ksuaning-au/mqtt_cert_auth

Examples and instructions for MQTT mutual certificate authentication.

MQTT Mutual Authentication Examples

Information on how to generate keys, configure Mosquitto and configure clients for mutual (client and server) certificate authentication.

Includes a Python and an Arduino (ESP32) example of MQTT clients with mutual certificate authentication enabled.

Generating Certificates

We are going to self-sign our certificates (we act as our own certificate authority).

  1. Install openssl:
     sudo apt-get update
     sudo apt-get install openssl
  2. Generate the CA key and certificate. You will be prompted to set a passphrase for ca.key (the key is encrypted with -des3) and to fill in the CA subject:
     openssl genrsa -des3 -out ca.key 2048
     openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
  3. Generate the server key and certificate signing request. Ensure the common name is the broker hostname, i.e. the name clients will connect to:
     openssl genrsa -out server.key 2048
     openssl req -new -out server.csr -key server.key
  4. Sign the server certificate as the CA:
     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
  5. Generate the client key and certificate signing request. Ensure the common name is something unique to the client; with use_identity_as_username enabled, the broker uses it as the client's username:
     openssl genrsa -out client.key 2048
     openssl req -new -out client.csr -key client.key
  6. Sign the client certificate as the CA:
     openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360
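The six steps above as one non-interactive script, plus a verification pass that a practitioner would normally run before copying anything to the broker. This is an added example and not code from the ksuaning-au/mqtt_cert_auth repository; BROKER_HOST, CLIENT_ID and the CA passphrase are placeholder values, and the subjectAltName added to the server certificate is an addition to the instructions (modern TLS clients match the hostname against the SAN, not only the CN).

```shell
#!/bin/sh
# Added example, not part of the ksuaning-au/mqtt_cert_auth repository: the
# openssl steps from the instructions run non-interactively, then verified.
# BROKER_HOST, CLIENT_ID and CA_PASS below are placeholder values.
set -eu

BROKER_HOST="${BROKER_HOST:-broker.example.com}"   # must be the hostname clients connect to
CLIENT_ID="${CLIENT_ID:-sensor-01}"                # becomes the MQTT username via use_identity_as_username
CA_PASS="${CA_PASS:-change-me-ca-passphrase}"      # placeholder; set a real passphrase in the environment

# Creates ca.*, server.* and client.* inside $1 (steps 2 to 6 of the instructions).
gen_certs() {
    d="$1"
    mkdir -p "$d"

    # CA: passphrase-protected key and a self-signed certificate (1826 days, about 5 years).
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$d/ca.key" 2048
    openssl req -new -x509 -days 1826 -key "$d/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=mqtt-example-ca" -out "$d/ca.crt"

    # Server: CN is the broker hostname. The same name is also written as a
    # subjectAltName at signing time, because TLS clients check the hostname
    # against the SAN and many no longer fall back to the CN.
    openssl genrsa -out "$d/server.key" 2048
    openssl req -new -key "$d/server.key" -subj "/CN=$BROKER_HOST" -out "$d/server.csr"
    printf 'subjectAltName=DNS:%s\n' "$BROKER_HOST" > "$d/server.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile "$d/server.ext" \
        -days 360 -out "$d/server.crt"

    # Client: CN is the client identity; Mosquitto will use it as the username.
    openssl genrsa -out "$d/client.key" 2048
    openssl req -new -key "$d/client.key" -subj "/CN=$CLIENT_ID" -out "$d/client.csr"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 360 -out "$d/client.crt"

    # Private keys must never be world-readable.
    chmod 600 "$d/ca.key" "$d/server.key" "$d/client.key"
}

# Returns 0 only when both leaf certificates chain to ca.crt, the client CN is the
# expected identity and the server certificate carries the broker hostname as a SAN.
verify_certs() {
    d="$1"
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null || return 1
    openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null || return 1
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$d/client.crt" | sed 's/^subject= *//')
    [ "$cn" = "CN=$CLIENT_ID" ] || return 1
    openssl x509 -noout -text -in "$d/server.crt" | grep -q "DNS:$BROKER_HOST" || return 1
}

# Usage: BROKER_HOST=mqtt.example.org CLIENT_ID=sensor-01 sh gen_certs.sh ./certs
if [ -n "${1:-}" ]; then
    gen_certs "$1"
    verify_certs "$1" && echo "certificates generated and verified in $1"
fi
```

The verification step matters because Mosquitto trusts whatever ca.crt says: a client certificate signed by some other CA is rejected at the TLS handshake, and the CN checked here is exactly the string the broker will later treat as the username.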

Configuring Mosquitto

Ensure Mosquitto is already installed on your server, that the server is reachable from the internet and that it has a domain name (the one used as the common name of the server certificate).

  1. Place server.crt, server.key and ca.crt inside /etc/mosquitto/certs.
  2. Create a custom Mosquitto configuration file:
     sudo nano /etc/mosquitto/conf.d/custom.conf
  3. Set the following configuration:
     allow_anonymous false
     listener 8883
     log_type error
     log_type notice
     log_type information
     log_type debug
     use_identity_as_username true
     cafile /etc/mosquitto/certs/ca.crt
     keyfile /etc/mosquitto/certs/server.key
     certfile /etc/mosquitto/certs/server.crt
     tls_version tlsv1.2
     require_certificate true
     With require_certificate true the broker rejects any client that does not present a certificate signed by cafile, and use_identity_as_username true takes the client's username from the common name of that certificate, so no separate password file is needed.
  4. Restart the Mosquitto service:
     sudo service mosquitto restart

See mosquittoConfig for example configuration files.
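Before restarting the broker it is worth checking that the three files in the certs directory actually fit together, since a certfile/keyfile mismatch or a server certificate that does not chain to cafile only shows up as a failed listener or failed handshakes later. The following check script is an added example, not part of the repository; the directory is a parameter and /etc/mosquitto/certs is only the default because the instructions above use that path.

```shell
#!/bin/sh
# Added example, not from the ksuaning-au/mqtt_cert_auth repository: sanity checks
# on ca.crt, server.crt and server.key before (re)starting Mosquitto.
set -eu

# Returns 0 when the three files form a consistent, usable set; prints the first
# problem found and returns 1 otherwise.
check_mosquitto_certs() {
    dir="${1:-/etc/mosquitto/certs}"
    ca="$dir/ca.crt"; crt="$dir/server.crt"; key="$dir/server.key"

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done

    # certfile and keyfile must be a matching pair (compare the public keys),
    # otherwise the 8883 listener will not come up.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$key" | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo "server.crt does not match server.key"; return 1; }

    # The server certificate must chain to the CA that clients are told to trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "server.crt is not signed by ca.crt"; return 1; }

    # -checkend fails when the certificate expires within N seconds (30 days here),
    # which is the moment to re-run the signing step rather than after an outage.
    openssl x509 -noout -checkend 2592000 -in "$crt" >/dev/null \
        || { echo "server.crt expires within 30 days"; return 1; }

    # The private key must not be readable by other users on the host.
    perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$perms" in
        *[1-7]) echo "server.key (mode $perms) is readable by other users"; return 1 ;;
    esac

    echo "ok: $dir"
}

# Usage: sh check_certs.sh /etc/mosquitto/certs
if [ -n "${1:-}" ]; then
    check_mosquitto_certs "$1"
fi
```

The same checks can be pointed at a client's ca.crt/client.crt/client.key set by renaming the files, since a client certificate that does not chain to cafile fails the handshake in exactly the same way.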

Python Client Example

  1. Install the requirements (create a virtual environment first):
     pip3 install -r requirements.txt
  2. Modify the values in the script to match your configuration.
  3. Run the script:
     python3 mqtt_client.py

ESP32 Client

  1. Set up VS Code.
  2. Install the PlatformIO plugin for VS Code.
  3. Modify the values to match your configuration.
  4. Build the project with PlatformIO.
  5. Upload and Monitor on your ESP32.
