Skip to content

Secure MQTT Integration

Document Context

  • Purpose: Complete guide for implementing secure MQTT integration with whatwatt Go using TLS encryption, mutual authentication, and certificate-based security
  • When to use: Production deployments requiring encrypted communication, enterprise security requirements, regulated environments, sensitive data protection
  • Prerequisites: Linux system administration, certificate management, MQTT broker configuration, network security concepts, OpenSSL command usage
  • Related to: Certificate generation, Mosquitto broker setup, TLS configuration, device provisioning, production security hardening
  • Validates against: Complete secure MQTT workflow with real whatwatt Go device and Mosquitto 2.0.21+ broker setup

Key Facts

  • License: Plus or higher required because Secure MQTT uses the built-in MQTT client
  • Security level: Mutual TLS authentication with ECDSA-P256 certificates
  • Broker requirements: Mosquitto 2.0.21+ with TLS support enabled
  • Certificate types: CA root, server certificate, client certificate for device
  • Authentication method: Certificate-based mutual authentication (no username/password)
  • Encryption: TLS 1.2+ with strong cipher suites
  • Network validation: IP address-based (hostname validation disabled for flexibility)
  • File permissions: Strict certificate file permissions for security
  • Production ready: Includes hardening recommendations and security best practices

Scope

This chapter shows how to connect a whatwatt Go device to a local Mosquitto 2.0.21 broker using ECDSA certificates, mutual-TLS, and IP addresses (no hostname validation). All certificates are stored in /etc/mosquitto/certs/. Optional production-grade notes are included at the end.

Requires Plus license

Secure MQTT requires an active Plus or higher license. On FREE devices you can still configure certificates and MQTT settings, but the firmware does not activate the MQTT client.

Prerequisites

Component Version / Notes
Ubuntu/Debian fresh install, sudo user
Mosquitto 2.0.21+ (apt repo)
OpenSSL 3.x (included)
whatwatt Go firmware ≥ 1.7.6, REST API enabled, Plus or higher license
Python ≥ 3.8 (for provisioning script)

Overview

The secure MQTT setup involves:

  1. Install Mosquitto - MQTT broker with TLS support
  2. Generate certificates - ECDSA-P256 certificate chain (CA, server, client)
  3. Deploy certificates - Install certificates with proper permissions
  4. Configure Mosquitto - Enable TLS listener with mutual authentication
  5. Test connection - Verify setup with command line tools
  6. Provision device - Configure whatwatt Go via REST API
  7. Hardening - Production security recommendations

Security Note

This setup uses mutual TLS authentication for maximum security. Both the broker verifies the client certificate, and the client can verify the broker certificate.