
Is key and cert required with CA for SSL MQTT?

I started a mosquitto broker with SSL using a CA, cert and key. When I try to connect to the broker, the Elixir library tortoise asks me to put the key and cert with certifi. When I looked into certifi, it shows a list of CAs. Can we use this self-signed?

Tortoise.Supervisor.start_child(
    client_id: "smart-spoon",
    handler: {Tortoise.Handler.Logger, []},
    server: {
      Tortoise.Transport.SSL,
      host: host, port: port,
      cacertfile: :certifi.cacertfile(),
      key: key, cert: cert
    },
    subscriptions: [{"foo/bar", 0}])

Should I put the key and cert on the client side? I think that is very bad, as the key is secret. Please help me understand how it works.

For "normal" SSL connections, where the client wants to prove the broker is who they claim to be, the client should only require a list of CA certificates to check the certificate presented by the broker. For this case you should normally leave the key and cert fields empty.

If you are doing mutually authenticated SSL, where the client is also proving to the broker who they are, then you need to supply the client with its own certificate/key (not the certificate/key from the broker, but probably [but not required] signed by the same CA).
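
The two setups described in the answer, as an added example (not code from the original post or from the Tortoise project). It assumes the broker certificate was signed by a private CA, so `cacertfile` points at that CA's certificate rather than certifi's public bundle, and that `Tortoise.Transport.SSL` passes extra options through to Erlang's `:ssl`; the module name, host and file paths are placeholders.

```elixir
defmodule MqttTlsExample do
  # Hypothetical module; host and file paths are placeholders for illustration.
  @host "broker.example.internal"
  @port 8883

  # Public certificate of the private CA that signed the broker certificate.
  # It contains no secret, so it is safe to ship with the client.
  @ca_cert "/etc/mqtt/ca.crt"

  # Server authentication only: the client verifies the broker against the CA
  # and holds no key or certificate of its own.
  def server_auth_only do
    {Tortoise.Transport.SSL,
     host: @host, port: @port, cacertfile: @ca_cert, verify: :verify_peer}
  end

  # Mutual TLS: add the client's OWN certificate and private key, never the
  # broker's. certfile/keyfile are standard :ssl options (assumed to be
  # forwarded unchanged by the transport).
  def mutual_tls do
    {Tortoise.Transport.SSL,
     host: @host,
     port: @port,
     cacertfile: @ca_cert,
     verify: :verify_peer,
     certfile: "/etc/mqtt/client.crt",
     keyfile: "/etc/mqtt/client.key"}
  end

  # Start the client with either transport; defaults to server-auth only.
  def start(server \\ server_auth_only()) do
    Tortoise.Supervisor.start_child(
      client_id: "smart-spoon",
      handler: {Tortoise.Handler.Logger, []},
      server: server,
      subscriptions: [{"foo/bar", 0}]
    )
  end
end
```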
