NederlandsKlik deze knop voor de Nederlandstalige website

IoT server: secure MQTT communication using TLS

In the previous blog post “IoT server: Mosquitto and Node Red on Raspberry Pi” we installed the Mosquitto MQTT broker and restricted access by requiring passwords for the clients. But for really secure MQTT traffic, we need to do a bit more.

Secure MQTT traffic using self signed TLS certificates

By default, all data travels across the network unencrypted. On untrusted networks this is a security risk, because sensitive data like passwords can be easily intercepted. In this post we implement secure communications by encrypting it using self signed TLS certificates.

Download the certificate creation script

To make creation of the certificates a bit easier, we will use a script from OwnTracks. Log in to your Raspberry Pi and make sure the home directory is the current directoy:
cd ~
Create a new directory that is not accessible to other users on the system:
mkdir certificates
chmod 700 certificates
cd certificates

Download the script from Github using wget (type/paste this command as one line):
sudo wget https://raw.githubusercontent.com/owntracks/tools/master/TLS/generate-CA.sh

Change the permissions of the script and make it executable:
sudo chmod 700 generate-CA.sh

Create the server certificate

Execute the script to create the server certificate files:
sudo ./generate-CA.sh
The script creates the CA (certificate authority) files, the server certificate files, and then uses the CA to sign the certificates. The server certificate files will be created using the hostname of your system. In my case this is “raspberrypi”, yours will probably be different.

Copy ca.crt, [hostname].crt and [hostname].key to the appropriate directories:

sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp raspberrypi.crt /etc/mosquitto/certs/
sudo cp raspberrypi.key /etc/mosquitto/certs/

Make Mosquitto owner of the certificate files:
sudo chown -R mosquitto: /etc/mosquitto/certs/
sudo chown -R mosquitto: /etc/mosquitto/ca_certificates/

Modify the Mosquitto configuration

Open Mosquitto’s default configuration file:
sudo nano /etc/mosquitto/conf.d/default.conf
And add the following lines:
listener 1883

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/raspberrypi.key
certfile /etc/mosquitto/certs/raspberrypi.crt
require_certificate true

Save the changes, then restart Mosquitto:
sudo systemctl restart mosquitto
You can check for probems by reviewing the Mosquitto log file:
tail /var/log/mosquitto/mosquitto.log

Create client certificates

Go back into your home directory
cd ~
Create a new directory for your client certificates:
mkdir clients
chmod 700 clients
cd clients

Generate client certificates (change ‘myclientcertificate’ to something appropriate):
sudo ../certificates/generate-CA.sh myclientcertificate
The client certificate files are now ready to be copied or moved to your client device. You can test them with an app like MQTTBOX (Linux/Mac/PC/Chrome):

IoT server: secure MQTT communication using TLS, testing with MQTTBox
IoT server: secure MQTT communication using TLS, testing with MQTTBox

This post is also available in Dutch.

Add a Comment

Your email address will not be published. Required fields are marked *