Differences
This shows you the differences between two versions of the page.
blocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 08:31] mattias [Add certificates for Mosquitto secure connections] |
blocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 11:58] (current) mattias [Add certificates for Mosquitto secure connections] |
Line 1: | Line 1: | ||
- | =====Add certificates for Mosquitto secure connections===== | + | =====Add certificates for the Mosquitto |
The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections. | The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections. | ||
- | ===Create a CA (certificate authority)=== | + | ===Create a CA (certificate authority) |
< | < | ||
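Review bot: the unchanged intro line under the new heading still reads "a self signed certificate that allow Mosquitto MQTT broker and it's clients"; since this hunk already edits the title, fix it in the same pass to "a self-signed certificate that allows the Mosquitto MQTT broker and its clients". The right-hand heading also stops at "Add certificates for the Mosquitto", so check that the new title was not cut off.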
Line 11: | Line 11: | ||
openssl genrsa -des3 -out ca.key 2048 | openssl genrsa -des3 -out ca.key 2048 | ||
</ | </ | ||
+ | Add a secret passphrase and store in a secure location. | ||
- | ===Create a certificate=== | + | ===Create a certificate |
< | < | ||
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt | openssl req -new -x509 -days 3650 -key ca.key -out ca.crt | ||
</ | </ | ||
- | ===Create server key and cert=== | + | Answer the questions at the prompt. |
+ | Example: | ||
+ | < | ||
+ | Country Name (2 letter code) [AU]:SE | ||
+ | State or Province Name (full name) [Some-State]: | ||
+ | Locality Name (eg, city) []:. | ||
+ | Organization Name (eg, company) [Internet Widgits Pty Ltd]: | ||
+ | Organizational Unit Name (eg, section) []:. | ||
+ | Common Name (e.g. server FQDN or YOUR name) []:Pixilab CA | ||
+ | Email Address []:. | ||
+ | |||
+ | </ | ||
+ | |||
+ | ===Create server key pair for the server=== | ||
< | < | ||
openssl genrsa -out server.key 2048 | openssl genrsa -out server.key 2048 | ||
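Review bot: the "Create a certificate" section should say that this is the CA's own self-signed certificate (ca.crt produced from ca.key), so readers do not confuse it with the server certificate created further down; "Create the CA certificate" would be clearer. Next to the prompt example it is worth stating that the subject details (Common Name "Pixilab CA" here) must differ from those used later for the server certificate, because a CA and a server certificate with identical subjects fail verification. The new heading "Create server key pair for the server" repeats itself; "Create the server key pair" reads better.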
Line 24: | Line 37: | ||
Adjust the -days parameter | Adjust the -days parameter | ||
+ | ===Create a new certificate request=== | ||
+ | < | ||
+ | openssl req -new -out server.csr -key server.key | ||
+ | </ | ||
+ | |||
+ | Answer the questions. | ||
+ | |||
+ | Example: | ||
+ | < | ||
+ | Country Name (2 letter code) [AU]:SE | ||
+ | State or Province Name (full name) [Some-State]: | ||
+ | Locality Name (eg, city) []:. | ||
+ | Organization Name (eg, company) [Internet Widgits Pty Ltd]: | ||
+ | Organizational Unit Name (eg, section) []:. | ||
+ | Common Name (e.g. server FQDN or YOUR name) []: | ||
+ | Email Address []:. | ||
+ | </ | ||
+ | The two last questions can be ignored, just hit enter. | ||
+ | < | ||
+ | Please enter the following ' | ||
+ | to be sent with your certificate request | ||
+ | A challenge password []: | ||
+ | An optional company name []: | ||
+ | </ | ||
+ | ===Verify and sign the request=== | ||
< | < | ||
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600 | openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600 | ||
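Review bot: the CSR example leaves Common Name empty, but that field has to be the hostname (or address) clients use to reach the broker, otherwise clients that verify the server name will refuse the connection; it must also differ from the CA's "Pixilab CA". "Verify and sign the request" is misleading because the x509 -req command only signs; either rename it "Sign the request" or add an inspection step such as `openssl req -in server.csr -noout -text` before it. The signing step uses -days 3600 while the CA certificate uses 3650; if that is intentional, the "Adjust the -days parameter" note should say which value it refers to.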
Line 29: | Line 67: | ||
===Copy the certificates to Mosquitto=== | ===Copy the certificates to Mosquitto=== | ||
+ | |||
+ | We may have to change user to a super user. I.e | ||
+ | < | ||
< | < | ||
- | sudo cp ca.crt | + | sudo cp ca.crt server.crt server.key / |
- | sudo cp server.crt | + | |
- | sudo cp server.key / | + | |
</ | </ | ||
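Review bot: the combined `sudo cp ca.crt server.crt server.key /` line copies the private key into the Mosquitto directory with whatever mode it had in the working directory; add a follow-up `chown`/`chmod` so server.key is readable only by the user the broker runs as, and state that ca.key must stay out of that directory. The sentence "We may have to change user to a super user. I.e" has no example after it, and the hunk now opens two code blocks in a row, so one of the two `<` lines looks like a stray.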
Line 57: | Line 96: | ||
password_file / | password_file / | ||
allow_anonymous false | allow_anonymous false | ||
- | tls_version tlsv1.2 | + | |
</ | </ | ||
===Restart mosquitto=== | ===Restart mosquitto=== | ||
< | < | ||
- | systemctl | + | systemctl restart mosquitto |
</ | </ | ||
+ | |||
+ | |||
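Review bot: dropping `tls_version tlsv1.2` removes the explicit floor on the protocol version for this listener; what is then accepted depends on the Mosquitto and OpenSSL build, and older builds may accept TLS 1.1 and earlier by default. If the line was removed because it broke a particular client, say which one; otherwise keep it (or raise it to tlsv1.3 where every client supports it). With `allow_anonymous false` and `password_file` still in place, the protocol floor is the only security setting this hunk changes.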