= Using mTLS in Mosquitto

Create a self-signed CA certificate. The `basicConstraints` and `keyUsage` extensions mark it as a CA that may only sign certificates and CRLs, not act as a TLS endpoint itself.

----
$ openssl req -new -x509 -newkey rsa:4096 -nodes -keyout ca-key.pem -out ca-cert.pem \
    -days 365 -subj "/CN=My-CA" -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign"
----

Use it to sign a certificate you create for the broker. The `subjectAltName` must contain the host name or IP address that clients will use to reach the broker; TLS clients match the name against the SAN, not against the CN. `-copy_extensions copyall` carries the extensions from the CSR into the certificate and requires OpenSSL 3.0 or later; on older versions pass the extensions to `openssl x509` with `-extfile` instead.

----
$ openssl genrsa -out server-key.pem 2048
$ openssl req -new -key server-key.pem -out request.pem -subj "/CN=localhost" \
    -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1' \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth"
$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
    -set_serial 01 -out server-cert.pem -copy_extensions copyall
$ rm request.pem
----

Use it to sign a certificate you create for the client. The CN (`thomas`) is the identity the broker will later use as the username, and `extendedKeyUsage=clientAuth` is what allows the broker to accept it as a client certificate. Every certificate issued by one CA must have a unique serial number, so the client certificate gets `02` rather than `01` again (alternatively let OpenSSL track serials with `-CAserial ca.srl -CAcreateserial`).

----
$ openssl genrsa -out client-key.pem 2048
$ openssl req -new -key client-key.pem -out request.pem -subj "/CN=thomas" \
    -addext "keyUsage=digitalSignature" \
    -addext "extendedKeyUsage=clientAuth"
$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
    -set_serial 02 -out client-cert.pem -copy_extensions copyall
$ rm request.pem
----

Use these files to configure an additional listener on port 8883 in Mosquitto (`certfile`, `keyfile`). `require_certificate true` together with `cafile` makes the broker demand a client certificate during the TLS handshake and accept only certificates that chain to `ca-cert.pem`. `allow_anonymous` controls whether clients may connect without a username; because the two listeners are configured differently, and so that `password_file` and `acl_file` apply only to the listener they are placed under, `per_listener_settings true` is required at the top of the file.

----
per_listener_settings true

listener 1883
allow_anonymous true
password_file /mosquitto/config/users.txt
acl_file /mosquitto/config/acl.txt

listener 8883
allow_anonymous true
certfile /mosquitto/config/server-cert.pem
keyfile /mosquitto/config/server-key.pem
require_certificate true
cafile /mosquitto/config/ca-cert.pem
----

With `allow_anonymous true` on port 8883, any holder of a certificate issued by `My-CA` can connect, but does so without a username, so only the anonymous ACL rules apply; the last step below fixes that. Save this configuration as `mosquitto.conf` next to the PEM files in `./config` and start the broker (the image reads `/mosquitto/config/mosquitto.conf`).

----
$ docker run --rm -it --init --net host -v $PWD/config:/mosquitto/config eclipse-mosquitto
----

Configure the CA and client certificate in the client and connect to Mosquitto via mTLS. The client verifies the broker certificate against `--cafile`, and the broker verifies `--cert` against its `cafile`; the host the client connects to (`localhost` by default) must match the broker certificate's `subjectAltName`.

----
$ docker run --rm -it --init --net host -v $PWD/config:/data eclipse-mosquitto \
    mosquitto_pub --port 8883 -V 5 --qos 1 --topic freeforall --message "this is secure" \
    --cafile /data/ca-cert.pem --cert /data/client-cert.pem \
    --key /data/client-key.pem --debug
----

Extend the configuration with `use_identity_as_username true`. The broker then takes the CN of the client certificate (`thomas`) as the MQTT username and skips the password check for this listener (`password_file` is not consulted), so authentication rests entirely on the certificate chain, and `allow_anonymous false` rejects anything that does not present a valid certificate. Authorization still comes from the ACL: with `per_listener_settings true` the `acl_file` has to be listed under the 8883 listener as well, otherwise `thomas` has unrestricted access to every topic.

----
per_listener_settings true

listener 1883
allow_anonymous true
password_file /mosquitto/config/users.txt
acl_file /mosquitto/config/acl.txt

listener 8883
allow_anonymous false
use_identity_as_username true
acl_file /mosquitto/config/acl.txt
certfile /mosquitto/config/server-cert.pem
keyfile /mosquitto/config/server-key.pem
require_certificate true
cafile /mosquitto/config/ca-cert.pem
----