is key and cert required with CA for SSL MQTT

Question

I started mosquitto broker with SSL using CA,cert and key when I am trying to connect to broker the library in elixir tortoise is asking me to put the key and cert with certifi. When I looked into certifi it is showing the list of CA can we use this self signed?

Tortoise.Supervisor.start_child(
    client_id: "smart-spoon",
    handler: {Tortoise.Handler.Logger, []},
    server: {
      Tortoise.Transport.SSL,
      host: host, port: port,
      cacertfile: :certifi.cacertfile(),
      key: key, cert: cert
    },
    subscriptions: [{"foo/bar", 0}])

Should I put the key and cert and client side?? I think that is very bad as key is secret please help me understand how it works

score 1 · Accepted Answer · answered May 14 '19 at 07:58

1

For "normal" SSL connections where the client wants to prove the broker is who they claim to be the client should only require a list of CA certificates to check the certificate presented by the broker. For this case you should normally leave the key and cert fields empty

If you are doing mutually authenticated SSL where the client is also proving to the broker who they are then you need to supply the client with it's own certificate/key (not the certificate/key from the broker but probably[but not required] signed by the same CA)

answered May 14 '19 at 07:58

hardillb

54,545
11
67
105

I cannot sign the certificate by CA right? Can I make this all work using self signed certs. and add it to certifi? – Yugandhar Chaudhari May 14 '19 at 08:25
*If you are doing mutually authenticated SSL* here are you talking about the client side ssl auth?? – Yugandhar Chaudhari May 14 '19 at 08:38
1

Yes, `mutually authenticated SSL` is about client authentication. As for self signed certs, just replace `certifi.cacertfile()` with the brokers certificate – hardillb May 14 '19 at 08:58

is key and cert required with CA for SSL MQTT

1 Answers1