Configure Mosquitto Bridge With SSL Encryption - Examples

In a real deployment it is very likely that the connection between the two brokers will need to be encrypted.

The Mosquitto broker (server) provides two methods of using SSL encryption on a bridged connection:

  • Certificate encryption
  • PSK encryption

In this tutorial we will be configuring a secure bridged connection using both methods.

If you are new to certificates then you should read this tutorial on SSL encryption and certificates before continuing.

Broker Setup Overview

In this tutorial we will bridge topics from broker 1 to broker 2.


Broker 1 will be configured as the bridge, and broker 2 will operate as a normal broker; it does not require any bridging configuration.

SSL Encryption Using Certificates

I’ve configured broker 2 to require encryption and also to listen on port 8883.

Notice the configuration is for an extra listener, and not for a bridge.

Here is the relevant part of the config file on broker 2.


Now broker1 needs to be configured as a bridge.

The setup is almost identical to a normal bridge connection, except that we need to add a line for the CA file and also change from using an IP address to a name (ws4).

This is because my server key on broker 2 was generated with the name ws4, and the name the bridge connects to has to match the name in broker 2's certificate. See the Mosquitto SSL tutorial for details.


Note: No server key is needed on broker 1 as it is functioning as an SSL client (unless broker 2 is configured to require client certificates).
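As an added example (not the page's own screenshots), here are the two config fragments this section describes, assuming the CA, certificate and key live under /etc/mosquitto/certs/, broker 2 is reachable by the name ws4, and the topics under sensors/ are the ones being bridged:

```conf
# ---- broker 2 (the plain broker): an extra TLS listener, not a bridge ----
# Added example; the paths under /etc/mosquitto/certs/ are assumed.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
# server certificate and key generated for the name "ws4"
certfile /etc/mosquitto/certs/ws4.crt
keyfile /etc/mosquitto/certs/ws4.key
# leave at false unless you also issue a client certificate to broker 1
require_certificate false

# ---- broker 1 (the bridge): acts as the TLS client of broker 2 ----
connection bridge-01
# a name, not an IP address: it must match the name in broker 2's certificate
address ws4:8883
# only the CA that signed broker 2's certificate is needed here; no server
# key or certificate, because broker 1 is the TLS client
bridge_cafile /etc/mosquitto/certs/ca.crt
# topic to bridge (assumed): everything under sensors/, outbound to broker 2
topic sensors/# out 0
```

If the name in `address` does not match the certificate, the bridge fails the TLS handshake rather than connecting insecurely.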

PSK Encryption Overview

The Mosquitto broker supports PSK encryption, which can be used instead of certificate-based encryption.

In cryptography, a pre-shared key (PSK) is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. –Wiki

This is the same type of encryption used on Wi-Fi networks.

The key used in Mosquitto is restricted to hexadecimal digits, i.e. 0-9 and A-F.

You can generate the key using online key generators, random number generators or just make one up.

For testing purposes it is easier to make one up.

For real world deployments a security policy would need to be created and used.

Note: PSK encryption uses SSL just like certificate based encryption.

PSK encryption isn't supported by the Paho Python client, and so cannot be used to encrypt a Paho Python client connection.

Configuring PSK on a Mosquitto Bridge Connection

We use the same setup as before: broker 1 is configured as a bridge and broker 2 is a normal broker.

On broker 2 you need to add an extra listener.

There are two settings that you need to add:

  • psk_hint
  • psk_file

The psk_hint option is very important, as this is what tells the broker to use PSK.

The actual value that you enter doesn't appear to matter for Mosquitto, but it may matter in other PSK implementations.

There can only be one psk_file entry.

Below is a sample configuration.


The PSK file is configured for two connections and looks like this.


Broker 1 Configuration

Each bridge connection starts with the connection name. Below we see two connections called bridge-01 and bridge-02.

The first connection connects using the IP address and port 8883.

If you look at the broker 2 configuration above, it is configured to listen on port 8883 and use PSK encryption.

The bridge_identity must match an entry in the PSK file on the destination broker (broker 2), and the bridge_psk key must match the key for that identity.

If you examine the screenshot of the PSK file above you should see that they do match.


Note: I've used similar names for the bridge connection (bridge-01) and the bridge identity (bridge1). They are, however, two different settings and could have been totally different.
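The PSK setup described in the last two sections, as an added example rather than the page's own screenshots. The IP address, file path and hex keys are constructed for illustration:

```conf
# ---- broker 2: PSK listener (no certificates involved) ----
listener 8883
# psk_hint is what switches this listener to TLS-PSK; Mosquitto ignores its value
psk_hint broker2
# only one psk_file entry is allowed per broker
psk_file /etc/mosquitto/psk.txt

# ---- /etc/mosquitto/psk.txt on broker 2, one identity:hexkey per line ----
# keys below are constructed; for a real deployment generate them with a
# random source (e.g. `openssl rand -hex 32`) and keep the file root-readable
bridge1:7d3fa9c2e41b06d8f5a2c93e1b7604ad
bridge2:c81e4b0af23d9765e1f0a8c4b36d27e9

# ---- broker 1: two PSK bridge connections to broker 2 ----
connection bridge-01
# an IP address works here: with PSK there is no certificate name to match
address 192.168.1.40:8883
# bridge_identity selects the line in broker 2's psk_file; bridge_psk must
# equal the key on that line (connection name and identity are unrelated)
bridge_identity bridge1
bridge_psk 7d3fa9c2e41b06d8f5a2c93e1b7604ad
topic sensors/# out 0

connection bridge-02
address 192.168.1.40:8883
bridge_identity bridge2
# changing one digit here reproduces the "mismatched key" failure shown below
bridge_psk c81e4b0af23d9765e1f0a8c4b36d27e9
topic alarms/# both 0
```

Do not set bridge_cafile on a PSK bridge; the two modes are alternatives, not a combination.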

Testing The Connections

When you connect the bridge there is actually no indication that a secure connection is being used, provided the configuration is correct.

However you will get an indication if you have a configuration problem.

The screenshot below shows the connection problem that I caused by using a mismatched key for connection bridge-02.


Questions and Answers

Q- What is the PSK Hint?

A- See this Stack Overflow response.

Q- Is PSK less secure than using a certificate?

A- Probably yes, but opinions seem to vary (see here). PSK is, however, much easier to implement than certificates.




  1. Hi,

    First of all, well done for this tutorial.

    I tried the SSL configuration on my main broker and it works well.
    I can publish with mosquitto_pub from the same PC or from another one on the same network.

    Unfortunately, when I want to launch a bridge from the other PC I have this problem:
    “ssl handshake failure” (on the main broker)

    I’m using the same PC and the same ca.crt as with the mosquitto_pub so I don’t understand how the handshake could fail.

    Did you encounter this problem before?

    1. Hi
      I would suspect the configuration on the new broker. The second broker is acting like a client for the first broker, so it is set up similar to a client as regards SSL.
      If you still have probs send me a copy of the config file on each broker and I'll take a look.
