-
Reference articles
Enabling SSL/TLS secure connections on the EMQX MQTT broker | EMQ
Enabling mutual (two-way) SSL/TLS secure connections on EMQX | EMQ
Connecting to an MQTT+SSL server from Java - 简书 (Jianshu)
-
Bash script: generate a self-signed CA plus server and client keys and certificates
#!/bin/sh
rm -f ca.*
rm -f emqx.*
rm -f client.*
# Generate the self-signed CA key and certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem -subj "/C=CN/ST=Jiangsu/L=Suzhou/O=XXX/CN=SelfCA"
#openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem
# Generate the server key and certificate (the CSR takes its subject and SAN from openssl.cnf)
openssl genrsa -out emqx.key 2048
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
openssl x509 -req -in ./emqx.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf
# Generate the client key and certificate, signed by the same CA
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Jiangsu/L=Suzhou/O=XXX/CN=client"
openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem
-
openssl.cnf configuration file
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = Jiangsu
localityName = Suzhou
organizationName = XXX
commonName = Emqx
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.60.135
IP.2 = 127.0.0.1
#DNS.1 = BROKER_ADDRESS
-
Verify that the certificates chain to the CA
openssl verify -CAfile ca.pem emqx.pem
openssl verify -CAfile ca.pem client.pem
-
Copy the certificate files into the emqx\etc\certs directory (the default location) and edit the configuration file emqx.conf. Enabling and verifying the mutual SSL/TLS connection:
listener.ssl.external = 8883
listener.ssl.external.keyfile = etc/certs/emqx.key
listener.ssl.external.certfile = etc/certs/emqx.pem
listener.ssl.external.cacertfile = etc/certs/ca.pem
## Enable mutual authentication: require and verify the client certificate
listener.ssl.external.verify = verify_peer
listener.ssl.external.fail_if_no_peer_cert = true
- Connection test with MQTTX
- Connection test with MQTT.fx
- FAQ
1. Received fatal alert: protocol_version
JDK 1.8 opens TLSv1.2 by default when connecting to a remote server, but JDK 1.7 defaults to TLSv1. Request TLSv1.2 explicitly: SSLContext context = SSLContext.getInstance("TLSv1.2");
2. No subject alternative names present
Pass the openssl configuration file (the one containing the subjectAltName setting) when generating the server CSR and certificate.
3. Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the cert's list:
Add the broker's IP address to the [alt_names] section of the openssl configuration; several IPs can be listed.
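The two SAN-related FAQ items and the openssl verify step above can be checked before the certificate is ever copied into etc/certs. The script below is an added example, not part of the original post: it builds a throwaway CA and server certificate in a temporary directory with the same [v3_req]/[alt_names] layout as the page's openssl.cnf, then checks that the certificate chains to ca.pem and that every broker IP is present in subjectAltName. It assumes only that openssl is on PATH; the directory, IPs and function names are constructed for the example.

```shell
#!/bin/sh
set -eu

# gen_test_certs DIR IP... : write ca.pem/emqx.pem into DIR with the given IPs in SAN.
# The config written here mirrors the page's openssl.cnf (prompt = no, SAN from [alt_names]).
gen_test_certs() {
    dir=$1; shift
    mkdir -p "$dir"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Emqx\n'
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for ip in "$@"; do printf 'IP.%d = %s\n' "$i" "$ip"; i=$((i + 1)); done
    } > "$dir/openssl.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 365 \
        -config "$dir/openssl.cnf" -subj "/CN=SelfCA" -out "$dir/ca.pem" 2>/dev/null
    openssl genrsa -out "$dir/emqx.key" 2048 2>/dev/null
    openssl req -new -key "$dir/emqx.key" -config "$dir/openssl.cnf" -out "$dir/emqx.csr" 2>/dev/null
    # -extensions v3_req is what puts the SAN into the signed cert; omit it and FAQ 2 appears
    openssl x509 -req -in "$dir/emqx.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -sha256 -extensions v3_req -extfile "$dir/openssl.cnf" -out "$dir/emqx.pem" 2>/dev/null
}

# cert_has_ip CERT IP : exit 0 if IP appears in the certificate's subjectAltName, else 1.
# The SAN line in -text output looks like "IP Address:192.168.60.135, IP Address:127.0.0.1".
cert_has_ip() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "IP Address:$2"
}

# check_broker_cert CA CERT IP... : the same checks a client performs on connect:
# the chain must validate against CA and each IP the client dials must be in the SAN.
check_broker_cert() {
    ca=$1; cert=$2; shift 2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain does not validate against $ca"; return 1; }
    for ip in "$@"; do
        cert_has_ip "$cert" "$ip" || { echo "SAN is missing IP $ip (ERR_TLS_CERT_ALTNAME_INVALID)"; return 1; }
    done
    echo "ok: $cert chains to $ca and covers: $*"
}
```

Run check_broker_cert against the real etc/certs/ca.pem and emqx.pem with the broker IPs you intend to connect to; a non-zero exit pinpoints which of the two FAQ failures a client would hit.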