MQTT mosquitto - set up client for intermediate CA

Time:08-31

I have created CA, intermediate CA and certificates signed by intermediate CA by these commands:

CA:
openssl req -new -newkey rsa:4096 -days 365 -extensions v3_ca -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=ca/" -nodes -x509 -sha256 -set_serial 0 -keyout ca.key -out ca.crt

Intermediate CA:
openssl genrsa -out subca.key 4096
openssl req -new -key subca.key -out subca.csr
openssl x509 -req -days 365 -in subca.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out subca.crt -extfile openssl.cfg -extensions v3_ca

Server:
openssl req -newkey rsa:4096 -nodes -keyout server.key -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=server/" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=IP:177.18.0.1") -days 365 -in server.csr -CA subca.crt -CAkey subca.key -CAcreateserial -out server.crt

Client:
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=client/" -out client.csr
openssl x509 -req -in client.csr -CA subca.crt -CAkey subca.key -CAcreateserial -out client.crt -days 365

When I verify the server or client certificate, everything seems good. The verify command I use:

openssl verify -verbose -CAfile <(cat subca.crt ca.crt) server.crt

I wanted to connect to mosquitto with TLS/SSL support using these certificates. I set up the mosquitto configuration like this:

listener 1883
require_certificate false
allow_anonymous true

listener 8883

capath /mosquitto/config/certs/ca/
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key

require_certificate true
allow_anonymous true
use_identity_as_username true

But when I want to connect with my client, I do not know how to set the function tls_set() for an intermediate CA. Can you help me set up this function? When I look at the official documentation https://www.eclipse.org/paho/index.php?page=clients/python/docs/index.php#option-functions for the function tls_set(), there is a sentence that says:

"ca_certs = a string path to the Certificate Authority certificate files that are to be treated as trusted by this client."

But I don't know how to put more certificates there, and I cannot put a directory there.

I know how to do it for a root CA and a certificate signed by this CA.

CodePudding user response:

You need to create a single file that contains all the CA certificates, much in the same way you used cat subca.crt ca.crt to pass in a "single" file to the openssl verify command.

So cat subca.crt ca.crt > ca-chain.crt (order is important)

And then pass the path to that file in the client.

p.s. You probably want per_listener_settings true if you are going to require different authentication options per listener, and require_certificate false on the first listener is not doing anything, in much the same way that allow_anonymous true for the second listener doesn't do anything useful if you are requiring a client certificate.

CodePudding user response:

hardillb suggested that I use this for the client:

cat subca.crt ca.crt > ca-chain.crt (order is important)

When I used it only for the client it still did not work, but as soon as I also used the file ca-chain.crt for the server, it worked.

So change the line capath /mosquitto/config/certs/ca/ in the mosquitto configuration and use cafile /mosquitto/config/test/ca-chain.pem instead.
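The client side of the answers above, as an added example that is not code from the question or from Paho: it builds ca-chain.crt in the same order as `cat subca.crt ca.crt` (refusing to copy anything that is not a certificate into the trust file) and passes that single file to tls_set() together with the client certificate. It assumes the file names from the question, that paho-mqtt is installed for make_client(), and the broker IP 177.18.0.1 from the server certificate's subjectAltName.

```python
import re
import ssl
from pathlib import Path

# One PEM block; group 1 is its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----\n?", re.S)


def build_ca_chain(pem_texts):
    """Join PEM certificates into one trust-file body, keeping the given order.

    Order mirrors `cat subca.crt ca.crt`: intermediate first, root last.
    Any block that is not a CERTIFICATE (for example a private key pasted in
    by mistake) is rejected, so a key can never end up in the trust file.
    """
    blocks = []
    for text in pem_texts:
        found = list(PEM_BLOCK.finditer(text))
        if not found:
            raise ValueError("no PEM block found in input")
        for m in found:
            if m.group(1) != "CERTIFICATE":
                raise ValueError(f"refusing to put a {m.group(1)} block into the trust file")
            blocks.append(m.group(0).strip() + "\n")
    return "".join(blocks)


def write_ca_chain(out_path, *cert_paths):
    """Write the chain file from the certificate files given in chain order."""
    Path(out_path).write_text(build_ca_chain([Path(p).read_text() for p in cert_paths]))
    return out_path


def make_client(chain_path, certfile, keyfile):
    """Paho client that trusts the whole chain and presents the client cert.

    ca_certs takes exactly one file, which is why the intermediate and root
    CA are concatenated above. The question's client.key was created with
    -des3, so it is passphrase-protected: decrypt it first
    (openssl rsa -in client.key -out client-plain.key) or supply the passphrase.
    """
    import paho.mqtt.client as mqtt  # assumption: paho-mqtt installed
    client = mqtt.Client(client_id="client")
    client.tls_set(ca_certs=chain_path, certfile=certfile, keyfile=keyfile,
                   cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLS)
    return client


if __name__ == "__main__":
    chain = write_ca_chain("ca-chain.crt", "subca.crt", "ca.crt")
    make_client(chain, "client.crt", "client.key").connect("177.18.0.1", 8883)
```

The same ca-chain.crt is what the broker's cafile setting should point at, so that mosquitto can also build the full chain when it verifies the client certificate.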
