certstrap VS cfssl

So setup a CA (I find certstrap simplifies this), load the CA cert into Mosquitto (cafile). Then you can issue any number of certificates that will allow clients to connect (you don't need to touch the broker config when adding new clients).

git clone https://github.com/square/certstrap cd certstrap git checkout v1.3.0 docker build -t squareup/certstrap . alias certstrap='docker run -i --rm -v $PWD:/out squareup/certstrap'

I like certstrap for this sort of thing, personally. I used to bugger about with OpenSSL but that’s far too real ale these days.

There are many ways to do this but my favorite is Certstrap.

Sounds like the issue is with your certificate itself, perhaps look at something which helps with local certificates management like https://github.com/square/certstrap

If you want to create your own CA, Certstrap by Square is really handy and simple to setup. I use this to generate valid certs for all my internal services (NAS, ESXI, etc).

Because OpenSSL is quite complex to use, we'll use certstrap for generation of certificates, install certstrap from here.

cfssl is kinda outright better version of that.

The Cloudflare SSL tools at https://github.com/cloudflare/cfssl might help. Here's what it shows for one of the example Snake Oil certs:

I've used this in the past and it worked great. https://github.com/cloudflare/cfssl

The first step is to create the source key that represents our user. This key is created using a tool like openssl but another popular tool to use is cfssl, created by Cloudflare. Some folks think cfssl is easier to use, and it definitely looks easier to script. But for this example we will use openssl. You can also choose to create the key using a number of different algorithms. For this example we will use ED25519.

TLS/SSL worked well with client certificates generated by the CFSSL API.

Not sure if relevant but we used tooling from CloudFlare in the past: https://github.com/cloudflare/cfssl