PIXILAB Wiki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
blocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 08:18] – [Add certificates for Mosquitto secure connections] mattiasblocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 11:58] (current) – [Add certificates for Mosquitto secure connections] mattias
Line 1: Line 1:
  
-=====Add certificates for Mosquitto secure connections=====+=====Add certificates for the Mosquitto MQTT broker secure connections=====
  
-===Create a CA (certificate authority)===+The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections. 
 + 
 +===Create a CA (certificate authority) key pair===
  
 <code> <code>
 mkdir ~/certs mkdir ~/certs
 cd ~/certs cd ~/certs
-openssl genrsa -des3 -out ca.key 204+openssl genrsa -des3 -out ca.key 2048
 </code> </code>
 +Add a secret passphrase and store in a secure location. 
  
-===Create a certificate=== +===Create a certificate for the CA key===
 <code> <code>
 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
 </code> </code>
  
-===Create server key and cert===+Answer the questions at the prompt. 
 +Example: 
 +<code> 
 +Country Name (2 letter code) [AU]:SE 
 +State or Province Name (full name) [Some-State]:
 +Locality Name (eg, city) []:. 
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab 
 +Organizational Unit Name (eg, section) []:. 
 +Common Name (e.g. server FQDN or YOUR name) []:Pixilab CA 
 +Email Address []:. 
 + 
 +</code> 
 + 
 +===Create server key pair for the server===
 <code> <code>
 openssl genrsa -out server.key 2048 openssl genrsa -out server.key 2048
-Adjust the -days parameter to suit you needs. +</code> 
 +Adjust the -days parameter  to suit you needs in the next command.(valid 10 years in the example)
  
-openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360+===Create a new  certificate request=== 
 +<code> 
 +openssl req -new -out server.csr -key server.key 
 +</code> 
 + 
 +Answer the questions.  
 + 
 +Example: 
 +<code> 
 +Country Name (2 letter code) [AU]:SE 
 +State or Province Name (full name) [Some-State]:
 +Locality Name (eg, city) []:. 
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab 
 +Organizational Unit Name (eg, section) []:. 
 +Common Name (e.g. server FQDN or YOUR name) []:MQTTServer 
 +Email Address []:. 
 +</code> 
 +The two last questions can be ignored, just hit enter. 
 +<code> 
 +Please enter the following 'extra' attributes 
 +to be sent with your certificate request 
 +A challenge password []: 
 +An optional company name []: 
 +</code> 
 +===Verify and sign the request=== 
 +<code> 
 +openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600
 </code> </code>
  
 ===Copy the certificates to Mosquitto=== ===Copy the certificates to Mosquitto===
 +
 +We may have to change user to a super user. I.e
 +<code>su pixi-admin</code>
  
 <code> <code>
-sudo cp ca.crt /etc/mosquitto/certs/ +sudo cp ca.crt server.crt server.key /etc/mosquitto/certs/
-sudo cp server.crt /etc/mosquitto/certs/ +
-sudo cp server.key /etc/mosquitto/certs/+
 </code> </code>
  
Line 53: Line 96:
 password_file /etc/mosquitto/conf.d/pixi-pwd password_file /etc/mosquitto/conf.d/pixi-pwd
 allow_anonymous false allow_anonymous false
-tls_version tlsv1.2+
  
 </code> </code>
 ===Restart mosquitto=== ===Restart mosquitto===
 <code> <code>
-sudo systemctl restart mosquitto+systemctl restart mosquitto
 </code> </code>
 +
 +