MQTT Broker secure setup
Copyright (c) 2019 Warren Taylor.
Here are the basics of how to install, configure, and secure the “Mosquitto” MQTT Broker on an already properly configured and running installation of OpenWRT. However, the MQTT Broker can run on any computer on a local area network (LAN). You could even run it on a Raspberry PI if performance isn’t a strict requirement. So the following instructions should be adaptable to most modern operating systems.
The following documentation in no way guarantees a secure system.
Install Mosquitto Broker and Client
With ssh (or similar) log into your OpenWRT router.
opkg install mosquitto-ssl mosquitto-client-ssl libmosquitto-ssl
Create "mosquitto" user if it does not already exist
useradd -M mosquitto
usermod -L mosquitto
Create a directory to securely hold your certificates
(Keys and Certificates can be generated on any computer as long as the required files are securely copied to the server and all keys are securely stored.)
mkdir -p /root/mosquitto
chmod go-rwx /root/mosquitto
chown mosquitto:mosquitto /root/mosquitto
Creating the MQTT Keys and Certificates
The documentation below talks a lot about Keys, Certificates, Certificate Authorities, etc... Rather than trying to rewrite the very good documentation others have already put a great deal of effort into, I refer you to some of their work:
NEVER use the same key and certificate to secure more than one device. If one device becomes compromised then all devices secured with the same key and certificate are also compromised.
When generating your credentials it is important to use different subject parameters for your CA, server and client certificates.
Every time you are prompted for the CN (Common Name), enter the same server hostname. If you don't know your exact hostname then run something like:
uci show system
Create an X509 CA key and certificate for self-signing
(Determine and securely store a PEM Pass Phrase, which is used to protect your CA Key)
openssl req -new -x509 -days 365 -extensions v3_ca -keyout mosq_ca.key -out mosq_ca.crt -subj "/C=CA/ST=BC/L=your-city/O=ca.your-domain.com/OU=ca/CN=your-hostname/emailAddress=email@example.com"
- C - Country
- ST - State
- L - City
- O - Organization
- OU - Organization Unit
- CN - Common Name (eg: the main domain the certificate should cover)
- emailAddress - main administrative point of contact for the certificate
openssl x509 -in mosq_ca.crt -noout -text
Generate the MQTT Server private key
openssl genrsa -out mosq_serv.key 2048
Generate the MQTT Server certificate signing request (CSR)
openssl req -new -key mosq_serv.key -out mosq_serv.csr -subj "/C=your-country/ST=your-state/L=your-city/O=server.your-domain.com/OU=server/CN=your-hostname/emailAddress=firstname.lastname@example.org"
Generate the CA-signed certificate for the Mosquitto MQTT Server
openssl x509 -req -in mosq_serv.csr -CA mosq_ca.crt -CAkey mosq_ca.key -CAcreateserial -out mosq_serv.crt -days 365
Generate the MQTT Client private key
openssl genrsa -out mosq_client.key 2048
Generate the MQTT Client certificate signing request (CSR)
openssl req -new -key mosq_client.key -out mosq_client.csr -subj "/C=your-country/ST=your-state/L=your-city/O=client.your-domain.com/OU=client/CN=your-hostname/emailAddress=email@example.com"
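The whole CA / server / client sequence above as one added example script (not part of the original page), which also signs the client CSR with the CA and runs the checks worth doing before copying files to the broker: the leaf chains to the CA, each key matches its certificate, and the two devices do not share a subject or fingerprint. The hostname and subject values are constructed placeholders, and the CA key is created without a pass phrase (-nodes) only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the original page): throwaway CA plus CA-signed
# server and client credentials in a temp dir, followed by sanity checks.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CN="mqtt.example.lan"   # constructed; on OpenWRT take it from `uci show system`

# Unattended CA key: -nodes skips the PEM pass phrase so the script is
# non-interactive. On the real server omit -nodes and keep a pass phrase.
make_ca() {
  openssl req -new -x509 -days 365 -extensions v3_ca -nodes -newkey rsa:2048 \
    -keyout "$WORK/mosq_ca.key" -out "$WORK/mosq_ca.crt" \
    -subj "/C=CA/ST=BC/L=city/O=ca.example.lan/OU=ca/CN=$CN" 2>/dev/null
}

# make_leaf NAME OU: own private key, CSR and CA-signed certificate for one
# device. A distinct O/OU per device keeps the subjects different.
make_leaf() {
  openssl genrsa -out "$WORK/mosq_$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/mosq_$1.key" -out "$WORK/mosq_$1.csr" \
    -subj "/C=CA/ST=BC/L=city/O=$2.example.lan/OU=$2/CN=$CN" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/mosq_$1.csr" -CA "$WORK/mosq_ca.crt" \
    -CAkey "$WORK/mosq_ca.key" -CAcreateserial -out "$WORK/mosq_$1.crt" 2>/dev/null
}

# Leaf certificate chains to the CA (what broker and clients will check).
verify_chain() {
  openssl verify -CAfile "$WORK/mosq_ca.crt" "$WORK/mosq_$1.crt" >/dev/null
}
# Private key and certificate belong together (compare RSA moduli).
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in "$WORK/mosq_$1.crt")" = \
    "$(openssl rsa -noout -modulus -in "$WORK/mosq_$1.key" 2>/dev/null)" ]
}
# Two devices never share a certificate: subjects and fingerprints must differ.
credentials_distinct() {
  [ "$(openssl x509 -noout -subject -in "$WORK/mosq_$1.crt")" != \
    "$(openssl x509 -noout -subject -in "$WORK/mosq_$2.crt")" ] &&
  [ "$(openssl x509 -noout -fingerprint -in "$WORK/mosq_$1.crt")" != \
    "$(openssl x509 -noout -fingerprint -in "$WORK/mosq_$2.crt")" ]
}

make_ca
make_leaf serv server     # broker credentials
make_leaf client client   # one client; run again with a new name per device
```

Keep the generated files inside the protected directory from earlier and copy only each device's own key and certificate to that device.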