0
votes

I am trying to set up a Mosca server with SSL/TLS encryption.

The Mosca wiki page at https://github.com/mcollina/mosca/wiki/TLS-SSL-Configuration suggests that we will require a private key and a certificate for the broker.

While that page is silent about the configuration on the client side for MQTT over SSL/TLS, I found an article by Matteo Collina himself on SSL/TLS configuration on the client side, here: http://www.hivemq.com/blog/mqtt-client-library-mqtt-js

This article states that for mqtts we need to provide a key and a certificate on the client side too. Should they be the same key and certificate that we provided while setting up the broker or different for every client that we connect to the broker?

Are these keys and certificates a way of authenticating the client for the broker?


1 Answer

1
votes

How many certificates and keys depends on exactly what you are trying to achieve.

If you just need a secure connection, then you only need a certificate and private key on the broker (you may need to supply the CA certificate to the client, depending on whether you sign your own certificates or use certificates signed by a recognised public CA).

If you want to uniquely identify the client via SSL, then the client will also require its own unique certificate and matching private key. These will be different from the broker's certificate/key pair, but probably signed by the same CA.
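
The two setups described in this answer, as an added example that is not part of the original post or of Mosca's code. The option names are those of Node's `tls.createServer()` and `tls.connect()` (MQTT.js passes its connect options through to the latter for `mqtts://`); the function names are hypothetical and the PEM strings are supplied by the caller.

```javascript
// Added example. PEM values are passed in by the caller; in a real
// deployment they would be read from files with fs.readFileSync().

// Broker side: always has its own key + certificate.
//   requireClientCert = false -> encrypted channel only (first case)
//   requireClientCert = true  -> mutual TLS: every client must present a
//                                certificate signed by clientCa (second case)
function brokerTlsOptions({ key, cert, clientCa }, requireClientCert) {
  const opts = { key, cert };
  if (requireClientCert) {
    if (!clientCa) throw new Error('mutual TLS needs the CA that signs client certs');
    opts.ca = [clientCa];
    opts.requestCert = true;        // ask the client for a certificate
    opts.rejectUnauthorized = true; // refuse clients whose cert does not verify
  }
  return opts;
}

// Client side: always verifies the broker's certificate.
function clientTlsOptions({ brokerCa, key, cert }) {
  if (Boolean(key) !== Boolean(cert)) {
    throw new Error('client key and certificate must be supplied together');
  }
  const opts = { rejectUnauthorized: true };
  if (brokerCa) opts.ca = [brokerCa]; // only needed for a private or self-signed CA
  if (key) {                          // the client's own pair, never the broker's
    opts.key = key;
    opts.cert = cert;
  }
  return opts;
}

// Broker side, per connection: derive the client identity from the verified
// certificate. `socket` is the tls.TLSSocket handed to the connection listener.
function clientIdentity(socket) {
  if (!socket.authorized) return null; // no cert, or cert not signed by clientCa
  const peer = socket.getPeerCertificate();
  return peer && peer.subject ? peer.subject.CN || null : null;
}
```

Keeping `rejectUnauthorized: true` on the client is what makes the broker's certificate meaningful; with a private CA, supply `brokerCa` rather than turning verification off.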