Note: when entering the country, organisation etc. in the form, don't use exactly the same information for the CA and the server certificate, as it causes problems.

Here is a screenshot of a comment from a reader that brought it to my attention:

Note: this was done on a Windows XP machine. The same commands and procedures apply to Linux, but the folder locations will be different and you may need to change permissions, as well as using the sudo command.

Step 1:

Command is: openssl genrsa -des3 -out ca.key 2048

Note: it is OK to create a password-protected key for the CA.

Now create a certificate for the CA using the CA key that we created in step 1.

Command is: openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

Now we create a server key pair that will be used by the broker.

Command is: openssl genrsa -out server.key 2048

When filling out the form, the common name is important and is usually the domain name of the server.

Because I'm using Windows on a local network, I used the Windows name for the computer that is running the Mosquitto broker, which is ws4. You could use the IP address or full domain name. You must use the same name when configuring the client connection.

Command is: openssl req -new -out server.csr -key server.key

Step 5:

Note: We don't send this to the CA, as we are the CA.

Now we use the CA key to verify and sign the server certificate.

Important note, Jan 2023: Due to problems with browsers requiring a SAN, the command is now:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360 -extfile filename

Step 6:

Note: scripts have also been updated; see note at end.

This is what the directory looks like now:

Note: We don't need to copy the ca.key file. This file is used when creating new server or client certificates.

Step 7:

Copy the files ca.crt, server.crt and server.key to a folder under the mosquitto folder. On Linux you should already have a ca_certificates folder under /etc/mosquitto/ and also a certs folder. Use the ca_certificates folder for the CA certificate and the certs folder for the server certificate and key.

Step 8:

Copy the CA certificate file ca.crt to the client.

I've used the default listener, but you could also add an extra listener. The ca path is not used, as I told it the file location instead.
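Steps 1 to 5 as one non-interactive script, with the SAN supplied through -extfile and a check that the signed certificate verifies against the CA for the broker name. This is an added example, not the author's updated script; the subject fields, the file name server.ext, the CA_PASS environment variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: steps 1-5 run non-interactively.
# Assumed here: the subject fields, the file name server.ext, and passing
# the CA key passphrase through the CA_PASS environment variable.

# san_kind NAME: print "IP" for a dotted IPv4 address, otherwise "DNS".
san_kind() {
    case "$1" in
        *[!0-9.]*) echo DNS ;;
        *)         echo IP ;;
    esac
}

# make_certs DIR NAME: NAME is what clients connect to (host name or IPv4).
make_certs() {
    dir=$1 name=$2
    mkdir -p "$dir" && (
        cd "$dir" &&
        # Steps 1-2: password-protected CA key, self-signed CA certificate.
        openssl genrsa -des3 -passout env:CA_PASS -out ca.key 2048 &&
        openssl req -new -x509 -days 1826 -key ca.key -passin env:CA_PASS \
            -out ca.crt -subj "/O=Example Home CA/CN=Example Home CA" &&
        # Steps 3-4: broker key and CSR; the subject differs from the CA's.
        openssl genrsa -out server.key 2048 &&
        openssl req -new -out server.csr -key server.key \
            -subj "/O=Example Broker/CN=$name" &&
        # Step 5: sign the CSR, adding the SAN through -extfile.
        printf 'subjectAltName = %s:%s\n' "$(san_kind "$name")" "$name" \
            > server.ext &&
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -passin env:CA_PASS -CAcreateserial -out server.crt -days 360 \
            -extfile server.ext &&
        chmod 600 ca.key server.key
    )
}

# check_certs DIR NAME: succeeds only if server.crt chains to ca.crt and
# its SAN covers NAME, which is what a TLS client will test.
check_certs() {
    if [ "$(san_kind "$2")" = IP ]; then opt=-verify_ip; else opt=-verify_hostname; fi
    openssl verify -CAfile "$1/ca.crt" "$opt" "$2" "$1/server.crt" >/dev/null
}

# Usage: CA_PASS=... sh thisfile DIR NAME
[ "$#" -ne 2 ] || { make_certs "$1" "$2" && check_certs "$1" "$2"; }
```

A failing check_certs for the name a client is configured with means the client's TLS handshake would be rejected for the same reason, so it is worth running before copying files to the broker.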