MQTT Security: Securing Mosquitto Server

This post describes how to implement MQTT security. In more details, we will describe how to securing Mosquitto MQTT server. As you may already know MQTT is one of the most important protocols widely used in Internet of things and in Industrial Internet of things. MQTT is a lightweight messaging oriented protocol where MQTT client exchanges messages through an MQTT server called MQTT broker. We have covered all the aspects about MQTT in a previous post named “MQTT protocol tutorial“.

In this post, we want to face the MQTT security aspects with a special regard to the aspects related to MQTT Mosquitto security.

Generally speaking, the Internet of things is the upcoming technological revolutions where objects, called smart objects, are connected to the internet exchanging data and information. One of the main concerns about Internet of things is the security aspect. Considering that IoT will impact our everyday lives and these smart objects are able to acquire and collect different kinds of information the security is an important aspect. Some of this information is sensitive (we can think about health data) and it is important to be sure that no one else can use it except the allowed persons and systems.

In this context, it is important to know how to securing MQTT protocol and how to protect the information. In the next paragraphs, we will analyze the steps we have to follow to secure MQTT using Raspberry Pi as MQTT broker.

What does MQTT security mean?

By its nature, MQTT is a plain protocol that is all the information exchanged are in plain-text format. In other words, everyone could access to this message and read the payload. This could not be a problem if MQTT client and MQTT broker exchange not sensible information. Anyway, they are several use cases where we want to keep the information private and guarantee that it can not be read or modified during the transmitting process. In this case, there are several approaches we can use to face the MQTT security problem:

  1. Create a VPN between the clients and the server
  2. Use MQTT over SSL/TSL that encrypts and secure the information between the MQTT clients and MQTT broker

We will focus our attention on how to create an MQTT over SSL. To make MQTT a secure protocol we have to follow these steps:

  • Create a private key (CA Key)
  • Generate a certificate using the private key (CA cert)
  • Create a certificate for Mosquitto MQTT server with the key

The final step is configuring Mosquitto MQTT so that it uses these certificates.

You can learn more about MQTT and how to use it in IoT project reading how to use MQQT to control remote devices

Securing Mosquitto MQTT server

The first step in this process is creating a private key. Connect to the Raspberry Pi using ssh or a remote desktop as you prefer and open a command terminal. Before starting is important you check OpenSSL is installed in your Raspberry Pi, otherwise, you have to download from here.

Before creating the private key, you should create a directory where you store all the certificates you will create. In the terminal write:

openssl genrsa -out mosq-ca.key 2048

Using this command, we are creating a 2048 bit called mosq-ca.key. The result is shown in the picture below:


mosquitto ssl ca key


The nex step is creating a X509 certificate that uses the private key generated in the previous step. Open the terminal again and in the same directory you used to store the private key write:

openssl req -new -x509 -days365 -key mosq-ca.key -out mosq-ca.crt

In this step, you have to provide different information before creating the certificate as shown in the picture below:


mosquitto ssl security

Creating the MQTT server certificate

Once the private key and the certificate are ready, we can move on and create the MQTT server certificate and private key:

openssl genrsa -out mosq-serv.key 2048

Then the server certificate. During this step, we have to create a CSR (Certificate Signing Request). This certificate should be sent to the Certification authority that after verifying the author identity returns a certificate. In this tutorial, we will use a self-sign certificate:

openssl req -new -key mosq-serv.key -out mosq-serv.csr

As you can notice we have used the private key generated in the step before. Finally, we can create the certificate to use in our MQTT Mosquitto Server:

openssl x509 -req -in mosq-serv.csr -CA mosq-ca.crt -CAkey mosq-ca.key -CAcreateserial -out mosq-serv.crt -days 365 -sha256

All done! We have completed the steps necessary to secure our MQTT server. You can verify your certificate writing:

openssl x509 -in mosq-serv.crt -noout -text

Now you should see the certificate.

How to make MQTT secure using SSL/TSL Click To Tweet


How to configure MQTT Mosquitto Server to secure MQTT

Once the certificates are ready, we have to configure MQTT Mosquitto server so that it can use these certificates. The certificates we have to use are:

  • mosq-ca.crt
  • mosq-serv.crt
  • mosq-serv.key

Locate the mosquitto.conf file that holds all the configuration parameters and add the following lines:

listener 8883
cafile /home/pi/ssl-cert-mosq/mosq-ca.crt
certfile /home/pi/ssl-cert-mosq/mosq-serv.crt
keyfile /home/pi/ssl-cert-mosq/mosq-serv.key

where the path /home/pi/ssl-cert-mosq is the path where you stored your certificate. Moreover, we change the default Mosquitto MQTT port to 8883.

Now you have to stop and restart Mosquitto MQTT so that it can read the new configuration file:

sudo service mosquitto stop/start

That’s all. Now our MQTT protocol is secure and encrypted. The last step is testing the configuration and the MQTT server.

MQTT Security testing Mosquitto over SSL/TSL

In this step, we will verify if the connection is correctly configured. To this purpose, we use MQTT.fx a java based MQTT client. After you installed it, we have to create a new profile providing all the information as shown in the picture below:

mosquitto ssl client

Notice that we have enabled the SSL/TSL configuration providing the mosq-ca.crt creating during the previous steps.

Finally, we can connect to the MQTT Mosquitto server:

mqtt ssl profile

clicking on connect. You will notice that the MQTT client will establish the connection to the MQTT broker as you can check in the log tab.

Now it is time to test if our client gets the message. Select the subscribe menu and subscribe the MQTT client to a topic (choosing a topic name).

On the Raspberry Pi side lets us send a message on the same channel:

mosquitto_pub -p 8883 -t "test" -cafile mosq-ca.crt -m "Hello MQTT" -d -h

The result is shown in the picture below:

mqtt publish over ssl

On the subscriber side we have:

mqtt encrypted message

As you can notice, we received the message sent by the publisher.


At the end of this post, you gained the knowledge about how to handle MQTT security configure Mosquitto MQTT over SSL/TSL.

More posts...

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.