There are no real guides on how to secure the MQTT broker by establishing SSL/TLS. At least not for the less experienced developers. I hope that we can get some answers on this thread, and maybe it will also help others in the future, who will end up with the same questions as I have now.

For the Kerlink iFemtoCell gateway this is the only description, which I could find on

For me this is no help at all. Of course it helps me to figure out where the configuration file is, but what difference does that make if I have no idea what to configure in the configuration file?

I have been reading up on what to do, and found this guide:, which guides you to create the certificates and keys:

  • ca.crt
  • ca.key
  • server.crt
  • server.key

And we have these 4 fields which are all connected to a MQTT Broker on the server:

  • Loraserver
  • Lora-App-Server
  • Lora-Gateway-Bridge
  • Gateway


This means that in plain text the TOML files will look like this:

  • Gateway:

    • server="ssl://hostname:8883"
    • ca_cert="/user/keys/ca.crt"
  • Loraserver:

    • server="ssl://localhost:8883"
    • ca_cert="/etc/mosquitto/certs/server.crt"
  • Lora-app-server:

    • server="ssl://localhost:8883"
    • ca_cert="/etc/mosquitto/certs/server.crt"
  • Lora-gateway-bridge:

    • server="ssl://"
    • ca_cert="/etc/mosquitto/certs/server.crt"

Question: Is the above the correct way to encrypt the communication between the MQTT broker?


You could also consider terminating TLS in front of MQTT. We prefer doing it via an Amazon ELB or Nginx (Kubernetes).

Thanks for the response, @bconway. Won't it be sufficient just to do as I am asking?

You also need to configure Mosquitto. Specifically from Step 3 from this URL:

Step 3 — Configuring MQTT SSL

To enable SSL encryption, we need to tell Mosquitto where our Let’s Encrypt certificates are stored. Open up the configuration file we previously started:

sudo nano /etc/mosquitto/conf.d/default.conf

Paste in the following at the end of the file, leaving the two lines we already added:


. . .
listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/
cafile /etc/letsencrypt/live/
keyfile /etc/letsencrypt/live/

Again, be sure to leave a trailing newline at the end of the file.
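
As an added example (not part of the thread or of the quoted guide), this Python check reads a mosquitto.conf and reports listeners that would accept unencrypted connections from other hosts. The sample config is constructed, its file paths are placeholders, and the check assumes certificate-based TLS is active on a listener only when both certfile and keyfile are set.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
TLS_PAIR = ("certfile", "keyfile")

# Constructed sample: the listener layout from the quoted guide plus an extra
# plaintext listener (1884) so the audit has something to report.
SAMPLE_CONF = """\
listener 1883 localhost

listener 8883
certfile /path/to/server.crt
cafile /path/to/ca.crt
keyfile /path/to/server.key

listener 1884
"""

def parse_listeners(text):
    """Return one dict per `listener` line: port, bind address, options."""
    listeners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "listener":
            fields = value.split()
            current = {"port": int(fields[0]),
                       "bind": fields[1] if len(fields) > 1 else None,
                       "options": {}}
            listeners.append(current)
        elif current is not None:
            # Options after a listener line belong to that listener.
            current["options"][key] = value.strip()
    return listeners

def audit(text):
    """Return (port, problem) tuples for listeners that are not TLS-protected."""
    findings = []
    for lst in parse_listeners(text):
        opts = lst["options"]
        if all(opts.get(k) for k in TLS_PAIR):
            continue  # certificate and key present: treated as a TLS listener
        if any(k in opts for k in TLS_PAIR + ("cafile",)):
            findings.append((lst["port"], "TLS options present but certfile/keyfile pair incomplete"))
        elif lst["bind"] not in LOOPBACK:
            findings.append((lst["port"], "plaintext listener not bound to loopback"))
    return findings

if __name__ == "__main__":
    for port, problem in audit(SAMPLE_CONF):
        print(f"listener {port}: {problem}")
```
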