other device using mosquitto mqtt tls? i try to add command “–cafile certs\ca.crt” to subscribe, but it doesn’t work
cause i want to subscribe from other device
I’ve install and configuring tls too from other device, but it doesn’t work to subscribe

Hi Steve.
I use vitural server AWS EC2 and mosquitto , when i create CA key , i put the common name ( random , ex mytest ) , in Server.crt I put common name is public DNS of server , but when i test with MQTTFx it not working with error:
1568099939: New connection from 113.161.92.36 on port 8883.
1568099939: Socket error on client , disconnecting.
And MqttFx show MQTTException.
How can i fix it?
Regards!

Hi Steve,
Thanks a lot for all your great articles on MQTT.
I followed your instructions, except the commen name in step 2 and step 4 is I use the ip address. Everything is fine, I check on MQTT.fx quite perfectly, but when I check on MQTT.box it is not very good.
On MQTT.box, I only set up the “HOST” as the server’s ip address and “SSL/TLS Certificate Type” the type is: CA signed server certificate. I haven’t been able to issue CA.crt yet, it can connect. Can you explain help me? Thank you very much.

I am trying to connect with TLS 1.2 to CloudMqtt Broker which I can do w/o a problem when no security protocol involved…(using M2Mqtt library)

You said that:
——-
In this case we only need a trusted server certificate on the Client.
We do not need to create client certificates and keys but this is covered in Creating and Using Client Certificates with MQTT and Mosquitto
——-
So how the MqttClient constructor should look like?
I tried this and it goes through… but later the Connect call throws communication exception:

X509Certificate caCert = X509Certificate.CreateFromCertFile(mCaServerCertFIle);
//X509Certificate clientCert = X509Certificate.CreateFromCertFile(clientCertFile);

mqttClient = new MqttClient(serverProfile.ServerAddress,
port,
true,
caCert,
null,//clientCert,
MqttSslProtocols.TLSv1_2,
RemoteCertValidationCallback
//LocalCertSelectionCallback
);
}

Hi Steve , just to clarify ,from a comment made by vicky on 11 April 2018 , it was mentioned that if the input field of step 2 and step 4 were identical , the ca.crt would not work ,hence only the server.crt is applicable. If the input fields of step 2 and 4 were of different values , it means that the ca.crt would work fine without error?Further more if i am using mosquitto library , can the ca.crt and server.crt certificates be used? Or is there a need to create a pem version?

Regards
Wayne

Please explain the significance of ca.crt and server.crt….I am not able to distinguish. Justify more please.

In log i get error: Error: Unable to load CA certificates. Check cafile “/root/jbre/SSL/ca.crt”
I i comment out server.key it loads mosquitto or if i comment out ca.crt, mosquitto works, so i guess those two files are not compatible….hm… i did generate keys with step 2 and 4 with slightly different value… but i also leave some fields empty, like mail, maybe thats problem?

Some stuff i found out following your tutorial:
– Common name MUST be you computer name. I couldn’t find out how to use wildcards to make it work on a PC in a domain (PC at work), but on a non network managed computer (my home computer) it finally worked.

– If you set ‘tls_version tlsv1’ in the mosquitto.conf file, you MUST use ‘–tls-version tlsv1’ on the pub/sub command line or it will default to TLS v1.2
> mosquitto_sub -h DESKTOP-09SCS82 -p 8883 –cafile ca.crt -t hello/world –tls-version tlsv1