TLS not working

The issue is I am trying to implement TLS following these two links:

Here below I have described what I did.

(1) keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass hello123 -validity 360 -keysize 2048

I created a .jks file using this command. Had the key for <hivemq> alias set to hellokey123

Checked the jks file using command: keytool -list -v -keystore hivemq.jks    
and it opened with password "hello123", thus no error in its creation

(2) Exported keystore to a .pem file using: keytool -exportcert -alias hivemq -keystore hivemq.jks -rfc -file server.pem

Checked the .pem file with command: openssl rsa -in server.pem -out private.key
Error given: 
unable to load Private Key
15156:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1k/crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

(3) Created .pem based client certificate using: openssl req -x509 -newkey rsa:2048 -keyout mqtt-client-key.pem -out mqtt-client-cert.pem -days 360

Checked the .pem files with command: openssl rsa -in [filename].pem -out private.key
The files were exported with the set pem passphrase

(4) Exported client certificate from the PEM file into an CRT file using command: openssl x509 -outform der -in mqtt-client-cert.pem -out mqtt-client-cert.crt

(5) Imported the certificate into a Java keystore using command: keytool -import -file mqtt-client-cert.crt -alias client -keystore hivemq-trust-store.jks -storepass hellotrust123

Checked the jks file using command: keytool -list -v -keystore hivemq-trust-store.jks
And it opened with password "hellotrust123", thus no error in its creation


Configured config.xml as


Now, in nodejs file using mqtt.js,

When I configure to use tcp port 8883, 
var options = {
    port: 8883,
    host: 'localhost'

it works,

But when I use configuration for port 1883
var options = {
    port: 1883,
    host: 'localhost',
    keyPath: '../mqtt-client-key.pem',
    certPath: '../mqtt-client-cert.pem',
    rejectUnauthorized : true,
    // The CA list will be used to determine if server is authorized
    ca: '../hivemq-server-cert.pem'

Nothing happens, no error. I don't understand what is happening. Would be really grateful if someone could help.

Folder strucutre is such:

Hi @banjobyster ,

Check if the listener is getting created. To check:

  1. First, Find the file $HIVEMQ_HOME/conf/logback.xml and change the log level to DEBUG to get more details in the log. Change this line:
    <root level="${HIVEMQ_LOG_LEVEL:-INFO}">

change it to:

    <root level="${HIVEMQ_LOG_LEVEL:-DEBUG}">

Save your changes.
2. Next, Restart your HiveMQ again and check the log $HIVEMQ_HOME/log/hivemq.log. See if the listener tls-tcp-listener is started successfully or whether there is any error.

Kind regards,
Dasha from HiveMQ team

Hello @Daria_H ,

I am getting this when starting HiveMQ.

2022-11-15 20:11:29,078 INFO - Starting TLS TCP listener on address and port 1883

I looked at hivemq.log, and this is that I found

2022-11-15 20:11:26,048 DEBUG - Adding TCP Listener with TLS on bind address and port 1883. Name: tls-tcp-listener-1883.

Rest, everything seems fine.


When the listener is started, you can try to connect an MQTT client to it. We suggest using MQTT-CLI. The Command to connect to a tls-tcp-listener and publish a message:

mqtt publish --topic Test --message Hello \
  --host <yourHost> --port <yourPort> \
  --cafile server.pem --cert client-cert.pem --key client-key.pem \

Where <yourPort> is in your case 1883.

Note that <yourHost> used in the command should be the same as CN in the certificate.
If you want another hostname, for example, if you create the certificate with CN=hivemq, but run your HiveMQ broker on the localhost, then you can update your /etc/hosts file and add to it:	hivemq

Also, note the option --verbose – it provides detailed information about the outcome of the command that is useful when you are troubleshooting. You can get help on mqtt-cli command by running mqtt <command> --help, for example, for the publish command, run

mqtt publish --help

Feel free to use our script that works for generating certificates, Keystore, and trust store.

I hope this helps,
Dasha from HiveMQ Team

Hello @Daria_H ,

I guess I have been using mqtt-cli wrong so far, will use your instructions and update you with the progress. Thank you so much for helping so far.

Greetings @Daria_H ,
I followed your steps.

I am getting the following error after trying to connect via mqtt-cli

Invalid value for option ‘–key’: cannot convert ‘.\certs\client-key.pem’ to PrivateKey (unable to read encrypted data: 1.2.840.113549.1.5.13 not available: Cannot find any provider supporting 1.2.840.113549.3.7)

Can you please guide me how to solve this problem.

PS: Also, encountered another error while using your provided shell script. While generating .pem based client certificate and converting to .crt file, I encountered an error where

-subj “/CN=$clientName”

was getting appended after the bash path. Maybe error was happening due to running it via git bash. So solved that by updating the line to

-subj “//CN=$clientName”

Maybe you can mention that in the code cause it took a lot of time to figure that out as a beginner.