Mosquitto SSL/TLS Certificate

Server:

    # CA key pair (passphrase-protected by -des3) and self-signed CA certificate
    openssl genrsa -des3 -out ca.key 2048
    openssl req -new -x509 -days 3655 -key ca.key -out ca.crt -subj "/C=RO/ST=CLUJ/L=Cluj-Napoca/O=Universitatea Tehnica din Cluj-Napoca/OU=Departamentul de Electrotehnica si Masurari/CN=193.226.5.178/emailAddress=Florin.Dragan@ethm.utcluj.ro"

    # Broker key pair (no passphrase) and certificate request
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr -subj "/C=RO/ST=CLUJ/L=Cluj-Napoca/O=Universitatea Tehnica din Cluj-Napoca/OU=Departamentul de Masurari Electrice/CN=193.226.5.178/emailAddress=Florin.Dragan@ethm.utcluj.ro"

    # Sign the broker certificate request with the CA
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3655

Client:

    # Client key pair, certificate request, and certificate signed by the same CA
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -out client.csr -subj "/C=RO/ST=CLUJ/L=Cluj-Napoca/O=Universitatea Tehnica din Cluj-Napoca/OU=Caminele din Marasti/CN=193.226.5.178/emailAddress=Florin.Dragan@ethm.utcluj.ro"
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3655 -extfile filename

    # Check that the broker certificate chains to the CA
    openssl verify -CAfile ca.crt server.crt

Overview of Steps

1. Create a CA key pair.
2. Create a CA certificate and use the CA key from step 1 to sign it.
3. Create a broker key pair; don’t password protect it.
4. Create a broker certificate request using the key from step 3.
5. Use the CA certificate to sign the broker certificate request from step 4.
6. Now we should have a CA key file, a CA certificate file, a broker key file, and a broker certificate file.
7. Place all files in a directory on the broker, e.g. certs.
8. Copy the CA certificate file to the client.
9. Edit the Mosquitto conf file to use the files (details below).
10. Edit the client script to use TLS and the CA certificate (details below).

Note: when entering the country, organisation, etc. in the form, don’t use exactly the same information for the CA and the server certificate, as it causes problems.

Here is a screen shot of a comment from a reader that brought it to my attention:
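
Steps 1 to 5 as one non-interactive script, with the broker's IP address placed in a subjectAltName extension file so that a client checking the address it connects to accepts the certificate. This is an added example, not part of the original notes: the function names, san.ext and the "Example" subjects are made up here, and the CA key is left unencrypted only so the script runs without prompts.

```shell
#!/bin/sh
# Added example (not from the original page). issue_broker_cert,
# check_broker_cert and san.ext are names chosen for this sketch.

issue_broker_cert() {
    work_dir=$1     # directory that receives keys and certificates
    broker_ip=$2    # address the clients connect to
    (
        umask 077   # private keys readable by their owner only
        cd "$work_dir" || exit 1

        # Steps 1-2: CA key and self-signed CA certificate.
        # Assumption: no passphrase here so nothing prompts; the page's
        # -des3 option protects ca.key in real use.
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        openssl req -new -x509 -days 3655 -key ca.key -out ca.crt \
            -subj "/O=Example CA/CN=Example MQTT CA" || exit 1

        # Steps 3-4: broker key (no passphrase) and certificate request.
        # The subject differs from the CA's, as the page's note requires.
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key -out server.csr \
            -subj "/O=Example Broker/CN=$broker_ip" || exit 1

        # Extension file passed to -extfile: the IP as a subjectAltName.
        printf 'subjectAltName = IP:%s\n' "$broker_ip" > san.ext

        # Step 5: the CA signs the request and copies the extension in.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out server.crt -days 3655 \
            -extfile san.ext 2>/dev/null || exit 1
    )
}

check_broker_cert() {
    # Succeeds only if server.crt chains to ca.crt AND one of its
    # subjectAltName IP entries equals the address given in $2.
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Usage: d=$(mktemp -d); issue_broker_cert "$d" 193.226.5.178
#        check_broker_cert "$d" 193.226.5.178 && echo "chain and IP ok"
```

Only ca.crt needs to be copied to the client; ca.key and server.key stay where they were generated or on the broker.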