MQTT Server
- Install
sudo apt-get install mosquitto
- Certificates for Server and Client
Step 1: Create a Certificate Authority (CA):
a. Generate a private key for the CA:
$ openssl genpkey -algorithm RSA -out ca.key
b. Create a self-signed certificate for the CA:
$ openssl req -x509 -new -key ca.key -out ca.crt
Step 2: Create Server Certificate and Key
a. Generate a private key for the server:
$ openssl genpkey -algorithm RSA -out server.key
b. Create a Certificate Signing Request (CSR) for the server:
$ openssl req -new -key server.key -out server.csr
Common Name (CN) Matching:
Make sure that the Common Name (CN) in the server certificate matches the hostname or IP address used to connect to the MQTT broker.
If you are connecting to 127.0.0.1, the CN should be set to 127.0.0.1 in the server certificate.
c. Sign the server CSR with the CA:
$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Step 3: Create Client Certificate and Key
a. Generate a private key for the client:
$ openssl genpkey -algorithm RSA -out client.key
b. Create a Certificate Signing Request (CSR) for the client:
$ openssl req -new -key client.key -out client.csr
c. Sign the client CSR with the CA:
$ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
$ tree
├── ca.crt
├── ca.key
├── client.crt
├── client.csr
├── client.key
├── server.crt
├── server.csr
└── server.key
$ chmod 644 *.crt *.key *.csr
$ sudo cp ca.* server.* /etc/mosquitto/certs/
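The Step 1 to Step 3 commands above, as an added shell example that is not from the original post: it runs them non-interactively with -subj, gives the server certificate a subjectAltName for 127.0.0.1 (current TLS clients match the address against the SAN, and some ignore the CN entirely), states the CA's basicConstraints explicitly instead of relying on openssl.cnf, and keeps the private keys owner-only. All subject names and the extension files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: run Steps 1-3 non-interactively,
# put a subjectAltName for 127.0.0.1 on the server certificate, and check it.
set -eu

# Build the demo PKI under directory $1. Subject names are constructed values.
gen_demo_pki() {
    d="$1"
    mkdir -p "$d"
    # Step 1: CA key and self-signed CA certificate. Signing a CSR with -extfile
    # keeps the CA extensions explicit instead of relying on openssl.cnf defaults.
    openssl genpkey -algorithm RSA -out "$d/ca.key"
    openssl req -new -key "$d/ca.key" -subj "/CN=demo-mqtt-ca" -out "$d/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/ca.crt"
    # Step 2: server key, CSR and CA-signed certificate. Modern TLS stacks match
    # the connecting address against the SAN, some ignoring the CN entirely.
    openssl genpkey -algorithm RSA -out "$d/server.key"
    openssl req -new -key "$d/server.key" -subj "/CN=127.0.0.1" -out "$d/server.csr"
    printf 'subjectAltName=IP:127.0.0.1,DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/server.ext" -out "$d/server.crt"
    # Step 3: client key, CSR and CA-signed certificate limited to client use
    openssl genpkey -algorithm RSA -out "$d/client.key"
    openssl req -new -key "$d/client.key" -subj "/CN=demo-client" -out "$d/client.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/client.ext" -out "$d/client.crt"
    # Private keys are secrets: owner-only, rather than chmod 644 on every file
    chmod 600 "$d"/*.key
    chmod 644 "$d"/*.crt
}

# Succeed only if both leaf certificates chain to this CA and the server
# certificate carries the 127.0.0.1 SAN that hostname verification looks for.
verify_demo_pki() {
    d="$1"
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" >/dev/null &&
    openssl x509 -in "$d/server.crt" -noout -text | grep -q 'IP Address:127.0.0.1'
}

# Stand-alone run: build into a temporary directory and report its location
out="$(mktemp -d)"
gen_demo_pki "$out"
verify_demo_pki "$out" && echo "demo PKI ready in $out"
```

Copying the resulting ca.crt, server.crt and server.key into /etc/mosquitto/certs/ fits the listener configuration that follows. To make the broker insist on a CA-signed client certificate rather than merely accept one, set require_certificate true in that configuration.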
ref:
1. ChatGPT 3.5
2. 如何自动创建Mosquitto的TLS证书? (How to automatically create TLS certificates for Mosquitto?)
3. https://segmentfault.com/a/1190000014250065
- Configuration
sudo vim /etc/mosquitto/conf.d/default.conf (I created default.conf myself)
listener 8883
protocol mqtt
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous true
require_certificate false
#tls_version tlsv1.2
log_type debug
- Start Server
$ sudo systemctl stop mosquitto.service
$ mosquitto -c /etc/mosquitto/conf.d/default.conf -v    # verbose output, easier to debug
or
$ sudo systemctl restart mosquitto.service
MQTT Publish/Subscribe for client
- Test
$ mosquitto_sub -h 127.0.0.1 -p 8883 -t 'test/topic' --cafile ./ca.crt --cert ./client.crt --key ./client.key -q 1
$ mosquitto_pub -h 127.0.0.1 -p 8883 -t 'test/topic' -m hello_world --cafile ./ca.crt --cert ./client.crt --key ./client.key -q 1
or
$ mosquitto_sub -h 127.0.0.1 -p 8883 -t 'test/topic' --cafile ./ca.crt -q 1
$ mosquitto_pub -h 127.0.0.1 -p 8883 -t 'test/topic' -m hello_world --cafile ./ca.crt -q 1
Convert PEM to DER (not yet tried on the EXS82-W; it cannot connect to the LAN...)
$ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 364 -out client.der -outform DER
(Signing with -CA/-CAkey issues the DER certificate from the CA; using -signkey ca.key instead would produce a self-signed certificate whose issuer is the client's own subject, which the broker could not chain to ca.crt.)