
mosquitto-users team mailing list archive

Re: Best practices for tls_set in Python

 

What I didn't realize all along is that there's a concatenated certs file
at */etc/ssl/certs/ca-certificates.crt* (at least on Arch and Ubuntu).
That's what I should've been using from the beginning. Thanks for your help.

-- Jack


On Wed, Jun 12, 2013 at 4:01 PM, Roger Light <roger@xxxxxxxxxx> wrote:

> Hi Jack,
>
> Thanks for the reminder that I'd not replied to this.
>
> You can of course use the certificates that come with your OS and as
> Alexander says they are located in /etc/ssl/certs. You can use the
> "capath" option rather than "cafile" to load them.
>
> Bear in mind that there may be no need for you to use an existing CA
> though. If you control your application at both ends, you can create
> your own certificates with your own CA certificate and key.
>
> Either way, it is common practice to use an intermediate CA as
> described in this bug report:
> https://bugs.launchpad.net/mosquitto/+bug/1189444 As you can see,
> support for this is something that needs fixing.
>
> Another approach is to use the TLS-PSK support, which provides
> encryption without the overhead of using certificates.
>
> Cheers,
>
> Roger
>
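
Added example, not part of the thread or of mosquitto's own code: a standard-library check that tells a concatenated bundle (the "cafile" case Jack settled on) from an OpenSSL hashed directory (the "capath" case Roger mentions) and builds a verifying client context from it. The function names and the hashed-file-name pattern are assumptions made for this illustration.

```python
import os
import re
import ssl

# Path named in the thread (Arch, Ubuntu); its parent is the hashed directory.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")  # OpenSSL subject-hash file name


def classify_trust_source(path):
    """Return (kind, path, count): kind is "cafile" for a PEM bundle file or
    "capath" for an OpenSSL hashed directory. Raise ValueError for a path
    that would leave the client with no usable trust anchors."""
    if os.path.isdir(path):
        # OpenSSL looks certificates up by <subject-hash>.<n>; other file
        # names in the directory are ignored during verification.
        count = sum(1 for name in os.listdir(path) if HASH_LINK.match(name))
        if count == 0:
            raise ValueError("%s has no hashed entries; use a bundle file" % path)
        return ("capath", path, count)
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            count = fh.read().count(PEM_BEGIN)
        if count == 0:
            raise ValueError("%s contains no PEM certificates" % path)
        return ("cafile", path, count)
    raise ValueError("%s does not exist" % path)


def verifying_context(kind, path):
    """Build a client context that trusts only `path`, requires a valid
    server certificate and checks the host name."""
    return ssl.create_default_context(**{kind: path})


if __name__ == "__main__":
    for candidate in (SYSTEM_BUNDLE, os.path.dirname(SYSTEM_BUNDLE)):
        try:
            kind, path, count = classify_trust_source(candidate)
            verifying_context(kind, path)
            print("%s=%s (%d certificates)" % (kind, path, count))
        except (ValueError, ssl.SSLError) as exc:
            print("unusable:", exc)
```

A directory that holds certificates but no hashed names is rejected here because OpenSSL would find no issuer in it and every handshake would fail verification.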
