IoT server: secure MQTT communication using TLS
In the previous blog post “IoT server: Mosquitto and Node Red on Raspberry Pi” we installed the Mosquitto MQTT broker and restricted access by requiring passwords for the clients. But for really secure MQTT traffic, we need to do a bit more.
Secure MQTT traffic using self signed TLS certificates
By default, all MQTT data travels across the network unencrypted. On untrusted networks this is a security risk, because sensitive data like passwords can be easily intercepted. In this post we secure the communication by encrypting it with self signed TLS certificates.
Download the certificate creation script
To make creation of the certificates a bit easier, we will use a script from OwnTracks. Log in to your Raspberry Pi and make sure the home directory is the current directory:
cd ~
Create a new directory that is not accessible to other users on the system:
mkdir certificates
chmod 700 certificates
cd certificates
Download the script from Github using wget (type/paste this command as one line):
sudo wget https://raw.githubusercontent.com/owntracks/tools/master/TLS/generate-CA.sh
Change the permissions of the script and make it executable:
sudo chmod 700 generate-CA.sh
Create the server certificate
Execute the script to create the server certificate files:
sudo ./generate-CA.sh
The script creates the CA (certificate authority) files, the server certificate files, and then uses the CA to sign the certificates. The server certificate files will be created using the hostname of your system. In my case this is “raspberrypi”, yours will probably be different.
Copy ca.crt, [hostname].crt and [hostname].key to the appropriate directories:
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp raspberrypi.crt /etc/mosquitto/certs/
sudo cp raspberrypi.key /etc/mosquitto/certs/
Make Mosquitto owner of the certificate files:
sudo chown -R mosquitto: /etc/mosquitto/certs/
sudo chown -R mosquitto: /etc/mosquitto/ca_certificates/
Modify the Mosquitto configuration
Open Mosquitto’s default configuration file:
sudo nano /etc/mosquitto/conf.d/default.conf
And add the following lines (cafile, keyfile, certfile and require_certificate apply to the listener defined directly above them, so port 8883 becomes the TLS listener while 1883 stays unencrypted):
listener 1883
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/raspberrypi.key
certfile /etc/mosquitto/certs/raspberrypi.crt
require_certificate true
Save the changes, then restart Mosquitto:
sudo systemctl restart mosquitto
You can check for problems by reviewing the Mosquitto log file:
tail /var/log/mosquitto/mosquitto.log
Create client certificates
Go back into your home directory:
cd ~
Create a new directory for your client certificates:
mkdir clients
chmod 700 clients
cd clients
Generate client certificates (change ‘myclientcertificate’ to something appropriate):
sudo ../certificates/generate-CA.sh myclientcertificate
The client certificate files are now ready to be copied or moved to your client device. You can test them with an app like MQTTBOX (Linux/Mac/PC/Chrome).
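Before restarting the broker it is worth checking that the three files named in default.conf actually belong together: the certificate must be signed by the CA the clients will trust, the key must match the certificate, and the certificate must carry the hostname the clients connect to. The script below is an added example, not part of the original post or of the OwnTracks tool; it assumes the openssl command line tool is installed and builds its own throwaway CA and server certificate (constructed here, mimicking the files generate-CA.sh produces) so it can run offline.

```shell
#!/bin/sh
# Added example: check that a Mosquitto TLS listener's cafile, certfile and keyfile
# are consistent before the broker is restarted. Assumes the openssl CLI is available.
# Usage: verify_mqtt_certs ca.crt server.crt server.key hostname   (exit 0 = consistent)
verify_mqtt_certs() {
  ca="$1"; crt="$2"; key="$3"; host="$4"
  # 1. certfile must chain to cafile, the CA that clients will be given to trust.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt is not signed by $ca"; return 1; }
  # 2. keyfile must be the private half of certfile: compare the derived public keys.
  [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] \
    || { echo "FAIL: $key does not belong to $crt"; return 1; }
  # 3. The name clients connect with must be in the certificate, or their TLS check fails.
  openssl x509 -noout -in "$crt" -checkhost "$host" | grep -q "does match" \
    || { echo "FAIL: $crt is not valid for hostname $host"; return 1; }
  echo "OK: $crt, $key and $ca are consistent for hostname $host"
}

# Throwaway CA and server certificate, constructed only so the check can be demonstrated
# offline. Produces the same file names as generate-CA.sh: ca.crt, <host>.crt, <host>.key.
make_demo_certs() {
  dir="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo MQTT CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # Modern clients match the hostname against the SAN, not the CN, so add one.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days 365 -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/san.ext" -out "$dir/$host.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo" raspberrypi
verify_mqtt_certs "$demo/ca.crt" "$demo/raspberrypi.crt" "$demo/raspberrypi.key" raspberrypi

# A command line client (mosquitto_sub from the mosquitto-clients package) is then tested
# with the CA file plus its own certificate, which require_certificate true makes mandatory
# (file names assumed to be the ones the script produced for "myclientcertificate"):
#   mosquitto_sub -h raspberrypi -p 8883 --cafile ca.crt \
#     --cert myclientcertificate.crt --key myclientcertificate.key -t test/topic
```

Run it with the real paths from default.conf (for example /etc/mosquitto/ca_certificates/ca.crt and the two files in /etc/mosquitto/certs/) and the hostname your clients use; a FAIL line tells you which of the three relationships is broken.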