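# MQTT_TLS1.3 建置

github : https://github.com/Kevin8701111/MQTT_CA_IOTA

## 前置作業

1. CA Server x1
2. MQTT Server x1
3. MQTT Client x1

## Mosquitto MQTT 建置

### MQTT Server

```bash=
sudo apt install mosquitto
sudo service mosquitto status
```

### MQTT Client

```bash=
sudo apt install mosquitto-clients
```

## Cert 建置

### CA Server

###### Name="pcname" 改為自己CA Server的Name

```bash=
#!/bin/bash
Name="pcname"
SUBJECT_CA="/C=TW/ST=Taiwan/L=Taichung/O=NCHU/OU=2111/CN=$Name"

# Self-signed CA certificate and key. -nodes writes ca.key unencrypted, so keep
# it readable by the CA owner only (chmod 600 ca.key); ca.key stays on the CA
# host — only ca.crt is distributed to the MQTT server and clients.
function generate_CA {
  echo "$SUBJECT_CA"
  openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_CA" -days 365 -keyout ca.key -out ca.crt
}
generate_CA
```

### MQTT Server

```bash=
#!/bin/bash
Name="pcname"
SUBJECT_SERVER="/C=TW/ST=NCHU.TWISC/L=Taichung/O=2111/OU=Server/CN=$Name"

# Server key + CSR. Only server.csr is sent to the CA; server.key never leaves
# this host.
function generate_server {
  echo "$SUBJECT_SERVER"
  openssl req -nodes -sha256 -new -subj "$SUBJECT_SERVER" -keyout server.key -out server.csr
}
generate_server
```

### MQTT Client

```bash=
#!/bin/bash
Name="pcname"
SUBJECT_CLIENT="/C=TW/ST=NCHU.TWISC/L=Taichung/O=2111/OU=Client/CN=$Name"

# Client key + CSR. The CN becomes the MQTT username on the broker
# (use_identity_as_username below), so pick a unique Name per client.
function generate_client {
  echo "$SUBJECT_CLIENT"
  openssl req -new -nodes -sha256 -subj "$SUBJECT_CLIENT" -out client.csr -keyout client.key
}
generate_client
```

###### windows genkey ecdsa

###### 解壓縮後進入D:\kevin_space\project\MQTT_K\openssl-1.1\prerequisites

###### 執行VC_redist.x64.exe

```bash=
set OPENSSL_CONF=D:\kevin_space\project\MQTT_K\openssl-1.1\ssl\openssl.cnf
openssl ecparam -name secp384r1 -genkey -out kevin-hp1-ecc.key
openssl req -new -key kevin-hp1-ecc.key -out kevin-hp1-ecc.csr -subj "/C=TW/ST=Taiwan/L=Taichung/O=NCHU/OU=2111/CN=kevin-hp1"
# only the CSR is uploaded; kevin-hp1-ecc.key stays on this machine
scp kevin-hp1-ecc.csr CAserverName@CAserverIP:/home/kevin-pc8/kevin-space/git-push/MQTT_CA_IOTA/democa_file/
scp CAserverName@CAserverIP:/home/kevin-pc8/kevin-space/git-push/MQTT_CA_IOTA/democa_file/kevin-hp1-ecc.crt .
```

### 將所有的csr給CA Server認證

CA Server$

```bash=
scp User@ServerIP:csr完整路徑(用pwd看) ./
scp User@ClientIP:csr完整路徑(用pwd看) ./
```

Run Bash

```bash=
#!/bin/bash
Name="pcname"
# Not used when signing: openssl x509 -req takes the subject from each CSR.
SUBJECT_CA="/C=TW/ST=Taiwan/L=Taichung/O=NCHU/OU=2111/CN=$Name"

# Sign the server and client CSRs with the CA key. Every certificate signed
# here is accepted by the broker (require_certificate true), so verify the
# CSR subject before signing and keep ca.key confined to this host.
function generate_CA {
  openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
  openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
}
generate_CA
```

### 將認證完的crt傳回原本的主機

CA Server$

```bash=
# certificates only — never the CA key
scp server.crt ca.crt User@ServerIP:crt保存的地方(自訂,到時候pub sub都會指定這個目錄)
scp client.crt ca.crt User@ClientIP:crt保存的地方(自訂,到時候pub sub都會指定這個目錄)
```

### 設定MQTT Server Config

MQTT Server$

```bash=
# /etc/mosquitto is root-owned, so the copies need sudo like the nano step below.
# server.key must be readable by the mosquitto service user and not world-readable.
sudo cp server.* /etc/mosquitto/certs/
sudo cp ca.crt /etc/mosquitto/certs/
sudo nano /etc/mosquitto/mosquitto.conf
```

全選貼上以下設定

```
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

persistence true
persistence_location /var/lib/mosquitto/

# no bind address given, so 8883 is opened on all interfaces
listener 8883
protocol mqtt

log_type all
connection_messages true
log_timestamp true

cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
# tls_version is not set, so the listener also accepts TLS 1.2; add
# "tls_version tlsv1.3" to require TLS 1.3 only.

# every client must present a certificate chained to cafile; its CN is used
# as the MQTT username
require_certificate true
use_identity_as_username true
```

###### 載入設定檔

```bash=
sudo mosquitto -v -c mosquitto.conf
# or
sudo service mosquitto restart
sudo service mosquitto status (查看是否正常啟動)
```

### 設定MQTT TLS 測試

```bash=
# test from the server host with its own cert; on the client host use
# client.crt / client.key instead
mosquitto_sub -h MQTT_ServerIP -p 8883 -t "kk/123" --cafile ca.crt --cert server.crt --key server.key -d
mosquitto_pub -h MQTT_ServerIP -p 8883 -t "kk/123" --cafile ca.crt --cert server.crt --key server.key -m "123" -d
```

```bash=
# AWS IoT Core example: device certificate + private key, Amazon root CA as cafile
mosquitto_sub --cafile AmazonRootCA3.pem --cert iot_core_kevin_test.cert.pem --key iot_core_kevin_test.private.key -h iot_core_kevin_test -p 8883 -q 0 -t mosquitto/with/aws -i iot_core_kevin_test-sub --tls-version tlsv1.2 -d -V mqttv5
```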