OwnTracks is a free and open source application for iOS and Android that allow you to track your location and send it via MQTT to your home automation system. But the location data needs to be send secured. How to do this, is written in this post.

Prepare the generate-CA script

Important is that the following OwnTracks script is running on a public server, with Mosquitto server already installed.

$ cd /etc/mosquitto/certs
$ wget https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh
$ chmod +x generate-CA.sh

Make the lifetime of the certificates longer on Android (till year 2032). On iOS this is not possible and limited to 825 days. Change server_days=825 into server_days=$days

$ vi generate-CA.sh

Create the server keys

The following command is generating the server key set

$ ./generate-CA.sh <full domainname>
for example
$ ./generate-CA.sh vps.firm-ware.cz

Create the client keys

The following command is generating the client key set. Change arjan into your own name.

$ ./generate-CA.sh client arjan

Mosquitto server config

Add the key files to the Mosquitto configuration. Change the example vps.firm-ware.cz into your own domainname.

$ vi /etc/mosquitto/conf.d/default.conf
#Secure MQTT messages
listener 12383
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/vps.firm-ware.cz.key
certfile /etc/mosquitto/certs/vps.firm-ware.cz.crt

#Bridge to mosquitto at home
connection brug
topic mobiel/# both
topic owntracks/# both

Test the Mosquitto server:

$ systemctl stop mosquitto.service
$ tail -f /var/log/mosquitto/mosquitto.log &
$ usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Testing the Mosquitto client

Copy the client keys and the ca.crt file to the local desktop/laptop. The remote domain needs to be the same as used in the

$ mosquitto_sub -d -h vps.firm-ware.cz -p 12383  -t owntracks/# --cafile ca.crt --cert arjan.crt --key arjan.key

Enable OwnTracks TLS

Docs: https://owntracks.org/booklet/features/tlscert/#pkcs12

Generate a PKCS#12 file to send it to the mobile phone

$ openssl pkcs12 -export -in arjan.crt -inkey arjan.key -name "Arjan's key" -out arjan.p12
Enter Export Password:
Verifying - Enter Export Password:

Copy the ca.crt and the arjan.p12 file to the mobile phone by email. Save these files on the phone in a new OwnTracks directory in the root of the file system.

On Android

In OwnTracks: * go to menu Preferences->Connection->Security * Set TLS on * CA Certificate: Select the downloaded ca.crt file from the OwnTracks directory * Client certificate: Select the arjan.p12 file from the OwnTracks directory * Client certificate password: Enter the password from the P12 file generation * Klik on ACCEPT

Check Status if the connection is successful.


For iOS you can find the instructions here: iOS OwnTracks