Differences

blocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 09:11]
mattias [Add certificates for Mosquitto secure connections]
blocks:server:advanced_server_configuration:mqtt:mosquitto_tls [2023-05-16 11:58] (current)
mattias [Add certificates for Mosquitto secure connections]
Line 1: Line 1:
  
-=====Add certificates for Mosquitto secure connections=====+=====Add certificates for the Mosquitto MQTT broker secure connections=====
  
 The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections. The method below creates a self signed certificate that allow Mosquitto MQTT broker and it's clients to communicate over encrypted connections.
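Review bot: the unchanged first paragraph of this hunk still carries two grammar slips that the heading edit could have fixed in the same pass: "allow Mosquitto MQTT broker and it's clients" should read "allows the Mosquitto MQTT broker and its clients". The new heading also reads awkwardly; "Add certificates for secure connections to the Mosquitto MQTT broker" says the same thing more plainly.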
Line 11: Line 11:
 openssl genrsa -des3 -out ca.key 2048 openssl genrsa -des3 -out ca.key 2048
 </code> </code>
 +Add a secret passphrase and store in a secure location. 
  
-===Create a certificate for the CA=== +===Create a certificate for the CA key===
 <code> <code>
 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
 </code> </code>
 +
 Answer the questions at the prompt. Answer the questions at the prompt.
 Example: Example:
 <code> <code>
-Country Name (2 letter code) [AU]:[Your country code]+Country Name (2 letter code) [AU]:SE
 State or Province Name (full name) [Some-State]:. State or Province Name (full name) [Some-State]:.
 Locality Name (eg, city) []:. Locality Name (eg, city) []:.
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:[Your company name]+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab
 Organizational Unit Name (eg, section) []:. Organizational Unit Name (eg, section) []:.
-Common Name (e.g. server FQDN or YOUR name) []:[Your server name]+Common Name (e.g. server FQDN or YOUR name) []:Pixilab CA
 Email Address []:. Email Address []:.
  
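Review bot: the added line "Add a secret passphrase and store in a secure location." should say what the passphrase protects and when it is needed again: it is the -des3 passphrase on ca.key, and every later command that uses the CA key (the signing step further down) will prompt for it; also "store it in a secure location". Replacing the bracketed placeholders with concrete answers (SE, Pixilab, "Pixilab CA") is an improvement, but the text should state why the Common Name here is "Pixilab CA" rather than the server name: the CA certificate and the server certificate must have different subjects, otherwise clients cannot distinguish them and fail chain validation with hard-to-diagnose errors (Mosquitto's own TLS documentation warns about this), so a reader substituting their own values must not reuse the name they will give the server in the later request.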
Line 36: Line 37:
 Adjust the -days parameter  to suit you needs in the next command.(valid 10 years in the example) Adjust the -days parameter  to suit you needs in the next command.(valid 10 years in the example)
  
-===Create a certificate request===+===Create a new  certificate request=== 
 +<code> 
 +openssl req -new -out server.csr -key server.key 
 +</code> 
 + 
 +Answer the questions.  
 + 
 +Example: 
 +<code> 
 +Country Name (2 letter code) [AU]:SE 
 +State or Province Name (full name) [Some-State]:
 +Locality Name (eg, city) []:. 
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pixilab 
 +Organizational Unit Name (eg, section) []:. 
 +Common Name (e.g. server FQDN or YOUR name) []:MQTTServer 
 +Email Address []:. 
 +</code> 
 +The two last questions can be ignored, just hit enter. 
 +<code> 
 +Please enter the following 'extra' attributes 
 +to be sent with your certificate request 
 +A challenge password []: 
 +An optional company name []: 
 +</code> 
 +===Verify and sign the request===
 <code> <code>
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600
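Review bot: the new certificate-request example is inconsistent with the CA example above it in the "State or Province Name" line, which is left blank here but answered with "." for the CA; pressing enter accepts the default "Some-State" whereas "." clears the field, so pick one and use it in both. The Common Name "MQTTServer" should be explained rather than shown as a bare value: it has to be the hostname that clients use to connect, or clients that verify the server certificate will reject the connection. The signing command's `-days 3600` also does not match the unchanged sentence above it that says "valid 10 years in the example"; 3650 days is 10 years, so align the value or the comment. Minor: the heading "Create a new  certificate request" has a double space.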
Line 42: Line 67:
  
 ===Copy the certificates to Mosquitto=== ===Copy the certificates to Mosquitto===
 +
 +We may have to change user to a super user. I.e
 +<code>su pixi-admin</code>
  
 <code> <code>
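Review bot: "We may have to change user to a super user. I.e `su pixi-admin`" is misleading: `su pixi-admin` switches to the account pixi-admin, which is only privileged if that account has been set up that way, and "I.e" should be "e.g." in a full sentence. State what is actually required: write access to /etc/mosquitto (the password_file path in the next hunk shows that is where the configuration lives) and, for the copied server.key, read access for the user the broker runs as while keeping the file unreadable by everyone else. A line on setting the key file's ownership and mode belongs in this section.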
Line 68: Line 96:
 password_file /etc/mosquitto/conf.d/pixi-pwd password_file /etc/mosquitto/conf.d/pixi-pwd
 allow_anonymous false allow_anonymous false
-tls_version tlsv1.2+
  
 </code> </code>
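Review bot: removing `tls_version tlsv1.2` from the listener block silently changes the accepted protocol versions to whatever the installed Mosquitto and OpenSSL default to, and the diff gives no reason for the removal. If the line was dropped because the installed broker rejected the value, say so and add the equivalent setting for that version; otherwise keep it so the minimum TLS version is pinned explicitly rather than inherited. Either way the change deserves a sentence in the text, since the whole section is about making the connection secure.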
Line 75: Line 103:
 systemctl restart mosquitto systemctl restart mosquitto
 </code> </code>
 +
 +
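Review bot: this hunk only appends two empty lines after the restart command; a verification step would be more useful, since a wrong path or permission problem with the copied certificate files makes the broker fail to start. Suggest adding, after `systemctl restart mosquitto`, a check of `systemctl status mosquitto` (or the broker log) and a test subscription from a client that validates the chain against the CA, e.g. `mosquitto_sub --cafile ca.crt -h <broker hostname> -p <TLS listener port> -t test -u <user> -P <password>`, where the hostname must match the server certificate's Common Name.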