Step-by-step Mosquitto MQTT broker installation & SSL configuration
Once we know what is MQTT and how it works, as explained in this post, it’s time to get down to work and install and set up all the software needed to let it work.
Mosquitto MQTT broker installation
1. Installation within Windows OS
This guide will show the steps of how to install the Mosquitto MQTT broker (server) on a Windows operating system.
1.1 Installation packages
You can download the following packages by clicking on each one:
1.2 Installation guide
- Run the downloaded package mosquito-1.6.3-install-windows-x64.exe
- Select the checkbox in order to install the program as a service.
- Choose the default location in c:\Program files\mosquitto
- Copy the following additional files of Mosquitto_1.5.8_Windows_Files inside the installation folder c:\Program files\mosquitto:
• libcrypto-1_1_x64.dll
• libssl-1_1_x64.dll - Start Mosquitto in Windows: To manually start the broker, please open a CMD window in Mosquitto’s default installation folder and type:
mosquitto
To check the installed version and the socket we are using, type the command:
mosquitto -v
2. Install Mosquitto as a server
2.1 Installation guide
- Run the command prompt (CMD) as administrator.
- Run the power shell as administrator.
- Change the installation directory where mosquitto is located (in this case the folder is mos158) and type the following command in the Power Shell:
./mosquitto install
2.2 Manual start
Mosquitto was added but you don’t receive any confirmation and the service has not started but it will run after rebooting.
- Just in case, you can manually start it by typing the following commands in the command prompt (CMD):
sc query mosquitto
sc start mosquito
sc query mosquitto
- Type the following command in the command prompt:
netstat -a
You should see the Mosquitto broker running on port 1883 as shown in the screenshot above.
Another quick test is to try to start it twice in two different command messages.
3 Creating client certifications with MQTT and Mosquitto
3.1 Terminology
• CA: Certificate Authority
• Private Key: Encryption key not shared and needs to be stored safely
• Public Key: Shared Encryption key, does not need to be stored safely.
• Certificate Request: Certificate request for a certificate authority. Like an application of a passport.
3.2 Setting up Mosquitto broker with SSL
The main parameters are:
• quire_certificates: Informs the client if they need to provide a certificate when it is set to true. The default is false.
• use_identity_as_username: When it is predefined to true, it informs the mosquitto not to use the password file but instead taking the username of the certificate.
• crlfile: Create a revocation certificate to revoke a client certificate
3.2.1 Creation of own customer certificates
The client and the server must use the same CA (Certificate Authority) for the client and server certificates and the broker needs to use SSL, the goal of all this is to use an encrypted connection.
Client certificates are created using the same process that you used to create a server certificate:
- Create a client key that is not protected with a password.
- Create a client certificate request using the key.
- Use the CA Key to sign the client’s client certificate from step 2.
3.2.2 «Client private key» creation guide
- Create a key for the CA
Open the CMD and type the command:
openssl genrsa -des3 -out ca.key 2048 - Create a certification for the CA using the CA Key that we created in Step 1
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
As you can see at the end of the screenshot in “common name section”, it shows ws4, it means that the Mosquitto broker is running. - Server key creation
openssl genrsa -out server.key 2048
- Create a certificate request
openssl req -new -out server.csr -key server.key
- Use CA Key to verify the server certificate. This creates the server.crt file
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
Our folder should look like this:
- Copy the ca.crt, server.crt and server.key files to a downstream folder to the mosquitto folder.
Use the ca_certificates folder for the CA certificate and the certs for the server certificate and key. - Copy the CA certificate file “ca.crt” to the client.
- Edit the mosquitto.conf file like this:
- The folder should look like this:
- Private Client Key Creation
Type the following command in the CMD:
openssl genrsa -out client.key 2048
- Create a certificate request and use the client’s private key
Type the following command in the CMD:
openssl req -new -out client.csr -key client.key
The most important thing is the common name. This name is used by the broker to identify the client instead of the username.
- Complete the certificate request by typing the following command in the CMD:
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360
- The client needs the following things in order to use the client’s certificates:
• crt – The Certificate authority certificate
• crt – The client certificate file
• key – The client private key
- To make publications we use the Mosquitto_pub tool using the following command:
mosquitto_pub –cafile C:\ssl\ca.crt –cert C:\ssl\client.crt –key C:\ssl\client.key -d -h 192.168.1.157 -p 8883 -t test -m «hello there»
3.3 Setting up Mosquitto broker without SSL
- Create a file type.txt and enter username and password:
- Converting the password file to encrypt the password by typing the following command in the CMD:
mosquitto_passwd -U passwordfile
- Creating password file by typing the following command in the CMD:
mosquitto_passwd -c passwordfile user
Next, you need to enter a username using the keyboard. - Typing in the CMD:
mosquitto_passwd -b passwordfile user password
LEAD Technologies Inc. V1.01 - Editing the file mosquitto token:
mosquitto –c c:\mos\password.conf
mosquitto –c c:\mos\password.conf –v
View of the file password.conf:
- Reloading the configuration file without rebooting the broker:
- Checking the configuration by typing the following command in the CMD:
Mosquitto_pub –h 192.168.1.206 –u username –P password –t/sensor1 –m test