# How to configure MQTT TLS encryption and authentication on the EMQ Broker: one-way and two-way
## Generating the certificates
### Self-signed CA
openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................+++++
.+++++
e is 65537 (0x010001)
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShangHai
Locality Name (eg, city) []:SH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KevinChen
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.mqtt.com
Email Address []:
### Generating the server certificate
openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
....+++++
e is 65537 (0x010001)
openssl req -new -key ./server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShangHai
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KC
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mqtt.mqtt.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
openssl x509 -req -in ./server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 3650 -sha256
Signature ok
subject=C = CN, ST = ShangHai, O = KC, CN = mqtt.mqtt.com
Getting CA Private Key
### Generating the client certificate
openssl genrsa -out client.key 2048
openssl req -new -key ./client.key -out client.csr
openssl x509 -req -in ./client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 3650 -sha256
!!! ⚠️ Note: the broker process must be able to read the certificate files, but do not use `chmod -R 777 certs/*`: that makes the private keys readable and writable by every user on the host, and anyone who can read server.key can impersonate the broker. Keep ca.pem and server.pem at 644, keep server.key at 600 (or 640 with the broker's group) owned by the user the broker runs as, and leave ca.key and the client keys off the broker host altogether; the CA key is only needed where new certificates are signed. !!!
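The same three steps (CA, server certificate, client certificate) as one non-interactive script, added here as an example; it is not code from the original post or from the EMQX project. Two things differ from the interactive commands above: the server certificate carries a subjectAltName, because TLS clients such as mosquitto match the broker hostname against the SAN rather than the CN, and the client certificate carries the clientAuth extended key usage; both are missing when `openssl x509 -req` is run without an extension file. The output directory `./certs`, the broker hostname `mqtt.mqtt.com`, the client name `device01` and the CA subject are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original post or from EMQX): the page's openssl
# steps made non-interactive, with the extensions current TLS stacks expect.
# Assumptions (not from the page): output dir ./certs, broker hostname
# mqtt.mqtt.com, client name device01, 10-year validity like the page.
set -eu

CERT_DIR="${CERT_DIR:-./certs}"
BROKER_HOST="${BROKER_HOST:-mqtt.mqtt.com}"
DAYS="${DAYS:-3650}"

# Self-signed CA. A private config file keeps the run independent of the
# system openssl.cnf; the CA key is kept at 600 instead of the page's 777.
gen_ca() {
  mkdir -p "$CERT_DIR"
  cat > "$CERT_DIR/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CN
ST = ShangHai
O = KevinChen
CN = MQTT Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$CERT_DIR/ca.key" 2048 2>/dev/null
  chmod 600 "$CERT_DIR/ca.key"
  openssl req -x509 -new -nodes -sha256 -days "$DAYS" -config "$CERT_DIR/req.cnf" \
    -key "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.pem"
}

# Leaf certificate signed by the CA: $1 = file prefix, $2 = subject CN,
# $3 = extension file content (the page's x509 -req call has none).
gen_leaf() {
  prefix="$1"; cn="$2"; ext="$3"
  openssl genrsa -out "$CERT_DIR/$prefix.key" 2048 2>/dev/null
  chmod 600 "$CERT_DIR/$prefix.key"
  openssl req -new -config "$CERT_DIR/req.cnf" -key "$CERT_DIR/$prefix.key" \
    -subj "/C=CN/ST=ShangHai/O=KC/CN=$cn" -out "$CERT_DIR/$prefix.csr"
  printf '%s\n' "$ext" > "$CERT_DIR/$prefix.ext"
  openssl x509 -req -in "$CERT_DIR/$prefix.csr" -CA "$CERT_DIR/ca.pem" \
    -CAkey "$CERT_DIR/ca.key" -CAcreateserial -days "$DAYS" -sha256 \
    -extfile "$CERT_DIR/$prefix.ext" -out "$CERT_DIR/$prefix.pem"
  chmod 644 "$CERT_DIR/$prefix.pem"
}

# Server cert: SAN = broker hostname, serverAuth EKU.
gen_server_cert() {
  gen_leaf server "$BROKER_HOST" \
"subjectAltName=DNS:$BROKER_HOST
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment"
}

# Client cert: clientAuth EKU, CN = device name (assumed default device01).
gen_client_cert() {
  gen_leaf client "${1:-device01}" \
"extendedKeyUsage=clientAuth
keyUsage=digitalSignature"
}

# Checks worth running before copying files to the broker: each leaf chains
# to ca.pem for its purpose, and each private key matches its certificate.
verify_chain() {
  openssl verify -CAfile "$CERT_DIR/ca.pem" -purpose sslserver "$CERT_DIR/server.pem" >/dev/null
  openssl verify -CAfile "$CERT_DIR/ca.pem" -purpose sslclient "$CERT_DIR/client.pem" >/dev/null
  for p in server client; do
    [ "$(openssl x509 -in "$CERT_DIR/$p.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$CERT_DIR/$p.key" -pubout)" ] || return 1
  done
}

if [ "${1:-}" = "all" ]; then
  gen_ca; gen_server_cert; gen_client_cert
  verify_chain && echo "certificates OK in $CERT_DIR"
fi
```

Run it as `sh gencerts.sh all`; only ca.pem, server.pem and server.key go to the broker, the client gets ca.pem, client.pem and client.key.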
## Plain (non-Docker) configuration
Edit etc/emqx.conf under the EMQX installation directory.
### Configuring SSL
listener.ssl.external.keyfile = /etc/certs/server.key
listener.ssl.external.certfile = /etc/certs/server.pem
listener.ssl.external.cacertfile = /etc/certs/ca.pem
### One-way authentication
The client verifies the broker's certificate against ca.pem; the broker does not require a client certificate. With the settings below a client that presents no certificate is accepted, while one that does present a certificate has it checked against ca.pem (`verify = verify_none` would skip that check entirely):
listener.ssl.external.verify = verify_peer
listener.ssl.external.fail_if_no_peer_cert = false
### Two-way authentication
The broker additionally demands a client certificate signed by the CA in ca.pem and aborts the handshake when none is presented. The second line must be `true`; with `false` the client certificate is merely optional and the listener is still effectively one-way:
listener.ssl.external.verify = verify_peer
listener.ssl.external.fail_if_no_peer_cert = true
## Docker configuration
### Starting the container
docker run -d --name emqx -p 1883:1883 -p 8883:8883 -v /path/certs:/opt/emqx/certs emqx/emqx:v4.1.0
Pass the SSL settings from the environment-variable section below on the same command, one `-e KEY=VALUE` per line; a container started without them serves 8883 with the self-signed certificates bundled in the image rather than yours.
## Path mapping
/path/certs:/opt/emqx/certs
The host directory holding ca.pem, server.pem and server.key (left) is mounted into the container (right); the environment variables below refer to the container-side path.
!!! ⚠️ Note: the official image does not run the broker as root (it switches to the `emqx` user), so the mounted files must be readable by that user rather than by root only. Use 644 for the certificates and 600 or 640 for server.key, owned by the uid the container runs as (`docker run --rm --entrypoint id emqx/emqx:v4.1.0` shows it). `chmod -R 777` is not needed and hands the private key to every process on the host. !!!
## Configuring SSL (environment variables)
EMQX_LISTENER__SSL__EXTERNAL__KEYFILE=/opt/emqx/certs/server.key
EMQX_LISTENER__SSL__EXTERNAL__CERTFILE=/opt/emqx/certs/server.pem
EMQX_LISTENER__SSL__EXTERNAL__CACERTFILE=/opt/emqx/certs/ca.pem
### One-way authentication (environment variables)
Client certificates are optional here: a client that presents none is accepted, one that presents a certificate has it checked against ca.pem.
EMQX_LISTENER__SSL__EXTERNAL__VERIFY=verify_peer
EMQX_LISTENER__SSL__EXTERNAL__FAIL_IF_NO_PEER_CERT=false
### Two-way authentication (environment variables)
The broker rejects any client that does not present a certificate signed by the CA in ca.pem.
EMQX_LISTENER__SSL__EXTERNAL__VERIFY=verify_peer
EMQX_LISTENER__SSL__EXTERNAL__FAIL_IF_NO_PEER_CERT=true
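Starting the container with these variables and then checking from the client side that the listener really enforces the chosen mode, as an added example; this is not code from the original post or from EMQX. It assumes the certificates are in `./certs` (as produced by the generation steps above), that the broker is reachable as `mqtt.mqtt.com:8883`, and that the mosquitto command-line clients are installed; the function names and the `emqx-tls.env` file name are the author's choice for this example. The one-way mode here uses `verify_none`; the page's `verify_peer` with `FAIL_IF_NO_PEER_CERT=false` also works and merely makes the client certificate optional.

```shell
#!/bin/sh
# Added example (not from the original post or from EMQX). Assumptions not
# from the page: certs in ./certs, broker at mqtt.mqtt.com:8883, mosquitto
# clients installed, env file name emqx-tls.env.
set -eu

CERT_DIR="${CERT_DIR:-./certs}"
BROKER_HOST="${BROKER_HOST:-mqtt.mqtt.com}"

# Print the EMQX_LISTENER__SSL__EXTERNAL__* lines for a mode.
#   one-way: clients verify the broker; the broker asks for no client cert
#   mutual : the broker additionally requires a client cert chaining to ca.pem
# The weak combination is VERIFY=verify_peer with FAIL_IF_NO_PEER_CERT=false:
# the client cert becomes optional, so the listener is still one-way.
emqx_tls_env() {
  case "$1" in
    one-way) verify=verify_none; fail_no_cert=false ;;
    mutual)  verify=verify_peer; fail_no_cert=true ;;
    *) echo "usage: emqx_tls_env one-way|mutual" >&2; return 1 ;;
  esac
  printf '%s\n' \
    "EMQX_LISTENER__SSL__EXTERNAL__KEYFILE=/opt/emqx/certs/server.key" \
    "EMQX_LISTENER__SSL__EXTERNAL__CERTFILE=/opt/emqx/certs/server.pem" \
    "EMQX_LISTENER__SSL__EXTERNAL__CACERTFILE=/opt/emqx/certs/ca.pem" \
    "EMQX_LISTENER__SSL__EXTERNAL__VERIFY=$verify" \
    "EMQX_LISTENER__SSL__EXTERNAL__FAIL_IF_NO_PEER_CERT=$fail_no_cert"
}

# Same `docker run` as the page, with the TLS settings passed via --env-file.
start_broker() {
  emqx_tls_env "$1" > emqx-tls.env
  docker run -d --name emqx -p 1883:1883 -p 8883:8883 \
    -v "$(cd "$CERT_DIR" && pwd):/opt/emqx/certs" \
    --env-file emqx-tls.env emqx/emqx:v4.1.0
}

# Does the broker present a certificate that chains to our CA for this name?
# (-servername makes s_client check the SAN the way an MQTT client would.)
check_server_cert() {
  openssl s_client -connect "$BROKER_HOST:8883" -servername "$BROKER_HOST" \
    -CAfile "$CERT_DIR/ca.pem" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# Under mutual TLS a publish without a client cert must fail and one with
# the CA-signed client cert must succeed; anything else means the listener
# is not enforcing client authentication.
check_mutual_enforced() {
  if mosquitto_pub -h "$BROKER_HOST" -p 8883 --cafile "$CERT_DIR/ca.pem" \
       -t probe -m hello 2>/dev/null; then
    echo "accepted a client with no certificate: listener is not mutual TLS" >&2
    return 1
  fi
  mosquitto_pub -h "$BROKER_HOST" -p 8883 --cafile "$CERT_DIR/ca.pem" \
    --cert "$CERT_DIR/client.pem" --key "$CERT_DIR/client.key" -t probe -m hello
}

if [ "${1:-}" = "mutual" ] || [ "${1:-}" = "one-way" ]; then
  start_broker "$1"
  sleep 5                       # give the broker time to open 8883
  check_server_cert && echo "server certificate OK"
  if [ "$1" = "mutual" ]; then
    check_mutual_enforced && echo "client certificate enforced"
  fi
fi
```

Run `sh check-tls.sh mutual` after the certificates exist; if `check_mutual_enforced` reports that a client without a certificate was accepted, the container was started with `FAIL_IF_NO_PEER_CERT=false` or without the SSL variables at all.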
## References
- https://docs.emqx.io/broker/latest/cn/configuration/configuration.html
- https://blog.csdn.net/zljintan/article/details/83619309