生成证书
首先:需要安装Openssl
以下是openssl命令
生成CA证书
bash
1.openssl genrsa -out rootCA.key 2048
2.openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -subj "/C=CN/ST=Shandong/L=jinan/O=yunding/OU=platform/CN=rootCA" -out rootCA.crt生成服务端证书
bash
1.openssl genrsa -out outkey/IoTServerEmq.key 2048 (IoTServerEmq.key RSA加密的)
2.openssl req -new -key outkey/IoTServerEmq.key -out outkey/IoTServerEmq.csr -subj /C=CN/ST=Shandong/L=Jinan/O=yunding/OU=Iot/CN=IoTServerEmq
3.openssl pkcs8 -topk8 -in outkey/IoTServerEmq.key -out outkey/IoTServerEmq.pem -nocrypt
4.openssl x509 -req -in outkey/IoTServerEmq.csr -out outkey/IoTServerEmq.crt -CA outkey/rootCA.crt -CAkey outkey/rootCA.key -CAcreateserial -days 10950 -passin pass:password -extfile outkey/openssl3.cfg -extensions v3_req生成client证书
bash
1.openssl genrsa -out outkey/IoTClientDm.key 2048
2.openssl req -new -key outkey/IoTClientDm.key -out outkey/IoTClientDm.csr -subj /C=CN/ST=Shandong/L=Jinan/O=yunding/OU=Iot/CN=IoTClientDm
3.openssl pkcs8 -topk8 -in outkey/IoTClientDm.key -out outkey/IoTClientDm.pem -nocrypt (IoTClientDm.pem 不加密的)
4.openssl x509 -req -in outkey/IoTClientDm.csr -out outkey/IoTClientDm.crt -CA outkey/rootCA.crt -CAkey outkey/rootCA.key -CAcreateserial -days 36500 -passin pass:password -extfile outkey/openssl3.cfg -extensions v3_req生成如下文件:
存放证书
将生成的CA证书,Server证书,Server私钥放到etc/certs目录
修改EMQX配置文件
配置emqx.conf:
证书存放地址
listener.ssl.external.keyfile = etc/certs/yunding/IoTServerEmq.key
listener.ssl.external.certfile = etc/certs/yunding/IoTServerEmq.crt
listener.ssl.external.cacertfile = etc/certs/yunding/rootCA.crt
开启端对端认证
listener.ssl.external.verify = verify_peer
强制开启双向认证,如果客户端无法提供证书,则 SSL/TLS 连接将被拒绝
listener.ssl.external.fail_if_no_peer_cert = true
客户端连接
官方手册:
获取ssl/tsl证书:
https://www.emqx.io/docs/zh/v5.1/network/tls-certificate.html#创建自签名证书
开启ssl/tsl连接:
https://www.emqx.io/docs/zh/v5.1/network/emqx-mqtt-tls.html#安全优势