0、本地PKI环境
TODO openssl.cnf
1、生成 CA 自签名证书
openssl genrsa -out certs/root-ca.key 2048 生成私钥
openssl req -new -x509 -days 365 -config ./openssl.cnf -key certs/root-ca.key -out certs/root-cacert.pem -subj "/C=CN/ST=NANJING/O=EMQ/CN=RootCA" 生成证书,pem文件,包含公钥和一些其他信息
openssl rsa -in certs/root-ca.key -text 查看私钥信息
openssl rsa -pubin -in rsa_public.key -text 查看公钥信息
openssl x509 -in certs/root-cacert.pem -noout -text 查看证书内容
2、签发客户端证书
openssl genrsa -out certs/client.key 2048
openssl req -new -days 365 -key certs/client.key -out certs/client-cert.csr -subj "/C=CN/ST=NANJING/O=EMQ/CN=Client"
openssl ca -config ./openssl.cnf -extensions v3_req -days 365 -in certs/client-cert.csr -out certs/client-cert.pem -cert certs/root-cacert.pem -keyfile certs/root-ca.key
3、签发服务端证书
openssl genrsa -out certs/server.key 2048
openssl req -new -days 365 -key certs/server.key -out certs/server-cert.csr -subj "/C=CN/ST=NANJING/O=EMQ/CN=Server"
openssl ca -config ./openssl.cnf -extensions v3_req -days 365 -in certs/server-cert.csr -out certs/server-cert.pem -cert certs/root-cacert.pem -keyfile certs/root-ca.key
4、验证
==》使用openssl verify验证
openssl verify -CAfile certs/root-cacert.pem certs/server-cert.pem 使用根证书验证签发的server证书
==》使用openssl s_server, s_client验证
单向认证测试
$ openssl s_server -accept 2009 -key certs/server.key -cert certs/server-cert.pem 开启认证server
$ openssl s_client -connect localhost:2009 -CAfile certs/root-cacert.pem -showcerts
Verify return code: 0 (ok)
双向认证测试
$ openssl s_server -accept 2009 -key certs/server.key -cert certs/server-cert.pem -CAfile certs/root-cacert.pem -Verify 1
$ openssl s_client -connect localhost:2009 -key certs/client.key -cert certs/client-cert.pem -CAfile certs/root-cacert.pem -showcerts
Verify return code: 0 (ok)
5、配置EMQX
cp certs/* /usr/local/src/emqx-centos7-v4.1.4/emqx/etc/certs/
配置 etc/emqx.conf文件,(参考下面的文件)
单向验证
echo -en "\x10\x0d\x00\x04MQTT\x04\x00\x00\x00\x00\x01a" | openssl s_client -connect localhost:8883 -CAfile certs/root-cacert.pem -showcerts
双向验证
echo -en "\x10\x0d\x00\x04MQTT\x04\x00\x00\x00\x00\x01a" | openssl s_client -connect localhost:8883 -CAfile certs/root-cacert.pem -cert certs/client-cert.pem -key certs/client.key -showcerts
参考:
https://www.emqx.io/cn/blog/enable-two-way-ssl-for-emqx
https://www.jianshu.com/p/3659fa4bd226
https://blog.csdn.net/wzfgd/article/details/109805158
https://www.cnblogs.com/bluestorm/p/10571989.html