mosquitto SSL configuration
Generating certificates
ca
- openssl genrsa -des3 -out ca.key 2048
# openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
......................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key: [enter a passphrase for the CA private key; it is needed again when signing]
Verifying - Enter pass phrase for ca.key: [repeat the CA private key passphrase]
- openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
# openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Enter pass phrase for ca.key: [enter the CA key passphrase, i.e. the one chosen above]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN [two-letter country code]
State or Province Name (full name) []:BeiJing [province; may be left blank]
Locality Name (eg, city) [Default City]:BeiJing [city; may be left blank]
Organization Name (eg, company) [Default Company Ltd]:company [organization or company that holds the certificate]
Organizational Unit Name (eg, section) []: [department of the certificate holder; may be left blank]
Common Name (eg, your name or your server's hostname) []: [domain name; this field must NOT be the same as in the server and client certificates]
Email Address []: [e-mail; may be left blank]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [custom password; may be left blank]
An optional company name []: [optional company name; may be left blank]
server
- openssl genrsa -out server.key 2048
- openssl req -new -out server.csr -key server.key (the prompts are the same as above)
- openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
client
- openssl genrsa -out client.key 2048
- openssl req -new -out client.csr -key client.key (the prompts are the same as above)
- openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360
All the commands together:
ca
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
server
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650
client
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
Verify
openssl verify -CAfile ca.crt server.crt
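The whole CA / server / client procedure above as one non-interactive script, added here as an example and not part of the original note. It assumes `openssl` is on PATH, uses the placeholder passphrase `changeit` for the CA key (passed with `-passout`/`-passin` instead of the interactive prompt) and the placeholder DN values from the prompts above, and encrypts the CA key with `-aes256` rather than `-des3`. It also adds one thing the note does not: a `subjectAltName` for the assumed broker hostname `broker.example.test`, so that a client connecting to that name can verify the broker certificate without the `--insecure` flag used in the test commands below (that flag turns off hostname checking, which is why it is needed when connecting to `127.0.0.1` with a certificate issued for a domain name). The final `verify_cert` call is the note's `openssl verify -CAfile ca.crt ...` step wrapped in a function.

```shell
#!/bin/sh
# Added example, not the original note's commands. Assumptions: openssl on
# PATH, CA passphrase "changeit" (placeholder), hostname broker.example.test.
set -eu

# Generate CA, server and client key pairs plus certificates into directory $1.
make_mqtt_certs() {
    dir=$1
    mkdir -p "$dir"
    ca_pass="pass:changeit"   # placeholder CA key passphrase

    # CA: encrypted private key and a self-signed certificate.
    # Its CN is deliberately different from the server and client CNs.
    openssl genrsa -aes256 -passout "$ca_pass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1826 -key "$dir/ca.key" -passin "$ca_pass" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=company/CN=Example MQTT CA" \
        -out "$dir/ca.crt"

    # Server: key, CSR, CA-signed certificate. The extension file adds a
    # subjectAltName so clients can check the broker hostname.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=company/CN=broker.example.test" \
        -out "$dir/server.csr"
    printf 'subjectAltName=DNS:broker.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -passin "$ca_pass" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" -days 360 2>/dev/null

    # Client: same flow; the CN identifies the device for mutual TLS.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=company/CN=mqtt-client-01" \
        -out "$dir/client.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -passin "$ca_pass" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/client.crt" -days 360 2>/dev/null
}

# Exit 0 if certificate $2 chains to CA certificate $1 (the note's verify step).
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if certificate $1 carries a DNS subjectAltName equal to $2.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone usage: sh make_certs.sh ./certs
if [ "${1:-}" != "" ]; then
    make_mqtt_certs "$1"
    verify_cert "$1/ca.crt" "$1/server.crt" && verify_cert "$1/ca.crt" "$1/client.crt" \
        && echo "certificates written to $1 and verified against ca.crt"
fi
```

With these files in place, the broker can be reached as `broker.example.test` (for a local test, via an `/etc/hosts` entry) and `mosquitto_sub`/`mosquitto_pub` can be run without `--insecure`, so the client actually checks that the certificate it receives belongs to the broker it intended to talk to.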
Append the following to the end of the configuration file
vim /etc/mosquitto/mosquitto.conf
port 8883
cafile /home/ubuntu/ca/ca.crt
certfile /home/ubuntu/ca/server.crt
keyfile /home/ubuntu/ca/server.key
# enable mutual (two-way) authentication
require_certificate true
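A fuller version of the same listener block, added here as an example rather than taken from the note or from the Mosquitto project. It keeps the note's file paths and `require_certificate true`, and adds the directives a hardened deployment would usually want; the `listener` line replaces `port`, which Mosquitto 2.x deprecates in favour of `listener`.

```conf
# Added example configuration (not the original note's). Paths as in the note.
listener 8883
cafile /home/ubuntu/ca/ca.crt
certfile /home/ubuntu/ca/server.crt
keyfile /home/ubuntu/ca/server.key

# Mutual TLS: reject any client that does not present a certificate signed by ca.crt
require_certificate true

# Take the client's identity from its certificate CN instead of -u/-P,
# so a leaked username/password alone is not enough to connect
use_identity_as_username true

# Refuse legacy protocol versions and anonymous connections
tls_version tlsv1.2
allow_anonymous false
```

With `use_identity_as_username true` the `-u root -P 123456` arguments in the test commands are no longer what identifies the client; the CN of `client.crt` (for example `mqtt-client-01`) is, and ACLs can be written against that name.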
Test
//start the broker
mosquitto -c /etc/mosquitto/mosquitto.conf
//subscribe
mosquitto_sub -h 127.0.0.1 -p 8883 -t "test" -u root -P 123456 --cafile /root/test/test2/ca.crt --cert /root/test/test2/client.crt --key /root/test/test2/client.key --insecure
//publish
mosquitto_pub -h 127.0.0.1 -p 8883 -t "test" -m 'nihaoa' -u root -P 123456 --cafile /root/test/test2/ca.crt --cert /root/test/test2/client.crt --key /root/test/test2/client.key --insecure