Below, a CA certificate and a server certificate and key are created for TLS, and then the Mosquitto configuration is edited. Afterwards your broker will listen on localhost:8883 instead of localhost:1883.
mkdir /etc/mosquitto/certs
cd /etc/mosquitto/certs
Create the CA key (password-protected, 4096-bit RSA) and a self-signed CA certificate:
openssl genrsa -des3 -out m2mqtt_ca.key 4096
openssl req -new -x509 -days 9000 -key m2mqtt_ca.key -out m2mqtt_ca.crt
Create the server key (no password, 4096-bit RSA) and a certificate signing request for CN=localhost:
openssl genrsa -out m2mqtt_srv.key 4096
openssl req -new -out m2mqtt_srv.csr -key m2mqtt_srv.key -subj '/CN=localhost'
Create a file named domain.ext with the following content. This is important: the subjectAltName entries are what clients use to validate the domain (and IP address) against the certificate.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
Sign the server certificate with the CA, applying the extensions from domain.ext:
openssl x509 -req -CA m2mqtt_ca.crt -CAkey m2mqtt_ca.key -in m2mqtt_srv.csr -out m2mqtt_srv.crt -days 9000 -CAcreateserial -extfile domain.ext
In the Mosquitto configuration, uncomment the line with the listener setting and append the following at the end of the line:
8883
Uncomment the line with the cafile setting and append the following at the end of the line:
/etc/mosquitto/certs/m2mqtt_ca.crt
Uncomment the line with the certfile setting and append the following at the end of the line:
/etc/mosquitto/certs/m2mqtt_srv.crt
Uncomment the line with the keyfile setting and append the following at the end of the line:
/etc/mosquitto/certs/m2mqtt_srv.key
After these edits, the configuration should contain exactly these lines:
listener 8883
cafile /etc/mosquitto/certs/m2mqtt_ca.crt
certfile /etc/mosquitto/certs/m2mqtt_srv.crt
keyfile /etc/mosquitto/certs/m2mqtt_srv.key
Don't forget to give your MQTT client the CA file m2mqtt_ca.crt, so it can verify the broker's certificate!
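The certificate steps above, as an added example that is not part of the original page: a non-interactive script that generates the CA and server certificate into a directory of your choice and then runs the two checks a client will effectively perform, chain verification against m2mqtt_ca.crt and a subjectAltName check for localhost. It assumes the OpenSSL CLI is installed, uses AES-256 instead of -des3 for the CA key encryption, and the CA passphrase is a constructed demo value.

```shell
# Added example, not from the original page. Requires the openssl CLI.
# Usage: make_and_verify_certs [DIR] [BITS]  (defaults: temp dir, 4096)
# Body runs in a subshell so the cd does not leak into the caller.
make_and_verify_certs() (
    dir=${1:-$(mktemp -d)}
    bits=${2:-4096}
    ca_pass="pass:demo-ca-passphrase"   # constructed demo value, replace it

    mkdir -p "$dir" && cd "$dir" || exit 1

    # CA: password-protected key (AES-256 here; the page uses -des3) and a
    # self-signed CA certificate. -passout/-passin avoid the interactive prompt.
    openssl genrsa -aes256 -passout "$ca_pass" -out m2mqtt_ca.key "$bits" 2>/dev/null
    openssl req -new -x509 -days 9000 -key m2mqtt_ca.key -passin "$ca_pass" \
        -subj '/CN=m2mqtt demo CA' -out m2mqtt_ca.crt

    # Server: unencrypted key (the broker must load it without a prompt) and CSR.
    openssl genrsa -out m2mqtt_srv.key "$bits" 2>/dev/null
    openssl req -new -key m2mqtt_srv.key -subj '/CN=localhost' -out m2mqtt_srv.csr

    # Extension file: the SAN is what clients match the hostname/IP against.
    cat > domain.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF
    openssl x509 -req -CA m2mqtt_ca.crt -CAkey m2mqtt_ca.key -passin "$ca_pass" \
        -in m2mqtt_srv.csr -out m2mqtt_srv.crt -days 9000 -CAcreateserial \
        -extfile domain.ext 2>/dev/null

    # Check 1: the server certificate chains to the CA the client will be given.
    openssl verify -CAfile m2mqtt_ca.crt m2mqtt_srv.crt >/dev/null \
        || { echo "chain-failed"; exit 1; }
    # Check 2: the SAN really carries localhost (a bare CN is not enough).
    openssl x509 -in m2mqtt_srv.crt -noout -text | grep -q 'DNS:localhost' \
        || { echo "san-missing"; exit 1; }
    echo "verified"
)
```

Once the broker is running with the generated files, `openssl s_client -connect localhost:8883 -CAfile m2mqtt_ca.crt` performs the same verification end to end.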