Certificates for securing the MQTT broker

Hello to all. I have a problem with the configuration of chirpstack components (gateway-bridge, network-server and application-server) with the mqtt broker.
I would like to create a secure (encrypted) connection with the mqtt broker.
First I tried the basic setup and everything works perfectly.

Now, what I do is:

  1. creation of certificates. So from the terminal I run the commands:
    $ openssl genrsa -des3 -out ca.key 2048
    (set password)
    $ openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
    (I enter the previous password and fill in the CountryName, State or Province, Common Name → IP address where mosquitto runs, 127.24.157.28, etc)
    $ openssl genrsa -out server.key 2048
    $ openssl req -new -out server.csr -key server.key
    (Again I fill in the CountryName, State or Province, Common Name → IP address where mosquitto runs, 127.24.157.28, etc)
    $ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
    And copy the files ca.crt, server.crt and server.key in the folder /etc/mosquitto/certs
  2. Go to:
    $ cd /etc/mosquitto/conf.d
    and create a new .conf file
    $ nano test.conf
    in this new file I write:

####################
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true
tls_version tlsv1.2
#####################

Now how should I configure the chirpstack components (gateway-bridge, network-server and application server) so that they can communicate with the broker?

I tried to do this, but with no success (or almost):

  1. I created the certificates for the client
    $ openssl genrsa -out client.key 2048
    $ openssl req -new -out client.csr -key client.key
    (I fill in all the fields by entering a “random value”, for example “goodbye” in the common name CN)
    $ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

  2. Now, to see if everything works, I run the MQTT.fx program on a Windows machine (connected to the same local network as Ubuntu). I insert the ca.crt, client.crt and client.key certificates. Then from Ubuntu, I start mosquitto (with the test.conf configuration) by running the command:
    $ mosquitto -v -c /etc/mosquitto/conf.d/test.conf
    I see the message that it is listening on port 8883, and from Windows I connect to the broker with the MQTT.fx program (configured with the previous certificates) and everything works.

But now to put these certificates (ca.crt, client.crt and client.key) in chirpstack modules, for example in the network-server, what I do is:

  1. Open the chirpstack-network-server.toml file and write in:

[network_server.gateway.backend]
type="mqtt"
server="ssl://172.24.157.28:8883"
username=" "
password=" "
client_id=" "
ca_cert="path/ca.crt"
tls_cert="path/client.crt"
tls_key="path/client.key"

But it does not work. How is it possible?
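
An added example, not part of the original post and not ChirpStack code: the ChirpStack components are Go programs, and Go's certificate verification (Go 1.15 and later) matches the address in `server=` against the broker certificate's subjectAltName entries only, never the Common Name. The sketch below builds throwaway in-memory certificates using the two addresses that appear in the post and shows which of them a Go client accepts for `172.24.157.28`; the helper names `mint` and `checkBrokerCert` are made up for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mint issues a throwaway certificate (constructed test data) signed with key.
func mint(tmpl, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// checkBrokerCert verifies a broker cert (CN=cn, IP SANs=sans) for addr as a Go TLS client would.
func checkBrokerCert(cn string, sans []net.IP, addr string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key for CA and broker, test only
	if err != nil {
		panic(err)
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example CA"}, KeyUsage: x509.KeyUsageCertSign}
	ca := mint(caTmpl, caTmpl, key)
	srv := mint(&x509.Certificate{SerialNumber: big.NewInt(2), IPAddresses: sans,
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature}, ca, key)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr})
	return err
}

func main() {
	const addr, other = "172.24.157.28", "127.24.157.28" // the two addresses in the post
	fmt.Println("CN only:     ", checkBrokerCert(addr, nil, addr))
	fmt.Println("matching SAN:", checkBrokerCert(addr, []net.IP{net.ParseIP(addr)}, addr))
	fmt.Println("other SAN:   ", checkBrokerCert(other, []net.IP{net.ParseIP(other)}, addr))
}
```

To give a broker certificate an IP SAN with the commands used in the post, pass `-extfile` to the `openssl x509 -req` signing step with a file containing `subjectAltName = IP:<broker address>`.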