Reputation: 1
I have come across various MQTT over TLS how-tos on the internet, and for some reason every single one of them is using a self-signed broker certificate. Is there a reason for this?
Would it not be better to create a CSR and send it to a trusted CA to sign? Does self-signing have any advantages in terms of security?
Some links that I came across for mqtt over tls certs:
https://forums.raspberrypi.com/viewtopic.php?t=287326
Additionally, I'd have to keep a local copy of the broker cert if it is self-signed, but if it is signed by a trusted CA, I could directly connect to the broker (based on /etc/ssl/certs). Is that a correct statement?
Upvotes: 0
Views: 128
Reputation: 59658
The guides use self-signed certs or certs issued from a private CA because they are free and can be issued for raw IP addresses (including RFC1918 ranges).
While Let's Encrypt (and some others) make it easy and free to get "real" certs for machines with public hostnames (which are usually publicly routable), the easiest routes depend on also having a web server up and running on the same hostname (or full control over the DNS entries for a given domain). They also won't issue you a cert for a raw IP address.
So for a PoC or a totally internal setup, self-signed certs can be a requirement, but for anything internet-facing, especially if it's going to be used by others or by devices where it's hard to import a private CA cert, using certs issued by a public CA is usually best.
Upvotes: 1
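As an added example (not part of the answer above), this script shows the private-CA route the answer describes: a CA you run yourself issues a broker cert for a raw RFC1918 address, which a public CA will not do, and the same cert fails verification against the system trust store, which is why clients need a local copy of ca.crt. It assumes OpenSSL 1.1.1 or newer is installed; the IP 192.168.1.10 and the CN values are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: private CA issuing an MQTT broker cert with an IP SAN.
# Assumes openssl >= 1.1.1; 192.168.1.10 is a constructed sample address.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
BROKER_IP="${BROKER_IP:-192.168.1.10}"

# Self-signed CA cert: the one file every MQTT client must trust explicitly.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Home MQTT Private CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Broker: key + CSR, then the CA signs it with the IP in subjectAltName.
make_broker_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mqtt-broker" \
    -keyout "$WORKDIR/broker.key" -out "$WORKDIR/broker.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$BROKER_IP" \
    > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/broker.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 825 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/broker.crt" 2>/dev/null
}

# What a client does when handed ca.crt: chain builds, verification passes.
verify_with_private_ca() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/broker.crt" >/dev/null 2>&1
}

# What a client does by default (system store only): must fail, because the
# private CA is not in /etc/ssl/certs.
verify_with_system_store() {
  openssl verify "$WORKDIR/broker.crt" >/dev/null 2>&1
}

# Confirm the cert names the address the broker is actually reached at;
# without a matching SAN the TLS client rejects the connection.
has_ip_san() {
  openssl x509 -in "$WORKDIR/broker.crt" -noout -text 2>/dev/null \
    | grep -q "IP Address:$BROKER_IP"
}

# Usage: make_private_ca; make_broker_cert; then hand ca.crt to clients and
# broker.crt/broker.key to the broker (e.g. mosquitto's certfile/keyfile).
```

A client then connects with the CA pinned explicitly, for example `mosquitto_sub --cafile ca.crt -h 192.168.1.10 -p 8883 -t test`; dropping `--cafile` reproduces the "unable to get local issuer" failure that `verify_with_system_store` demonstrates.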