Add labs

2026-02-03 22:29:46 +01:00
commit 8fdf5827e4
156 changed files with 23069 additions and 0 deletions
--- a/04-mosquitto/lab08/lab.txt
+++ b/04-mosquitto/lab08/lab.txt
@ -0,0 +1,76 @@
+= Verwendung mTLS in Mosquitto
+
+
+Erstellen Sie ein self-signed (CA) Zertifikat.
+
+
+$ openssl req -new -x509 -newkey rsa:4096 -nodes -keyout ca-key.pem -out ca-cert.pem \
+ -days 365 -subj "/CN=My-CA" -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign" 
+
+
+Signieren Sie damit ein selbst erstelltes Zertifikat für den Broker.
+
+$ openssl genrsa -out server-key.pem 2048
+$ openssl req -new -key server-key.pem -out request.pem -subj "/CN=localhost" \
+  -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1' \
+  -addext "keyUsage=digitalSignature,keyEncipherment" \
+  -addext "extendedKeyUsage=serverAuth"
+
+$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
+ -set_serial 01 -out server-cert.pem -copy_extensions copyall
+$ rm request.pem
+
+
+Signieren Sie damit ein selbst erstelltes Zertifikat für den Client.
+
+$ openssl genrsa -out client-key.pem 2048
+$ openssl req -new -key client-key.pem -out request.pem -subj "/CN=thomas" \
+  -addext "keyUsage=digitalSignature" \
+  -addext "extendedKeyUsage=clientAuth"
+$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
+ -set_serial 01 -out client-cert.pem -copy_extensions copyall
+$ rm request.pem
+
+
+Konfigurieren Sie damit einen zusätzlichen Listener in Mosquitto (`certfile`, `keyfile`) Port 8883
+
+
+listener 1883
+listener_allow_anonymous true
+password_file /mosquitto/config/users.txt
+acl_file /mosquitto/config/acl.txt
+
+listener 8883
+listener_allow_anonymous true
+certfile /mosquitto/config/server-cert.pem
+keyfile /mosquitto/config/server-key.pem
+require_certificate true
+cafile /mosquitto/config/ca-cert.pem
+
+
+$ docker run --rm -it --init --net host -v $PWD/config:/mosquitto/config eclipse-mosquitto
+
+
+Konfigurieren Sie das CA und Client Zertifikat im Client und greifen per mTLS auf Mosquitto zu.
+
+$ docker run --rm -it --init --net host -v $PWD/config:/data eclipse-mosquitto \
+ mosquitto_pub --port 8883 -V 5 --qos 1 --topic freeforall --message "this is secure"  \
+ --cafile /data/ca-cert.pem --cert /data/client-cert.pem \
+ --key /data/client-key.pem --debug
+
+
+Erweitern Sie die Konfiguration mit `use_identity_as_username true`
+
+listener 1883
+listener_allow_anonymous true
+password_file /mosquitto/config/users.txt
+acl_file /mosquitto/config/acl.txt
+
+listener 8883
+listener_allow_anonymous false
+use_identity_as_username true
+certfile /mosquitto/config/server-cert.pem
+keyfile /mosquitto/config/server-key.pem
+require_certificate true
+cafile /mosquitto/config/ca-cert.pem