1. Mosquitto Openssl Version
  2. Cached

This tutorial’s intention is to make life easier for those, who would like to enable TLS on their mosquitto.
I struggled a lot and gave up many times until I finally merged information from various sites to the one which works for me.
(That’s no guarantee that it works for your specific setup though

./mosquitto -c./././mosquitto.conf: mosquitto version 1.3.4 (build date 2014-09-15 16:) starting: Config loaded from. To create these certificates and keys we use the opensslsoftware. For windows you will find the install download files here. On Linux you can install openssl using: sudo apt-get install openssl Although the commands to create the various certificates and keys are given in this Mosquitto manual page. Here is a quick snapshot: There is a problem with the page because openssl no longer comes with a CA certificate,.

In general it’s required to generate some certificate files on the host running mosquitto (actually all the activities below have been done on my raspberry 2 running openHABian and OH2.

It might be trivial for most of the people here, but I am sure that there must be some out there who had similar problems than I had.

Mosquitto Openssl Version

So you need:

  1. Mosquitto running (it ran for quite a while on port 1883 without TLS).
  2. Generate server certificates (e.g. ca.crt see below)
  3. Copy the files to the mosquitto subdir (see below as well)
  4. Activate TLS on mosquitto
  5. Encrypt and transfer the files …otrp and ca.crt to the phone
  6. Activate TLS in owntracks (activate iPhone.otrp with passphrase)

Actually most of the documentation is a patchwork from multiple sites, like
(By the way, thanks to the creators of the sources mentioned above!)

So let‘s start with rockingdlabs first (I did not put all steps here so please check the site as well).:

Before step 2 (Setup a CA and generate the server certificates):
HOSTLIST='localhost yourhostname '
(I am not really sure if this is required, but keeping the problems in mind I had, it’s pretty likely: Those were that I haven’t been able to connect from outside my LAN.
Maybe some expert can confirm or refute this)

Use for certificate generation after change above
You will get:
ca.crt, ca.key,, myhost.crt, myhost.csr, myhost.key
(ca.crt will be needed on your phone later and the .key needs to be kept in a secret place).

Copy the files:
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp myhost.crt myhost.key /etc/mosquitto/certs/


Adjust mosquito conf accordingly:
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/myhost.crt
keyfile /etc/mosquitto/certs/myhost.key

Connection without TLS is already ok:
sudo mosquitto_sub -d -h -p 1883 -t ‘owntracks/#’ -d
(please make sure to open 1883 on your router)

Generate client certificates (see also Step 4 on the website mentioned above):
sudo openssl genrsa -out iPhone.key 2048
sudo openssl req -new -out iPhone.csr -key iPhone.key -subj '/CN=iPhone/'
sudo openssl x509 -req -in iPhone.csr -CA ca.crt -CAkey ca.key -CAserial ./ -out iPhone.crt -days 3650 -addtrust clientAuth

This will create the following files:
iPhone.crt, iPhone.csr, iPhone.key

Connection is ok (localhost):
sudo mosquitto_sub -d -h localhost -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/ca.crt --cert iPhone.crt --key iPhone.key -t ‘owntracks/#’ –d

as well as from outside:
sudo mosquitto_sub -d -h -p 8883 --tls-version tlsv1 --cafile /etc/mosquitto/ca_certificates/cart --cert iPhone.crt --key iPhone.key -t ‘owntracks/#’ –d

To transport the phone related certificate files safely:
openssl pkcs12
-in iPhone.crt
-inkey iPhone.key
-name “NCO’s certificate/key”
-out iPhone.otrp

This will ask for a passphrase you need to put into your phone later (TLS Settings -> Client certificate -> passphrase)

Transfer the ca.crt and iPhone.otrp to your phone.
The otrp file can be imported into owntracks directly.
The ca.crt needs to be installed as a certificate on the phone as well.


That should be it to be able to connect with TLS to your mosquitto broker.
Hope it helps.

For those who would like to check out Let’s encrypt as alternative certificates please check out a short hint from @rlkoshak:


Its really simple actually. Follow the instructions in the Nginx reverse proxy tutorial to acquire the certs. Then use the paths to the files in /etc/letsencrypt/live/<your domain> for the server certs and key. The 'fullchain.pem' contains the CA.cert I believe, but since LetsEncrypt is already a trusted CA, you shouldn't have to import the CA.crt on the client. Note that this is only for setting up TLS with any client. The generation of the client certs I believe are still required. And I'…

Version 2.0.2 and 2.0.1 of Mosquitto has been released. These are bugfix releases.

Version 2.0.2 fixes a build regression introduced in 2.0.1 when websocketssupport was enabled on non-Linux systems.

The 2.0.1 changes are below.


  • Fix websockets connections on Windows blocking subsequent connections. Closes #1934.
  • Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476.
  • Fix websockets listeners not causing the main loop not to wake up. Closes #1936.

Client library


  • Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476.


  • Fix mosquitto_passwd -U


  • Fix cjson include paths.
  • Fix build using WITH_TLS=no when the openssl headers aren't available.
  • Distribute cmake/ and snap/ directories in tar.
Coments are closed

Most Viewed Posts

  • Tableau Public Training
  • Merge Contents Of Cells In Excel
  • Google Drive File Stream Pc
  • Ipados 14.3

Scroll to top