diff --git a/code/components/jomjol_flowcontroll/ClassFlowMQTT.cpp b/code/components/jomjol_flowcontroll/ClassFlowMQTT.cpp
index 287f2da5c..6d470c337 100644
--- a/code/components/jomjol_flowcontroll/ClassFlowMQTT.cpp
+++ b/code/components/jomjol_flowcontroll/ClassFlowMQTT.cpp
@@ -40,6 +40,7 @@ void ClassFlowMQTT::SetInitialParameter(void)
     caCertFilename = "";
     clientCertFilename = "";
     clientKeyFilename = "";
+    validateServerCert = true;
     clientname = wlan_config.hostname;
 
     OldValue = "";
@@ -109,15 +110,19 @@ bool ClassFlowMQTT::ReadParameter(FILE* pfile, string& aktparamgraph)
         std::string _param = GetParameterName(splitted[0]);
         if ((toUpper(_param) == "CACERT") && (splitted.size() > 1))
         {
-            this->caCertFilename = splitted[1];
+            this->caCertFilename = "/sdcard" + splitted[1];
+        }
+        if ((toUpper(_param) == "VALIDATESERVERCERT") && (splitted.size() > 1))
+        {
+            validateServerCert = alphanumericToBoolean(splitted[1]);
         }  
         if ((toUpper(_param) == "CLIENTCERT") && (splitted.size() > 1))
         {
-            this->clientCertFilename = splitted[1];
+            this->clientCertFilename = "/sdcard" + splitted[1];
         }  
         if ((toUpper(_param) == "CLIENTKEY") && (splitted.size() > 1))
         {
-            this->clientKeyFilename = splitted[1];
+            this->clientKeyFilename = "/sdcard" + splitted[1];
         }  
         if ((toUpper(_param) == "USER") && (splitted.size() > 1))
         {
@@ -133,10 +138,8 @@ bool ClassFlowMQTT::ReadParameter(FILE* pfile, string& aktparamgraph)
         }
         if ((toUpper(_param) == "RETAINMESSAGES") && (splitted.size() > 1))
         {
-            if (toUpper(splitted[1]) == "TRUE") {
-                SetRetainFlag = true;  
-                setMqtt_Server_Retain(SetRetainFlag);
-            }
+            SetRetainFlag = alphanumericToBoolean(splitted[1]);
+            setMqtt_Server_Retain(SetRetainFlag);
         }
         if ((toUpper(_param) == "HOMEASSISTANTDISCOVERY") && (splitted.size() > 1))
         {
@@ -225,7 +228,7 @@ bool ClassFlowMQTT::Start(float AutoInterval)
     mqttServer_setParameter(flowpostprocessing->GetNumbers(), keepAlive, roundInterval);
 
     bool MQTTConfigCheck = MQTT_Configure(uri, clientname, user, password, maintopic, domoticzintopic, LWT_TOPIC, LWT_CONNECTED,
-                                     LWT_DISCONNECTED, caCertFilename, clientCertFilename, clientKeyFilename,
+                                     LWT_DISCONNECTED, caCertFilename, validateServerCert, clientCertFilename, clientKeyFilename,
                                      keepAlive, SetRetainFlag, (void *)&GotConnected);
 
     if (!MQTTConfigCheck) {
@@ -367,4 +370,4 @@ void ClassFlowMQTT::handleIdx(string _decsep, string _value)
     }
 }
 
-#endif //ENABLE_MQTT
\ No newline at end of file
+#endif //ENABLE_MQTT
diff --git a/code/components/jomjol_flowcontroll/ClassFlowMQTT.h b/code/components/jomjol_flowcontroll/ClassFlowMQTT.h
index fcea5b634..272d9a211 100644
--- a/code/components/jomjol_flowcontroll/ClassFlowMQTT.h
+++ b/code/components/jomjol_flowcontroll/ClassFlowMQTT.h
@@ -19,7 +19,8 @@ class ClassFlowMQTT :
     std::string OldValue;
 	ClassFlowPostProcessing* flowpostprocessing;  
     std::string user, password; 
-    std::string caCertFilename, clientCertFilename, clientKeyFilename; 
+    std::string caCertFilename, clientCertFilename, clientKeyFilename;
+    bool validateServerCert;
     bool SetRetainFlag;
     int keepAlive; // Seconds
     float roundInterval; // Minutes
diff --git a/code/components/jomjol_mqtt/interface_mqtt.cpp b/code/components/jomjol_mqtt/interface_mqtt.cpp
index e970ac504..7bcbf6a65 100644
--- a/code/components/jomjol_mqtt/interface_mqtt.cpp
+++ b/code/components/jomjol_mqtt/interface_mqtt.cpp
@@ -16,7 +16,6 @@
 #include "esp_timer.h"
 #endif
 
-
 static const char *TAG = "MQTT IF";
 
 std::map<std::string, std::function<void()>>* connectFunktionMap = NULL;  
@@ -36,11 +35,11 @@ bool mqtt_connected = false;
 esp_mqtt_client_handle_t client = NULL;
 std::string uri, client_id, lwt_topic, lwt_connected, lwt_disconnected, user, password, maintopic, domoticz_in_topic;
 std::string caCert, clientCert, clientKey;
+bool validateServerCert = true;
 int keepalive;
 bool SetRetainFlag;
 void (*callbackOnConnected)(std::string, bool) = NULL;
 
-
 bool MQTTPublish(std::string _key, std::string _content, int qos, bool retained_flag) 
 {
     if (!mqtt_enabled) {                            // MQTT sevice not started / configured (MQTT_Init not called before)      
@@ -95,7 +94,6 @@ bool MQTTPublish(std::string _key, std::string _content, int qos, bool retained_
     }
 }
 
-
 static esp_err_t mqtt_event_handler_cb(esp_mqtt_event_handle_t event) {
     std::string topic = "";
     switch (event->event_id) {
@@ -197,16 +195,14 @@ static esp_err_t mqtt_event_handler_cb(esp_mqtt_event_handle_t event) {
     return ESP_OK;
 }
 
-
 static void mqtt_event_handler(void *handler_args, esp_event_base_t base, int32_t event_id, void *event_data) {
     ESP_LOGD(TAG, "Event dispatched from event loop base=%s, event_id=%d", base, (int)event_id);
     mqtt_event_handler_cb((esp_mqtt_event_handle_t) event_data);
 }
 
-
 bool MQTT_Configure(std::string _mqttURI, std::string _clientid, std::string _user, std::string _password,
         std::string _maintopic, std::string _domoticz_in_topic, std::string _lwt, std::string _lwt_connected, std::string _lwt_disconnected,
-        std::string _cacertfilename, std::string _clientcertfilename, std::string _clientkeyfilename, 
+        std::string _cacertfilename, bool _validateServerCert, std::string _clientcertfilename, std::string _clientkeyfilename, 
                     int _keepalive, bool _SetRetainFlag, void *_callbackOnConnected) {
     if ((_mqttURI.length() == 0) || (_maintopic.length() == 0) || (_clientid.length() == 0)) 
     {
@@ -225,25 +221,45 @@ bool MQTT_Configure(std::string _mqttURI, std::string _clientid, std::string _us
     domoticz_in_topic = _domoticz_in_topic;
     callbackOnConnected = ( void (*)(std::string, bool) )(_callbackOnConnected);
 
-    if (_clientcertfilename.length() && _clientkeyfilename.length()){
+    if (_clientcertfilename.length() && _clientkeyfilename.length()) {
         std::ifstream cert_ifs(_clientcertfilename);
-        std::string cert_content((std::istreambuf_iterator<char>(cert_ifs)), (std::istreambuf_iterator<char>()));
-        clientCert = cert_content;
-        LogFile.WriteToFile(ESP_LOG_INFO, TAG, "using clientCert: " + _clientcertfilename);
+        if (cert_ifs.is_open()) {
+            std::string cert_content((std::istreambuf_iterator<char>(cert_ifs)), (std::istreambuf_iterator<char>()));
+            clientCert = cert_content;
+            cert_ifs.close();
+            LogFile.WriteToFile(ESP_LOG_INFO, TAG, "using clientCert: " + _clientcertfilename);
+        }
+        else {
+            LogFile.WriteToFile(ESP_LOG_INFO, TAG, "could not open clientCert: " + _clientcertfilename);
+        }
 
         std::ifstream key_ifs(_clientkeyfilename);
-        std::string key_content((std::istreambuf_iterator<char>(key_ifs)), (std::istreambuf_iterator<char>()));
-        clientKey = key_content;
-        LogFile.WriteToFile(ESP_LOG_INFO, TAG, "using clientKey: " + _clientkeyfilename);
+        if (key_ifs.is_open()) {
+            std::string key_content((std::istreambuf_iterator<char>(key_ifs)), (std::istreambuf_iterator<char>()));
+            clientKey = key_content;
+            key_ifs.close();
+            LogFile.WriteToFile(ESP_LOG_INFO, TAG, "using clientKey: " + _clientkeyfilename);
+        }
+        else {
+            LogFile.WriteToFile(ESP_LOG_INFO, TAG, "could not open clientKey: " + _clientkeyfilename);
+        }
     }
 
-    if (_cacertfilename.length() ){
-        std::ifstream ifs(_cacertfilename);
-        std::string content((std::istreambuf_iterator<char>(ifs)), (std::istreambuf_iterator<char>()));
-        caCert = content;
-        LogFile.WriteToFile(ESP_LOG_INFO, TAG, "using caCert: " + _cacertfilename);
+    if (_cacertfilename.length()) {
+        std::ifstream ca_ifs(_cacertfilename);
+        if (ca_ifs.is_open()) {
+            std::string content((std::istreambuf_iterator<char>(ca_ifs)), (std::istreambuf_iterator<char>()));
+            caCert = content;
+            ca_ifs.close();
+            LogFile.WriteToFile(ESP_LOG_INFO, TAG, "using caCert: " + _cacertfilename);
+        }
+        else {
+            LogFile.WriteToFile(ESP_LOG_INFO, TAG, "could not open caCert: " + _cacertfilename);
+        }
     }
 
+    validateServerCert = _validateServerCert;
+
     if (_user.length() && _password.length()){
         user = _user;
         password = _password;
@@ -261,7 +277,6 @@ bool MQTT_Configure(std::string _mqttURI, std::string _clientid, std::string _us
     return true;
 }
 
-
 int MQTT_Init() { 
     if (mqtt_initialized) {
         return 0;
@@ -295,18 +310,21 @@ int MQTT_Init() {
     mqtt_cfg.session.last_will.msg = lwt_disconnected.c_str();
     mqtt_cfg.session.last_will.msg_len = (int)(lwt_disconnected.length());
     mqtt_cfg.session.keepalive = keepalive;
-    mqtt_cfg.buffer.size = 1536;                         // size of MQTT send/receive buffer (Default: 1024)
+    mqtt_cfg.buffer.size = 2048;                         // size of MQTT send/receive buffer
 
-    if (caCert.length()){
+    if (caCert.length()) {
         mqtt_cfg.broker.verification.certificate = caCert.c_str();
         mqtt_cfg.broker.verification.certificate_len = caCert.length() + 1;
-        mqtt_cfg.broker.verification.skip_cert_common_name_check = true;
+
+        // Skip any validation of server certificate CN field, this reduces the
+        // security of TLS and makes the *MQTT* client susceptible to MITM attacks
+        mqtt_cfg.broker.verification.skip_cert_common_name_check = !validateServerCert;
     }
 
-    if (clientCert.length() && clientKey.length()){
+    if (clientCert.length() && clientKey.length()) {
         mqtt_cfg.credentials.authentication.certificate = clientCert.c_str();
         mqtt_cfg.credentials.authentication.certificate_len = clientCert.length() + 1;
-        
+
         mqtt_cfg.credentials.authentication.key = clientKey.c_str();
         mqtt_cfg.credentials.authentication.key_len = clientKey.length() + 1;
     }
@@ -356,7 +374,6 @@ int MQTT_Init() {
 
 }
 
-
 void MQTTdestroy_client(bool _disable = false) {
     if (client) {
         if (mqtt_connected) {
@@ -374,17 +391,14 @@ void MQTTdestroy_client(bool _disable = false) {
         mqtt_configOK = false;
 }
 
-
 bool getMQTTisEnabled() {
     return mqtt_enabled;
 }
 
-
 bool getMQTTisConnected() {
     return mqtt_connected;
 }
 
-
 bool mqtt_handler_flow_start(std::string _topic, char* _data, int _data_len) 
 {
     ESP_LOGD(TAG, "Handler called: topic %s, data %.*s", _topic.c_str(), _data_len, _data);
@@ -393,7 +407,6 @@ bool mqtt_handler_flow_start(std::string _topic, char* _data, int _data_len)
     return ESP_OK;
 }
 
-
 bool mqtt_handler_set_prevalue(std::string _topic, char* _data, int _data_len) 
 {
     //ESP_LOGD(TAG, "Handler called: topic %s, data %.*s", _topic.c_str(), _data_len, _data);
@@ -429,7 +442,6 @@ bool mqtt_handler_set_prevalue(std::string _topic, char* _data, int _data_len)
     return ESP_FAIL;
 }
 
-
 void MQTTconnected(){
     if (mqtt_connected) {
         LogFile.WriteToFile(ESP_LOG_INFO, TAG, "Connected to broker");
@@ -464,7 +476,6 @@ void MQTTconnected(){
     }
 }
 
-
 void MQTTregisterConnectFunction(std::string name, std::function<void()> func){
     ESP_LOGD(TAG, "MQTTregisteronnectFunction %s\r\n", name.c_str());
     if (connectFunktionMap == NULL) {
@@ -483,7 +494,6 @@ void MQTTregisterConnectFunction(std::string name, std::function<void()> func){
     }
 }
 
-
 void MQTTunregisterConnectFunction(std::string name){
     ESP_LOGD(TAG, "unregisterConnnectFunction %s\r\n", name.c_str());
     if ((connectFunktionMap != NULL) && (connectFunktionMap->find(name) != connectFunktionMap->end())) {
@@ -491,7 +501,6 @@ void MQTTunregisterConnectFunction(std::string name){
     }
 }
 
-
 void MQTTregisterSubscribeFunction(std::string topic, std::function<bool(std::string, char*, int)> func){
     ESP_LOGD(TAG, "registerSubscribeFunction %s", topic.c_str());
     if (subscribeFunktionMap == NULL) {
@@ -506,7 +515,6 @@ void MQTTregisterSubscribeFunction(std::string topic, std::function<bool(std::st
     (*subscribeFunktionMap)[topic] = func;
 }
 
-
 void MQTTdestroySubscribeFunction(){
     if (subscribeFunktionMap != NULL) {
         if (mqtt_connected) {
diff --git a/code/components/jomjol_mqtt/interface_mqtt.h b/code/components/jomjol_mqtt/interface_mqtt.h
index 79544736a..29b52bb00 100644
--- a/code/components/jomjol_mqtt/interface_mqtt.h
+++ b/code/components/jomjol_mqtt/interface_mqtt.h
@@ -11,7 +11,7 @@
 
 bool MQTT_Configure(std::string _mqttURI, std::string _clientid, std::string _user, std::string _password,
                     std::string _maintopic, std::string _domoticz_in_topic, std::string _lwt, std::string _lwt_connected, std::string _lwt_disconnected,
-                    std::string _cacertfilename, std::string _clientcertfilename, std::string _clientkeyfilename, 
+                    std::string _cacertfilename, bool _validateServerCert, std::string _clientcertfilename, std::string _clientkeyfilename, 
                     int _keepalive, bool SetRetainFlag, void *callbackOnConnected);
 int MQTT_Init();
 void MQTTdestroy_client(bool _disable);
diff --git a/code/main/main.cpp b/code/main/main.cpp
index 5d0ba9b69..3ecdd4fc4 100644
--- a/code/main/main.cpp
+++ b/code/main/main.cpp
@@ -358,6 +358,7 @@ extern "C" void app_main(void)
     MakeDir("/sdcard/firmware");         // mandatory for OTA firmware update
     MakeDir("/sdcard/img_tmp");          // mandatory for setting up alignment marks
     MakeDir("/sdcard/demo");             // mandatory for demo mode
+    MakeDir("/sdcard/config/certs");     // mandatory for mqtt certificates
 
     // Check for updates
     // ********************************************
diff --git a/code/platformio.ini b/code/platformio.ini
index 51e198625..d622f420a 100644
--- a/code/platformio.ini
+++ b/code/platformio.ini
@@ -57,8 +57,15 @@ build_flags =
     ${common:esp32-idf.build_flags}
 	${flags:runtime.build_flags}
     ; ### Sofware options : (can be set in defines.h)
-	-D BOARD_ESP32CAM_AITHINKER
-	-D ENABLE_MQTT 
+    -D BOARD_ESP32CAM_AITHINKER
+    -D ENABLE_MQTT
+    ;-D MQTT_PROTOCOL_311
+    -D MQTT_ENABLE_SSL
+    ;-D MQTT_ENABLE_WS
+    ;-D MQTT_ENABLE_WSS
+    -D MQTT_SUPPORTED_FEATURE_SKIP_CRT_CMN_NAME_CHECK
+    ;-D MQTT_SUPPORTED_FEATURE_CRT_CMN_NAME
+    ;-D MQTT_SUPPORTED_FEATURE_CLIENT_KEY_PASSWORD
     -D ENABLE_INFLUXDB
     -D ENABLE_WEBHOOK
     -D ENABLE_SOFTAP 
diff --git a/code/sdkconfig.defaults b/code/sdkconfig.defaults
index 0fe530363..f87fd4073 100644
--- a/code/sdkconfig.defaults
+++ b/code/sdkconfig.defaults
@@ -127,6 +127,12 @@ CONFIG_MQTT_USE_CUSTOM_CONFIG=y
 #CONFIG_MQTT_OUTBOX_EXPIRED_TIMEOUT_MS=5000
 #CONFIG_MQTT_CUSTOM_OUTBOX=y # -> Use custom outbox in components/jomjol_mqtt/mqtt_outbox.h/cpp. If USE_PSRAM is enabled in there, it will save 10 kBytes of internal RAM. How ever it also leads to memory fragmentation, see https://github.com/jomjol/AI-on-the-edge-device/issues/2200
 
+#
+# mbedTLS
+#
+CONFIG_MBEDTLS_HAVE_TIME=y
+CONFIG_MBEDTLS_HAVE_TIME_DATE=y
+
 CONFIG_FREERTOS_TASK_FUNCTION_WRAPPER=n
 
 CONFIG_CAMERA_CORE0=n
diff --git a/param-docs/expert-params.txt b/param-docs/expert-params.txt
index 056b71288..5f47bca90 100644
--- a/param-docs/expert-params.txt
+++ b/param-docs/expert-params.txt
@@ -43,5 +43,6 @@ Hostname
 RSSIThreshold
 TimeServer
 CACert
+ValidateServerCert
 ClientCert
 ClientKey
diff --git a/param-docs/parameter-pages/MQTT/CACert.md b/param-docs/parameter-pages/MQTT/CACert.md
index 9f2fa8c4e..da9f40673 100644
--- a/param-docs/parameter-pages/MQTT/CACert.md
+++ b/param-docs/parameter-pages/MQTT/CACert.md
@@ -1,21 +1,24 @@
 # Parameter `CACert`
 Default Value: `""`
 
-Example: `/config/certs/RootCA.pem`.
+Example: `/config/certs/RootCA.crt`.
 
 !!! Warning
     This is an **Expert Parameter**! Only change it if you understand what it does!
 
 Path to the CA certificate file.
 
-This is part of the configuration to enable TLS for MQTT.
+This is part of the configuration to enable TLS 1.2 for MQTT.<br>
+
 The CA Certificate is used by the client to validate the broker is who it claims to be.
 It allows the client to authenticate the server, which is the first part of the MTLS handshake.
 
-Usually there is a common RootCA certificate for the MQTT broker
+Usually there is a common RootCA certificate for the MQTT broker.
+More information is available [here](https://jomjol.github.io/AI-on-the-edge-device-docs/MQTT-API/#mqtt-tls).
+
+For more information on how to create your own certificate, see: [mosquitto.org](https://mosquitto.org/man/mosquitto-tls-7.html) or [emqx.com](https://www.emqx.com/en/blog/emqx-server-ssl-tls-secure-connection-configuration-guide).
 
 !!! Note
     This also means that you might have to change the protocol and port in [uri](https://jomjol.github.io/AI-on-the-edge-device-docs/Parameters/#parameter-uri) to `mqtts://example.com:8883`!
 
-!!! Note
-    Only TLS 1.2 is supported!
+    Only Certificates up to 4096 Bit are supported!
diff --git a/param-docs/parameter-pages/MQTT/ClientCert.md b/param-docs/parameter-pages/MQTT/ClientCert.md
index 83ca26f94..1cccd48ab 100644
--- a/param-docs/parameter-pages/MQTT/ClientCert.md
+++ b/param-docs/parameter-pages/MQTT/ClientCert.md
@@ -1,22 +1,23 @@
 # Parameter `ClientCert`
 Default Value: `""`
 
-Example: `/config/certs/client.pem.crt`.
+Example: `/config/certs/client.crt`.
 
 !!! Warning
     This is an **Expert Parameter**! Only change it if you understand what it does!
 
 Path to the Client Certificate file.
 
-This is part of the configuration to enable TLS for MQTT.
+This is part of the configuration to enable TLS 1.2 for MQTT.<br>
+
 The Client Certificate is used by the client to prove its identity to the server, in conjunction with the Client Key. 
 It is the second part of the MTLS handshake.
 
-Usually there is a one pair of Client Certificate/Key for each client that connects to the MQTT broker
+Usually there is a one pair of Client Certificate/Key for each client that connects to the MQTT broker.
+More information is available [here](https://jomjol.github.io/AI-on-the-edge-device-docs/MQTT-API/#mqtt-tls).
 
-!!! Note
-    If set, `ClientKey` must be set too
-    This also means that you might have to change the protocol and port in [uri](https://jomjol.github.io/AI-on-the-edge-device-docs/Parameters/#parameter-uri) to `mqtts://example.com:8883`!
+For more information on how to create your own certificate, see: [mosquitto.org](https://mosquitto.org/man/mosquitto-tls-7.html) or [emqx.com](https://www.emqx.com/en/blog/emqx-server-ssl-tls-secure-connection-configuration-guide).
 
 !!! Note
-    Only TLS 1.2 is supported!
+    If set, `ClientKey` must be set too.
+    This also means that you might have to change the protocol and port in [uri](https://jomjol.github.io/AI-on-the-edge-device-docs/Parameters/#parameter-uri) to `mqtts://example.com:8883`!
diff --git a/param-docs/parameter-pages/MQTT/ClientKey.md b/param-docs/parameter-pages/MQTT/ClientKey.md
index b976ba199..3479476b7 100644
--- a/param-docs/parameter-pages/MQTT/ClientKey.md
+++ b/param-docs/parameter-pages/MQTT/ClientKey.md
@@ -1,22 +1,22 @@
 # Parameter `ClientKey`
 Default Value: `""`
 
-Example: `/config/certs/client.pem.key`.
+Example: `/config/certs/client.key`.
 
 !!! Warning
     This is an **Expert Parameter**! Only change it if you understand what it does!
 
 Path to the Client Key file.
 
-This is part of the configuration to enable TLS for MQTT.
+This is part of the configuration to enable TLS 1.2 for MQTT.<br>
+
 The Client Key is used by the client to prove its identity to the server, in conjunction with the Client Certificate.
 It is the second part of the MTLS handshake.
 
 Usually there is a one pair of Client Certificate/Key for each client that connects to the MQTT broker
 
-!!! Note
-    If set, `ClientCert` must be set too
-    This also means that you might have to change the protocol and port in [uri](https://jomjol.github.io/AI-on-the-edge-device-docs/Parameters/#parameter-uri) to `mqtts://example.com:8883`!
+For more information on how to create your own certificate, see: [mosquitto.org](https://mosquitto.org/man/mosquitto-tls-7.html) or [emqx.com](https://www.emqx.com/en/blog/emqx-server-ssl-tls-secure-connection-configuration-guide).
 
 !!! Note
-    Only TLS 1.2 is supported!
+    If set, `ClientCert` must be set too.
+    This also means that you might have to change the protocol and port in [uri](https://jomjol.github.io/AI-on-the-edge-device-docs/Parameters/#parameter-uri) to `mqtts://example.com:8883`!
diff --git a/param-docs/parameter-pages/MQTT/ValidateServerCert.md b/param-docs/parameter-pages/MQTT/ValidateServerCert.md
new file mode 100644
index 000000000..0c71f4111
--- /dev/null
+++ b/param-docs/parameter-pages/MQTT/ValidateServerCert.md
@@ -0,0 +1,20 @@
+# Parameter `ValidateServerCert`
+
+Default Value: `true`
+
+!!! Warning
+    This is an **Expert Parameter**! Only change it if you understand what it does!
+
+Enable or disable the validation of the server certificate CN field.<br>
+
+If `enabled (true)`, the certificate sent by the server is validated using the configured [Root CA Certificate file](https://jomjol.github.io/AI-on-the-edge-device-docs/Parameters/#parameter-cacert).<br>
+The server name in [uri](https://jomjol.github.io/AI-on-the-edge-device-docs/Parameters/#parameter-uri) is compared with the CN field of the server certificate.<br>
+A connection is only established if they agree. It ensures the origin of the server.
+
+If `disabled (false)`, the ESP32 skipped any validation of server certificate CN field.<br>
+This reduces the security of TLS and makes the *MQTT* client susceptible to MITM attacks.
+
+!!! Note
+    This also means that you might have to change the protocol and port in  to `mqtts://example.com:8883`!
+	
+    If you use public brokers, is recommended to set this parameter to "enabled (true)".
diff --git a/sd-card/config/config.ini b/sd-card/config/config.ini
index 851c96bf3..46e393847 100644
--- a/sd-card/config/config.ini
+++ b/sd-card/config/config.ini
@@ -87,6 +87,7 @@ HomeassistantDiscovery = false
 ;CACert = /config/certs/RootCA.pem
 ;ClientCert = /config/certs/client.pem.crt
 ;ClientKey = /config/certs/client.pem.key
+;ValidateServerCert = true
 ;DomoticzTopicIn = domoticz/in
 ;main.DomoticzIDX = 0
 
diff --git a/sd-card/html/edit_config_template.html b/sd-card/html/edit_config_template.html
index 535717d6e..92a85f1ec 100644
--- a/sd-card/html/edit_config_template.html
+++ b/sd-card/html/edit_config_template.html
@@ -1119,6 +1119,20 @@ <h4>
 			</td>
 			<td>$TOOLTIP_MQTT_ClientKey</td>
 		</tr>
+		
+		<tr class="MQTTItem expert" unused_id="exMqtt">
+			<td class="indent1">
+				<input type="checkbox" id="MQTT_ValidateServerCert_enabled" value="1"  onclick = 'InvertEnableItem("MQTT", "ValidateServerCert")' unchecked >
+				<label for=MQTT_ValidateServerCert_enabled><class id="MQTT_ValidateServerCert_text" style="color:black;">Validate ServerCert</class></label>
+			</td>
+			<td>
+				<select id="MQTT_ValidateServerCert_value1">
+					<option value="true" selected>enable (true)</option>
+					<option value="false">disable (false)</option>
+				</select>
+			</td>
+			<td>$TOOLTIP_MQTT_ValidateServerCert</td>
+		</tr>
 
 		<tr class="MQTTItem">
 			<td class="indent1">
@@ -2353,6 +2367,7 @@ <h4><input type="checkbox" id="Category_GPIO_enabled" value="1"  onclick='Update
     WriteParameter(param, category, "MQTT", "CACert", true);
     WriteParameter(param, category, "MQTT", "ClientCert", true);
     WriteParameter(param, category, "MQTT", "ClientKey", true);
+    WriteParameter(param, category, "MQTT", "ValidateServerCert", true);
     WriteParameter(param, category, "MQTT", "DomoticzTopicIn", true);
     
     WriteParameter(param, category, "InfluxDB", "Uri", true);	
@@ -2521,6 +2536,7 @@ <h4><input type="checkbox" id="Category_GPIO_enabled" value="1"  onclick='Update
     ReadParameter(param, "MQTT", "CACert", true);
     ReadParameter(param, "MQTT", "ClientCert", true);
     ReadParameter(param, "MQTT", "ClientKey", true);
+    ReadParameter(param, "MQTT", "ValidateServerCert", true);
     ReadParameter(param, "MQTT", "DomoticzTopicIn", true);
 
     ReadParameter(param, "InfluxDB", "Uri", true);
diff --git a/sd-card/html/readconfigparam.js b/sd-card/html/readconfigparam.js
index acc8eda88..19ad019ad 100644
--- a/sd-card/html/readconfigparam.js
+++ b/sd-card/html/readconfigparam.js
@@ -205,6 +205,7 @@ function ParseConfig() {
     ParamAddValue(param, catname, "CACert");
     ParamAddValue(param, catname, "ClientCert");
     ParamAddValue(param, catname, "ClientKey");
+    ParamAddValue(param, catname, "ValidateServerCert");
 
     var catname = "InfluxDB";
     category[catname] = new Object();