CentOS 7 ships with openssl installed by default, so go straight to setting up the certificates.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days <days> -key ca.key -out ca.crt
(
Country Name : KR
State or Province Name : SEOUL
Locality Name : NONHYUN
Organization Name : ALAN
Organization Unit Name : Comp
Common Name : domain or computer (host) name
Email Address :
)
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
(
Country Name : KR
State or Province Name : SEOUL
Locality Name : NONHYUN
Organization Name : ALAN
Organization Unit Name : Server
Common Name : domain or computer (host) name
Email Address :
A challenge password : abcd
An optional company name :
)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <days>
openssl verify -CAfile ca.crt server.crt
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
(
Country Name : KR
State or Province Name : SEOUL
Locality Name : NONHYUN
Organization Name : ALAN
Organization Unit Name : Client
Common Name : domain or computer (host) name
Email Address :
A challenge password : abcd
An optional company name :
)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days <days>
openssl verify -CAfile ca.crt client.crt
Notes
The Organization Unit Name is entered three times (CA, server, client) and must be different each time. That is what keeps the three subject DNs distinct: openssl looks an issuer up by name, and a server or client certificate whose subject is identical to the CA's subject is taken for a self-signed certificate and rejected by openssl verify.
The Common Name is entered as the same host name all three times here. What actually matters is that the server certificate's CN be the host name clients will pass to -h (mosquitto_sub and mosquitto_pub check it against the certificate unless --insecure is given), and that the client certificate's CN be the name you want the broker to use as the username once use_identity_as_username is on.
The challenge password is stored only as an attribute of the CSR; neither the signing step nor the broker uses it, so it can be left blank.
Even searching didn't turn up many documents, so it was a struggle... ㅠ
Now it is time to edit the configuration file and bring up an MQTT broker with encryption applied.
Editing the Default listener
211 # Port to use for the default listener.
212 #port 1883
213 #openSSL port
214 port 8883
First, change the port value to 8883 (the conventional MQTT-over-TLS port).
264 # At least one of cafile or capath must be defined. They both
265 # define methods of accessing the PEM encoded Certificate
266 # Authority certificates that have signed your server certificate
267 # and that you wish to trust.
268 # cafile defines the path to a file containing the CA certificates.
269 # capath defines a directory that will be searched for files
270 # containing the CA certificates. For capath to work correctly, the
271 # certificate files must have ".crt" as the file ending and you must run
272 # "openssl rehash <path to capath>" each time you add/remove a certificate.
273 #cafile
274 cafile /etc/mosquitto/ssl/ca.crt
275 #capath
276
277 # Path to the PEM encoded server certificate.
278 #certfile
279 certfile /etc/mosquitto/ssl/server.crt
280
281 # Path to the PEM encoded keyfile.
282 #keyfile
283 keyfile /etc/mosquitto/ssl/server.key
Set the paths to the CA certificate, the server certificate and the server key (the files generated above, copied to /etc/mosquitto/ssl; the key must be readable by the user mosquitto runs as and by nobody else).
304 # By default a TLS enabled listener will operate in a similar fashion to a
305 # https enabled web server, in that the server has a certificate signed by a CA
306 # and the client will verify that it is a trusted certificate. The overall aim
307 # is encryption of the network traffic. By setting require_certificate to true,
308 # the client must provide a valid certificate in order for the network
309 # connection to proceed. This allows access to the broker to be controlled
310 # outside of the mechanisms provided by MQTT.
311 require_certificate true
312
313 # This option defines the version of the TLS protocol to use for this listener.
314 # The default value allows all of v1.3, v1.2 and v1.1. The valid values are
315 # tlsv1.3 tlsv1.2 and tlsv1.1.
316 #tls_version
317
319 # If require_certificate is true, you may set use_identity_as_username to true
320 # to use the CN value from the client certificate as a username. If this is
321 # true, the password_file option will not be used for this listener.
322 # This takes priority over use_subject_as_username.
323 # See also use_subject_as_username.
324 use_identity_as_username true
The lines without a leading # are the ones to set: require_certificate true (the client must present a certificate signed by cafile, or the TLS handshake is refused) and use_identity_as_username true (the CN of that certificate becomes the MQTT username, so the password_file is not consulted on this listener).
Because of the extra-listener settings there are many similar-looking sections, so I narrowed the range before editing.
Even if tls_version is not specified, 1.1, 1.2 and 1.3 are all allowed. Pinning it with tls_version tlsv1.2 drops the deprecated 1.1; tlsv1.3 only works if mosquitto is linked against an OpenSSL with TLS 1.3 support, which the 1.0.2 shipped with CentOS 7 is not.
Various other settings such as an extra listener or a socket conversion are possible, but I am skipping them for lack of time.
pub/sub check
sub
mosquitto_sub -t topic -p 8883 -h <host name entered above as Common Name> --cafile /path/to/certs/ca.crt --cert /path/to/certs/client.crt --key /path/to/certs/client.key
Subscribes to the topic named topic. -h must match the server certificate's CN, and --cert/--key are the client certificate and key the broker now requires.
pub
mosquitto_pub -t topic -p 8883 -h <host name entered above as Common Name> --cafile /path/to/certs/ca.crt --cert /path/to/certs/client.crt --key /path/to/certs/client.key -m message
Publishes a message to topic. If the message contains spaces, wrap it in double quotes ("").
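The whole procedure on this page in one script, as an added example that is not code from the original post: the CA, server and client certificates are generated non-interactively (-subj replaces the interactive prompts, with the OU values from above), the listener settings from the Default listener section are written out as a stand-alone mosquitto.conf, and the checks worth running before pointing mosquitto_sub/mosquitto_pub at the broker are applied. Assumed: openssl on PATH, BROKER_HOST as a placeholder for the host name used as Common Name and passed to -h, 365-day validity, and a Mosquitto 1.x configuration as in the post (Mosquitto 2.0 replaces the top-level port line with listener 8883). The tls_version line is my addition, pinning TLS 1.2 rather than accepting the default 1.1 to 1.3 range.

```shell
#!/bin/sh
# Added example, not code from the original post: the certificate steps above
# run non-interactively, a minimal mosquitto.conf with the listener settings
# from the post, and the pre-flight checks. Assumptions: openssl on PATH,
# BROKER_HOST is a placeholder host name, validity 365 days, Mosquitto 1.x.
set -e

SUBJ_BASE="/C=KR/ST=SEOUL/L=NONHYUN/O=ALAN"

# make_ca DIR CN : self-signed CA (OU=Comp), same as the first two commands
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/ca.key" -out "$1/ca.crt" \
        -subj "$SUBJ_BASE/OU=Comp/CN=$2"
}

# issue_cert DIR NAME OU CN : key, CSR and CA-signed cert (server/client steps).
# The OU is what makes each subject DN differ from the CA's DN.
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "$SUBJ_BASE/OU=$3/CN=$4"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.crt" -days 365 2>/dev/null
}

# subject_dn FILE : subject in RFC 2253 form (same shape on OpenSSL 1.0.2 and later)
subject_dn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# cert_cn FILE : the CN only; for client.crt this is the username the broker
# sees when use_identity_as_username is true
cert_cn() {
    subject_dn "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_cert DIR NAME : "ok" if NAME.crt chains to DIR/ca.crt, else "fail"
verify_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# write_conf DIR : the Default listener settings from the post as a stand-alone
# config file, with TLS pinned to 1.2 instead of the 1.1-1.3 default
write_conf() {
    cat > "$1/mosquitto.conf" <<EOF
port 8883
cafile $1/ca.crt
certfile $1/server.crt
keyfile $1/server.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true
EOF
}

# build DIR HOST : generate everything; return 1 if any pre-flight check fails
build() {
    make_ca "$1" "$2"
    issue_cert "$1" server Server "$2"
    issue_cert "$1" client Client "$2"
    write_conf "$1"
    [ "$(verify_cert "$1" server)" = ok ] || return 1
    [ "$(verify_cert "$1" client)" = ok ] || return 1
    # a leaf whose subject equals the CA's subject is taken for self-signed and rejected
    [ "$(subject_dn "$1/ca.crt")" != "$(subject_dn "$1/server.crt")" ] || return 1
    [ "$(subject_dn "$1/ca.crt")" != "$(subject_dn "$1/client.crt")" ] || return 1
    # the server CN must be the name clients pass to -h, or host name checking fails
    [ "$(cert_cn "$1/server.crt")" = "$2" ] || return 1
}

# sub_cmd DIR HOST TOPIC : the mosquitto_sub line from the post with paths filled in
sub_cmd() {
    echo "mosquitto_sub -h $2 -p 8883 -t $3 --cafile $1/ca.crt --cert $1/client.crt --key $1/client.key"
}

WORK=$(mktemp -d)
build "$WORK" BROKER_HOST
echo "username the broker derives from client.crt: $(cert_cn "$WORK/client.crt")"
echo "start the broker with: mosquitto -c $WORK/mosquitto.conf"
sub_cmd "$WORK" BROKER_HOST topic
```

The script prints the username the broker will derive from client.crt and the mosquitto_sub line to run; start the broker with the printed mosquitto -c command, run that line, then publish with the matching mosquitto_pub command from above. Replace BROKER_HOST with the real host name before generating certificates for a deployment, and copy the files to /etc/mosquitto/ssl with the key readable only by the mosquitto user.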