PIXILAB Wiki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
blocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 08:40] – [Add certificates for Mosquitto secure connections] mattiasblocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 11:58] (current) – [Add certificates for Mosquitto secure connections] mattias
Line 1: Line 1:
  
-=====Add certificates for Mosquitto secure connections=====+=====Add certificates for the Mosquitto MQTT broker secure connections=====
  
 The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections. The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections.
  
-===Create a CA (certificate authority)===+===Create a CA (certificate authority) key pair===
  
 <code> <code>
Line 11: Line 11:
 openssl genrsa -des3 -out ca.key 2048 openssl genrsa -des3 -out ca.key 2048
 </code> </code>
 +Add a secret passphrase and store in a secure location. 
  
-===Create a certificate=== +===Create a certificate for the CA key===
 <code> <code>
 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
 </code> </code>
 +
 Answer the questions at the prompt. Answer the questions at the prompt.
 Example: Example:
 <code> <code>
-Country Name (2 letter code) [AU]:[Your country code]+Country Name (2 letter code) [AU]:SE
 State or Province Name (full name) [Some-State]:. State or Province Name (full name) [Some-State]:.
 Locality Name (eg, city) []:. Locality Name (eg, city) []:.
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:[Your company name]+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab
 Organizational Unit Name (eg, section) []:. Organizational Unit Name (eg, section) []:.
-Common Name (e.g. server FQDN or YOUR name) []:[Your server name]+Common Name (e.g. server FQDN or YOUR name) []:Pixilab CA
 Email Address []:. Email Address []:.
  
 </code> </code>
  
-===Create server key and cert===+===Create server key pair for the server===
 <code> <code>
 openssl genrsa -out server.key 2048 openssl genrsa -out server.key 2048
Line 36: Line 37:
 Adjust the -days parameter  to suit you needs in the next command.(valid 10 years in the example) Adjust the -days parameter  to suit you needs in the next command.(valid 10 years in the example)
  
 +===Create a new  certificate request===
 +<code>
 +openssl req -new -out server.csr -key server.key
 +</code>
 +
 +Answer the questions. 
 +
 +Example:
 +<code>
 +Country Name (2 letter code) [AU]:SE
 +State or Province Name (full name) [Some-State]:.
 +Locality Name (eg, city) []:.
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab
 +Organizational Unit Name (eg, section) []:.
 +Common Name (e.g. server FQDN or YOUR name) []:MQTTServer
 +Email Address []:.
 +</code>
 +The two last questions can be ignored, just hit enter.
 +<code>
 +Please enter the following 'extra' attributes
 +to be sent with your certificate request
 +A challenge password []:
 +An optional company name []:
 +</code>
 +===Verify and sign the request===
 <code> <code>
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600
Line 41: Line 67:
  
 ===Copy the certificates to Mosquitto=== ===Copy the certificates to Mosquitto===
 +
 +We may have to change user to a super user. I.e
 +<code>su pixi-admin</code>
  
 <code> <code>
-sudo cp ca.crt /etc/mosquitto/certs/ +sudo cp ca.crt server.crt server.key /etc/mosquitto/certs/
-sudo cp server.crt /etc/mosquitto/certs/ +
-sudo cp server.key /etc/mosquitto/certs/+
 </code> </code>
  
Line 69: Line 96:
 password_file /etc/mosquitto/conf.d/pixi-pwd password_file /etc/mosquitto/conf.d/pixi-pwd
 allow_anonymous false allow_anonymous false
-tls_version tlsv1.2+
  
 </code> </code>
 ===Restart mosquitto=== ===Restart mosquitto===
 <code> <code>
-systemctl --user restart mosquitto+systemctl restart mosquitto
 </code> </code>
 +
 +