MQTT Security: Securing a Mosquitto Server

Learn how to encrypt your data for its transit via MQTT. We'll use Mosquitto MQTT Server for this experiment in IoT protocol security.

By Francesco Azzola · Sep. 05, 17 · Tutorial

This post describes how to implement MQTT security. In more detail, we will describe how to secure a Mosquitto MQTT server. As you may already know, MQTT is one of the most important protocols widely used in IoT and IIoT. MQTT is a lightweight, messaging-oriented protocol where an MQTT client exchanges messages through an MQTT server called an MQTT broker. We have covered all these aspects of MQTT in my MQTT protocol tutorial.

In this post, we address the security aspects of MQTT, with particular regard to securing a Mosquitto broker.

Generally speaking, the Internet of Things is the upcoming technological revolution where objects, called smart objects, are connected to the Internet — exchanging data and information. One of the main concerns about IoT is the security aspect. Considering that IoT will impact our everyday lives and these smart objects are able to acquire and collect different kinds of information, security is an important aspect. Some of this information is sensitive (we can think about health data), and it is important to be sure that no one else can use it except the permitted persons and systems.

In this context, it is important to know how to secure the MQTT protocol and how to protect your information. In the next paragraphs, we will analyze the steps we have to follow to secure MQTT using a Raspberry Pi as the MQTT broker.

What Does MQTT Security Mean?

By its nature, MQTT is a plain protocol: all the information exchanged is in plain-text format. In other words, anyone who can observe the traffic could intercept these messages and read the payload. Of course, there are several use cases where we want to keep information private and guarantee that it cannot be read or modified in transit. In this case, there are several approaches we can use to address the MQTT security problem:

  1. Create a VPN between the clients and the server.
  2. Use MQTT over SSL/TLS to encrypt and secure the information exchanged between the MQTT clients and the MQTT broker.

We will focus our attention on how to run MQTT over SSL/TLS. To make MQTT a secure protocol, we have to follow these steps:

  • Create a CA private key (mosq-ca.key).
  • Generate a self-signed CA certificate from that private key (mosq-ca.crt).
  • Create a private key and a certificate for the Mosquitto MQTT server, signed with the CA key.

The final step is configuring Mosquitto MQTT so that it uses these certificates.

Securing Mosquitto MQTT Server

The first step in this process is creating a private key. Connect to the Raspberry Pi using ssh or a remote desktop as you prefer and open a command terminal. Before starting, it is important you ensure OpenSSL is installed on your Raspberry Pi. If not, you can download it from here.

Before creating the private key, you should create a directory where you store all the certificates you will create. In the terminal, write:

openssl genrsa -out mosq-ca.key 2048


Using this command, we are creating a 2048-bit key called mosq-ca.key. The result is shown in the picture below:



The next step is creating an X509 certificate that uses the private key generated in the previous step. Open the terminal again and, in the same directory you used to store the private key, write:

openssl req -new -x509 -days 365 -key mosq-ca.key -out mosq-ca.crt


In this step, you are prompted for the certificate subject details before the certificate is created, as shown in the picture below:

Creating the MQTT Server Certificate

Once the private key and the certificate are ready, we can move on and create the MQTT server certificate and private key:

openssl genrsa -out mosq-serv.key 2048


Then the server certificate. During this step, we have to create a CSR (Certificate Signing Request). Normally the CSR is sent to a Certificate Authority that, after verifying the requester's identity, returns a signed certificate. In this tutorial, we act as our own CA and use a self-signed CA certificate:

openssl req -new -key mosq-serv.key -out mosq-serv.csr


As you can see, the CSR is generated with the server private key created in the previous step. Finally, we sign the CSR with the CA key and certificate to produce the certificate that our Mosquitto MQTT server will use:

openssl x509 -req -in mosq-serv.csr -CA mosq-ca.crt -CAkey mosq-ca.key -CAcreateserial -out mosq-serv.crt -days 365 -sha256


All done! We now have all the certificates needed to secure our MQTT server. You can inspect the server certificate with:

openssl x509 -in mosq-serv.crt -noout -text


You should now see the decoded certificate (issuer, subject, validity period, and so on).

How to Configure MQTT Mosquitto Server to Secure MQTT

Once the certificates are ready, we have to configure MQTT Mosquitto Server so that it can use these certificates. The certificates we have to use are:

  • mosq-ca.crt
  • mosq-serv.crt
  • mosq-serv.key

Locate the mosquitto.conf file that holds all the configuration parameters and add the following lines:

listener 8883
cafile /home/pi/ssl-cert-mosq/mosq-ca.crt
certfile /home/pi/ssl-cert-mosq/mosq-serv.crt
keyfile /home/pi/ssl-cert-mosq/mosq-serv.key


The path /home/pi/ssl-cert-mosq is the directory where you stored your certificates. Moreover, we use port 8883, the standard port for MQTT over TLS, instead of the default 1883.

Now you have to restart Mosquitto MQTT so that it reads the new configuration file:

sudo service mosquitto stop
sudo service mosquitto start


That's all. MQTT traffic to our broker is now encrypted. The last step is testing the configuration and the MQTT server.
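The whole procedure above, as an added example that is not part of the original article: a POSIX shell script that generates the CA and broker certificate chain non-interactively, writes the matching listener block for mosquitto.conf, and verifies the result. It assumes CERT_DIR is a scratch directory, BROKER_HOST is a hypothetical hostname for the Raspberry Pi, and BROKER_IP is the address used later in the article; the one addition to the article's commands is a subjectAltName on the server certificate, which clients need in order to verify the broker's name.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the CA and
# broker certificate chain described above, write the listener block for
# mosquitto.conf, and verify the result.
# Assumptions: CERT_DIR is a scratch directory; BROKER_HOST is an assumed
# hostname for the Raspberry Pi; BROKER_IP is the address used in the article.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
BROKER_HOST="${BROKER_HOST:-raspberrypi}"
BROKER_IP="${BROKER_IP:-192.168.1.8}"

make_mosquitto_certs() {
    d="$CERT_DIR"
    # 1. CA private key and self-signed CA certificate (-subj replaces the
    #    interactive prompts shown in the article's screenshots).
    openssl genrsa -out "$d/mosq-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$d/mosq-ca.key" \
        -out "$d/mosq-ca.crt" -subj "/CN=Mosquitto Test CA"
    # 2. Broker private key and certificate signing request.
    openssl genrsa -out "$d/mosq-serv.key" 2048 2>/dev/null
    openssl req -new -key "$d/mosq-serv.key" -out "$d/mosq-serv.csr" \
        -subj "/CN=$BROKER_HOST"
    # 3. Sign the CSR with the CA. The subjectAltName extension is the one
    #    addition to the article's command: clients that verify the broker
    #    (mosquitto_pub --cafile, MQTT.fx with SSL enabled) match the host or
    #    IP they connected to against the SAN, so a CN-only certificate fails
    #    hostname verification.
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$BROKER_HOST" "$BROKER_IP" > "$d/san.ext"
    openssl x509 -req -in "$d/mosq-serv.csr" -CA "$d/mosq-ca.crt" \
        -CAkey "$d/mosq-ca.key" -CAcreateserial -out "$d/mosq-serv.crt" \
        -days 365 -sha256 -extfile "$d/san.ext"
    # 4. Listener block for mosquitto.conf, same keys as in the article.
    printf 'listener 8883\ncafile %s/mosq-ca.crt\ncertfile %s/mosq-serv.crt\nkeyfile %s/mosq-serv.key\n' \
        "$d" "$d" "$d" > "$d/mosquitto-tls.conf"
}

# Returns 0 only if the broker certificate chains to the CA, carries the
# expected IP in its SAN, and matches the broker private key.
verify_mosquitto_certs() {
    d="$CERT_DIR"
    openssl verify -CAfile "$d/mosq-ca.crt" "$d/mosq-serv.crt" >/dev/null || return 1
    openssl x509 -in "$d/mosq-serv.crt" -noout -text \
        | grep -q "IP Address:$BROKER_IP" || return 1
    [ "$(openssl pkey -in "$d/mosq-serv.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$d/mosq-serv.crt" -noout -pubkey)" ] || return 1
}

make_mosquitto_certs && verify_mosquitto_certs && echo "certificates in $CERT_DIR verified"
```

With the SAN in place, the article's publisher test (mosquitto_pub with --cafile mosq-ca.crt and -h 192.168.1.8) passes hostname verification without needing the --insecure flag.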

MQTT Security Testing: Mosquitto Over SSL/TLS

In this step, we verify that the connection is correctly configured. For this purpose, we use MQTT.fx, a Java-based MQTT client. After installing it, create a new profile providing all the information shown in the picture below:

Notice that we have enabled the SSL/TLS configuration, providing the mosq-ca.crt created during the previous steps.

Finally, we can connect to the MQTT Mosquitto server:

Click Connect. The MQTT client establishes the connection to the MQTT broker, as you can check in the log tab.

Now it is time to test whether our client receives messages. Open the Subscribe tab and subscribe the MQTT client to a topic of your choice.

On the Raspberry Pi side, let's publish a message on the same topic:

mosquitto_pub -p 8883 -t "test" --cafile mosq-ca.crt -m "Hello MQTT" -d -h 192.168.1.8


The result is shown in the picture below:


On the subscriber side, we have:


As you can see, we received the message sent by the publisher.


Published at DZone with permission of Francesco Azzola, DZone MVB. See the original article here.
