trainer/labs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
labs/04-mosquitto/lab08/lab.txt
Thomas Kruse 8fdf5827e4 Add labs
2026-02-03 22:29:46 +01:00

77 lines
2.5 KiB
Plaintext
Raw Permalink Blame History

= Verwendung mTLS in Mosquitto
Erstellen Sie ein self-signed (CA) Zertifikat.
$ openssl req -new -x509 -newkey rsa:4096 -nodes -keyout ca-key.pem -out ca-cert.pem \
-days 365 -subj "/CN=My-CA" -addext "basicConstraints=critical,CA:TRUE" \
-addext "keyUsage=critical,keyCertSign,cRLSign"
Signieren Sie damit ein selbst erstelltes Zertifikat für den Broker.
$ openssl genrsa -out server-key.pem 2048
$ openssl req -new -key server-key.pem -out request.pem -subj "/CN=localhost" \
-addext 'subjectAltName=DNS:localhost,IP:127.0.0.1' \
-addext "keyUsage=digitalSignature,keyEncipherment" \
-addext "extendedKeyUsage=serverAuth"
$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
-set_serial 01 -out server-cert.pem -copy_extensions copyall
$ rm request.pem
Signieren Sie damit ein selbst erstelltes Zertifikat für den Client.
$ openssl genrsa -out client-key.pem 2048
$ openssl req -new -key client-key.pem -out request.pem -subj "/CN=thomas" \
-addext "keyUsage=digitalSignature" \
-addext "extendedKeyUsage=clientAuth"
$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
-set_serial 01 -out client-cert.pem -copy_extensions copyall
$ rm request.pem
Konfigurieren Sie damit einen zusätzlichen Listener in Mosquitto (`certfile`, `keyfile`) Port 8883
listener 1883
listener_allow_anonymous true
password_file /mosquitto/config/users.txt
acl_file /mosquitto/config/acl.txt
listener 8883
listener_allow_anonymous true
certfile /mosquitto/config/server-cert.pem
keyfile /mosquitto/config/server-key.pem
require_certificate true
cafile /mosquitto/config/ca-cert.pem
$ docker run --rm -it --init --net host -v $PWD/config:/mosquitto/config eclipse-mosquitto
Konfigurieren Sie das CA und Client Zertifikat im Client und greifen per mTLS auf Mosquitto zu.
$ docker run --rm -it --init --net host -v $PWD/config:/data eclipse-mosquitto \
mosquitto_pub --port 8883 -V 5 --qos 1 --topic freeforall --message "this is secure" \
--cafile /data/ca-cert.pem --cert /data/client-cert.pem \
--key /data/client-key.pem --debug
Erweitern Sie die Konfiguration mit `use_identity_as_username true`
listener 1883
listener_allow_anonymous true
password_file /mosquitto/config/users.txt
acl_file /mosquitto/config/acl.txt
listener 8883
listener_allow_anonymous false
use_identity_as_username true
certfile /mosquitto/config/server-cert.pem
keyfile /mosquitto/config/server-key.pem
require_certificate true
cafile /mosquitto/config/ca-cert.pem
Reference in New Issue View Git Blame Copy Permalink