These are some rough notes for deploying a test/dev local CA, a server key/cert, and a client key/cert. The intention is to provide a quick and dirty (don't use in production) local CA with one server and one client.
Follow the install guide for easy-rsa (https://github.com/OpenVPN/easy-rsa), then run:
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req localhost
!!Notice the 'server' param!!
./easyrsa sign-req server localhost
./easyrsa gen-req user001
!!Notice the 'client' param!!
./easyrsa sign-req client user001
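Decrypt a private key (remove its passphrase):
openssl rsa -in crypted.key -out decrypted.key
easy-rsa .crt files contain both a human-readable text dump and the PEM-encoded certificate. For ease of use, copy just the PEM part (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) to a new file.
HAProxy requires the server cert/key to be in PEM format. Be sure the key is decrypted and the cert is extracted from the file generated.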
cat ../private/localhost.key ../certs/localhost.crt ../certs/ca.crt > localhost.pem
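The extraction and concatenation steps above as one script, which also refuses a key that is still encrypted. This is an added example, not part of the original notes or of easy-rsa/HAProxy; the function names and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: build an HAProxy PEM bundle from easy-rsa output.
# Function names and the usage-line file names are assumptions.

# Print only the PEM blocks of a file, dropping the human-readable
# text dump that easy-rsa writes above the certificate.
pem_blocks() {
    awk '/^-----BEGIN [A-Z0-9 ]+-----$/ { p = 1 }
         p { print }
         /^-----END [A-Z0-9 ]+-----$/   { p = 0 }' "$1"
}

# Succeed if the key file is still passphrase-protected
# (PKCS#8 header, or the legacy Proc-Type marker).
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----$|^Proc-Type: 4,ENCRYPTED' "$1"
}

# build_bundle KEY CERT CA OUT
# Writes key + cert + CA cert, in the same order as the cat command above.
build_bundle() {
    key=$1 cert=$2 ca=$3 out=$4
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    if key_is_encrypted "$key"; then
        echo "$key is still encrypted; decrypt it first" >&2
        return 1
    fi
    if [ -z "$(pem_blocks "$cert")" ]; then
        echo "no PEM block found in $cert" >&2
        return 1
    fi
    # The bundle holds the private key, so create it owner-only.
    ( umask 077
      { pem_blocks "$key"; pem_blocks "$cert"; pem_blocks "$ca"; } > "$out" )
}

# Usage: sh bundle.sh localhost.key localhost.crt ca.crt localhost.pem
if [ "$#" -eq 4 ]; then
    build_bundle "$@"
fi
```

The umask only applies when the output file is newly created; an existing file keeps its current permissions.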
Add these lines to /etc/mosquitto/mosquitto.conf:
listener 8884
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/mqtt.kodea.no.crt
keyfile /etc/mosquitto/certs/mqtt.kodea.nokey.key
require_certificate true
use_identity_as_username true
crlfile /etc/mosquitto/certs/crl.pem