Need help setting up MQTT TLS (to connect with Tasmota devices)

Hello everyone,

I am new to Home Assistant and am trying to set up MQTT & TLS with Tasmota devices, and I don’t think I understood everything right from the documentation and other topics in the forum. I was looking for documentation and read a lot, but I didn’t really find what I was looking for and even got more confused about where to start.

My goal is to have (local) encrypted communication of all of my MQTT (actually all Tasmota) devices with the Home Assistant MQTT broker (add-on). For the certificates I am running a root and intermediate CA myself. (Later I want to create and trigger all my automations through Node-RED.)

Since I started from scratch: right now, when it comes to TLS, I already have a secure connection to the Home Assistant server (web GUI) with a private key and server cert of 3072 bits (do I need to lower it to 2048? Tasmota supports up to 4096). The MQTT broker add-on is freshly installed and has default settings, and configuration.yaml is also default.

My first question in that case:
If I use the MQTT add-on, I don’t have to care about securing the broker connection to the HA server, because it’s the same, right?
So I only need to deal with mTLS, i.e. with a client certificate (for connecting the Tasmota devices to the MQTT broker) - or am I wrong with this statement?

If it is like that, what do I need to do exactly to achieve that?
For the Tasmota side, yes, I need to compile my own firmware file including the fingerprint (I also need to read some documentation about that).

But for Home Assistant and the MQTT add-on? I get a bit confused about whether I should use the configuration.yaml or the add-on’s core Mosquitto config, where I can also put cert/key/CA files and enable encryption (check “require certificates”).

What also confuses me is the MQTT add-on hostname, core-mosquitto: it seems like I can’t change that. When is this necessary in my case?

If you need further information about any config, let me know :)

Greetings
JuSchi

There is an article that covers the questions you want answered. It was written by the team behind the Mosquitto MQTT broker, so it’s reliable and contains the most important information. The article also includes a detailed step-by-step guide on how to enable TLS and certificate-based certification for an MQTT broker.
Please review this guide, https://cedalo.com/blog/mqtt-tls-configuration-guide/, follow the indicated steps, and let me know if you want to know anything more or if there are any follow-up questions on how to use this technology.
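An added example, not taken from either post, the linked guide, or the Home Assistant or Mosquitto projects: a plain Mosquitto broker configuration showing the unencrypted listener beside a TLS listener that requires client certificates (mTLS), which is the setup the question asks about. All file paths and the `/PLACEHOLDER/` prefix are placeholders; the option names are standard Mosquitto `mosquitto.conf` keys. How the Home Assistant add-on exposes these keys (its own option names, and which folder it reads extra `.conf` files from) is assumed to be documented by the add-on and is not covered here.

```conf
# Make listener-scoped settings (allow_anonymous, password_file, ...) apply
# per listener instead of globally, so the two listeners below can differ.
per_listener_settings true

# --- Weak: plain, unencrypted listener (what a default install typically exposes) ---
# Anything on the LAN can read topics and payloads, and a password is the only
# thing that ties a connection to a device.
listener 1883
allow_anonymous false
password_file /PLACEHOLDER/passwd

# --- Hardened: TLS listener with mandatory client certificates (mTLS) ---
# The broker and device certificates are assumed to be issued by the poster's
# own root/intermediate CA.
listener 8883
# CA material the broker uses to verify client certificates: the intermediate
# CA that signs the device certificates plus the root, concatenated in one PEM.
cafile /PLACEHOLDER/ca-chain.pem
# The broker's own certificate and private key.
certfile /PLACEHOLDER/broker.pem
keyfile /PLACEHOLDER/broker.key
# Reject any client that does not present a certificate chaining to cafile.
require_certificate true
# Use the client certificate's CN as the MQTT username; with this set,
# password_file is not consulted for this listener, and ACLs can be written
# per device name instead of per shared password.
use_identity_as_username true
# Do not accept anything older than TLS 1.2.
tls_version tlsv1.2
allow_anonymous false
```

While migrating devices, both listeners can stay up so that each Tasmota device can be moved to port 8883 once its client certificate is in place; after the last device is moved, deleting the `listener 1883` block closes the unencrypted path entirely. The broker log shows certificate verification failures for clients whose certificate does not chain to `cafile`, which is the quickest check that `require_certificate` is actually enforced.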