MQTT CLI: The private key could not be recognized

I’ve created a rootCA.crt, client.crt and client.key for accessing my HiveMQ CE over port 8883.

Using MQTT.fx, the above-mentioned files work correctly.

But the same files with MQTT CLI don’t work. MQTT CLI is running on WSL2>Debian. I get the error

mqtt> con -h broker.MYSERVER.xx -p 8883 -V 3 --verbose --secure --cafile /mnt/c/Users/XXXXX/Downloads/certs/rootCA.crt --cert /mnt/c/Users/XXXXX/Downloads/certs/Passwordless/client.crt --key /mnt/c/Users/XXXXX/Downloads/certs/Passwordless/client.key

Invalid value for option '--key': cannot convert '/mnt/c/Users/XXXXX/Downloads/certs/Passwordless/client.key' to PrivateKey (The private key could not be recognized.)

My client.key file begins/ends with -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY-----.

For creating client.key I used the following command:

openssl req -new -newkey rsa:4096 -nodes -keyout client.key -out client.csr

Am I using a wrong/invalid format? How should I generate the private key for it to work with MQTT CLI?

Hi @nhosko and thanks for your question!

Currently, unencrypted .pem-files are not supported by the CLI - Sorry for the inconvenience.
We will make up for that in an upcoming version!

For now you could generate your client key by leaving out the -nodes option:
openssl req -x509 -newkey rsa:4096 -keyout client.pem -out client-cert.pem

Hope this helps!

Edit: This was successfully fixed in the 4.5.1 version of the CLI. See Release v4.5.1 · hivemq/mqtt-cli · GitHub. Therefore, it should now work as intended.


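The thread turns on which PEM container the key file uses, so here is a shell helper that reports it from the armor line. It is an added example, not part of the thread and not MQTT CLI code. The function names `pem_key_kind` and `encrypt_key` are hypothetical, and `encrypt_key` assumes you would rather wrap an existing unencrypted key in password-protected PKCS#8 than regenerate it.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file paths are the caller's.

# Print the container format of the first private key found in a PEM file.
pem_key_kind() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # First armor line naming a private key; strip CR so files saved with
    # Windows line endings (e.g. under /mnt/c) classify the same way.
    begin=$(grep -e '^-----BEGIN .*PRIVATE KEY-----' "$f" | head -n 1 | tr -d '\r')
    case "$begin" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo "pkcs8-encrypted" ;;      # what openssl req writes without -nodes
        "-----BEGIN PRIVATE KEY-----")
            echo "pkcs8-unencrypted" ;;    # what openssl req writes with -nodes
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Traditional format: encryption is signalled by an RFC 1421 header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                echo "traditional-encrypted"
            else
                echo "traditional-unencrypted"
            fi ;;
        *)
            echo "no-private-key"; return 1 ;;
    esac
}

# Wrap an existing unencrypted key in encrypted PKCS#8.
# openssl prompts for the passphrase; the output file is created owner-only.
encrypt_key() {
    src=$1
    dst=$2
    ( umask 077 && openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$src" -out "$dst" )
}
```

Running `pem_key_kind client.key` on the key from the question would print `pkcs8-unencrypted`, the form that CLI versions before 4.5.1 rejected.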