Generate certificate
#!/bin/sh
#
#  * Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#  * Neither the name of the axTLS project nor the names of its
#    contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Generate the certificates and keys for testing.
#

PROJECT_NAME="TLS PROJECT"

# Generate the openssl configuration files (one per subject: CA, server, client).
cat > ca_cert.conf << EOF
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME Dodgy Certificate Authority
EOF

cat > server_cert.conf << EOF
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME
 CN                     = 192.168.111.100
EOF

cat > client_cert.conf << EOF
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME Device Certificate
 CN                     = 192.168.111.101
EOF

mkdir ca
mkdir server
mkdir client
mkdir certDER

# private key generation
openssl genrsa -out ca.key 1024
openssl genrsa -out server.key 1024
openssl genrsa -out client.key 1024

# cert requests
openssl req -out ca.req -key ca.key -new \
            -config ./ca_cert.conf
openssl req -out server.req -key server.key -new \
            -config ./server_cert.conf
openssl req -out client.req -key client.key -new \
            -config ./client_cert.conf

# generate the actual certs.
# (the -days value of the server and client certs was lost on the page;
#  5000 is assumed here to match the self-signed CA cert above)
openssl x509 -req -in ca.req -out ca.crt \
            -sha1 -days 5000 -signkey ca.key
openssl x509 -req -in server.req -out server.crt \
            -sha1 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key
openssl x509 -req -in client.req -out client.crt \
            -sha1 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key

# DER copies of the three certificates
openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in server.crt -outform DER -out server.der
openssl x509 -in client.crt -outform DER -out client.der

mv ca.crt ca.key ca/
mv server.crt server.key server/
mv client.crt client.key client/
mv ca.der server.der client.der certDER/

rm *.conf
rm *.req
rm *.srl
Save the above code as makefile.sh, make it executable and run it in a terminal.
CA certificate verification test
Run the following checks to verify that the server and client certificates chain to the CA:
$ openssl verify -CAfile ca/ca.crt server/server.crt
$ openssl verify -CAfile ca/ca.crt client/client.crt
The results are as follows:
Configure one-way/two-way authentication
Step 1. Open the configuration file:
sudo vim /etc/mosquitto/mosquitto.conf
Step 2. Locate the "Default listener" section, and under it find the "Certificate based SSL/TLS support" section. Configure it as follows:
port 8883
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key
require_certificate true
use_identity_as_username true
Set the certificate file paths according to your own layout; here the files are placed under /etc/mosquitto/ca/.
Attention!!!
Depending on whether you want one-way or two-way authentication, the fields that may need to be changed are:
a) port 8883
   The MQTT server listens on this port.
b) cafile /etc/mosquitto/ca/ca.crt
   Two-way authentication: must be set to your CA certificate.
   One-way authentication (taken here, and below, to mean that the client verifies the server certificate): optional.
   In one-way authentication the server and client CA configuration must be consistent: if the server configures ca.crt, the client must also be configured with ca.crt; if the server does not configure ca.crt, the client must not configure ca.crt either.
   The path must be an absolute path!!!
c) certfile /etc/mosquitto/ca/server/server.crt
   One-way and two-way authentication: must be set to your server certificate.
d) keyfile /etc/mosquitto/ca/server/server.key
   One-way and two-way authentication: must be set to your server private key.
e) require_certificate true
   One-way authentication: set to false or comment out this line; the default is false.
   Two-way authentication: must be set to true.
f) use_identity_as_username true
   One-way authentication: set to false or comment out this line; the default is false.
   Two-way authentication: usually set to true.
As can be seen from the above, the difference between two-way and one-way authentication is that, in addition to the CA certificate and the server certificate and private key that one-way SSL authentication already requires, two-way authentication also needs the following two switches turned on:
require_certificate true
use_identity_as_username true
Restart the service
mosquitto -c /etc/mosquitto/mosquitto.conf
If it reports that the port is already in use, find the running mosquitto process with ps first, then kill it:
ps -aux | grep "mosquitto"
kill -9 XXXXX
Switching between one-way and two-way authentication
One-way authentication only requires commenting out two lines:
#require_certificate true
#use_identity_as_username true
The result is:
port 8883
cafile /etc/mosquitto/ca/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key
Enabling one-way authentication at the same time
Step 1. First, leave /etc/mosquitto/mosquitto.conf configured for two-way authentication on the default listener as above, then find the "Extra listeners" section and configure it as follows to open another port for one-way authentication.
Step 2. Then locate the "Certificate based SSL/TLS support" section under that section and fill in the certificate fields for the new listener.
Step 3. Restart the service:
mosquitto -c /etc/mosquitto/mosquitto.conf
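The field rules above (cafile, certfile, keyfile, require_certificate, use_identity_as_username, absolute paths) and the two-listener layout of this section can be checked mechanically. The following auditor is an added example, not code from the original post or from the Mosquitto project: it parses the listener stanzas of a mosquitto.conf and reports, per listener, whether it is one-way or two-way TLS and which of the page's rules it breaks. The embedded sample config is constructed for the example (a two-way listener on 8883 and a one-way listener on 8884, with the paths this page uses); the parser assumes only that a "port" or "listener" line starts a new listener stanza and that the options following it belong to that listener, which is how mosquitto.conf is structured. One caveat the page does not state: Mosquitto's own documentation requires at least one of cafile or capath for any certificate-based TLS listener, so treat cafile as required in practice even for one-way listeners, and note that the "port" directive is the older form of "listener".

```python
"""Audit the TLS listeners of a mosquitto.conf against the rules on this page.

Added example (not part of the original post). The sample config and its
paths are constructed; the page's 8883 two-way and 8884 one-way listeners
are mirrored so the audit has something realistic to run on.
"""
from dataclasses import dataclass, field

# Constructed sample: default listener with two-way TLS, extra listener with one-way TLS.
SAMPLE_CONF = """\
# Default listener
port 8883
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key
require_certificate true
use_identity_as_username true

# Extra listener for one-way authentication
listener 8884
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key
require_certificate false
"""


@dataclass
class Listener:
    port: int
    options: dict = field(default_factory=dict)


def parse_listeners(text):
    """Split a mosquitto.conf into per-listener option maps.

    'port N' starts the default listener and 'listener N [bind]' starts an
    extra one; every option after such a line belongs to that listener.
    Comments and blank lines are ignored.
    """
    listeners = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in ("port", "listener"):
            current = Listener(int(value.split()[0]))
            listeners.append(current)
        elif current is not None:
            current.options[key] = value
    return listeners


def _is_true(value):
    return value.lower() == "true"


def audit_listener(lst):
    """Return (mode, findings) for one listener.

    mode is 'two-way', 'one-way' or 'plaintext'. findings lists violations of
    the page's rules: certfile and keyfile are needed for any TLS listener,
    cafile is needed when require_certificate is true, all paths must be
    absolute, and use_identity_as_username makes sense only with
    require_certificate.
    """
    o = lst.options
    findings = []
    if "certfile" not in o and "keyfile" not in o:
        return "plaintext", findings
    mutual = _is_true(o.get("require_certificate", "false"))
    for key in ("certfile", "keyfile"):
        if key not in o:
            findings.append(f"{key} missing")
    if mutual and "cafile" not in o:
        findings.append("cafile missing but require_certificate is true")
    for key in ("cafile", "certfile", "keyfile"):
        if key in o and not o[key].startswith("/"):
            findings.append(f"{key} is not an absolute path: {o[key]}")
    if _is_true(o.get("use_identity_as_username", "false")) and not mutual:
        findings.append("use_identity_as_username true without require_certificate")
    return ("two-way" if mutual else "one-way"), findings


def audit(text):
    """Map each listener port to its (mode, findings) pair."""
    return {lst.port: audit_listener(lst) for lst in parse_listeners(text)}


if __name__ == "__main__":
    for port, (mode, findings) in audit(SAMPLE_CONF).items():
        print(f"listener {port}: {mode}", *findings, sep="\n  ")
```

Run it against a real file with `audit(open("/etc/mosquitto/mosquitto.conf").read())`; a listener whose client certificates are meant to be mapped to usernames but that comes back as "one-way" is exactly the misconfiguration the "switching" section above warns about, since use_identity_as_username does nothing unless require_certificate is true.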
Verify
Step 1. Go to the directory containing the generated certificates (the ca/, server/ and client/ subdirectories):
Step 2. Two-way:
Terminal 1: subscribe
mosquitto_sub -h 10.30.11.47 -p 8883 -t "mqtt/server/topic" --cafile ./ca/ca.crt --cert ./client/client.crt --key ./client/client.key &
Terminal 2: publish
mosquitto_pub -h 10.30.11.47 -p 8883 -t "mqtt/server/topic" -m "hello,world!" --cafile ./ca/ca.crt --cert ./server/server.crt --key ./server/server.key
Step 3. One-way:
Terminal 1: subscribe
mosquitto_sub -h 10.30.11.47 -p 8884 -t "mqtt/server/topic" --cafile ./ca/ca.crt &
Terminal 2: publish
mosquitto_pub -h 10.30.11.47 -p 8884 -t "mqtt/server/topic" -m "hello,world!" --cafile ./ca/ca.crt
Mosquitto: SSL/TLS one-way authentication + two-way authentication