TLS is commonly used with MQTT, and while there are plenty of explanations of how TLS works on the Internet, there are few hands-on guides. The EMQX MQTT broker supports TLS, but it has to be configured explicitly. This guide walks through generating a self-signed CA and server certificate with OpenSSL, enabling the TLS listener in EMQX, and verifying the connection with a client.
Install EMQX software
First install EMQX. Download page: https://www.emqx.com/zh/try?product=broker
For convenience of testing, this guide installs the Ubuntu package in a virtual machine.
After installation, open a browser and go to localhost:18083 (or 127.0.0.1:18083) to reach the EMQX Dashboard.
Initial default username: admin
Password: public
Change this password on first login: the default is public knowledge and the dashboard gives full administrative control of the broker. After logging in you will see the management interface.
Install OpenSSL
Next install OpenSSL, which is used to generate the self-signed certificates.
Download: https://www.openssl.org/source/
This guide uses the 1.1.1 series (openssl-1.1.1s). Note that OpenSSL 1.1.1 reached end of life in September 2023 and no longer receives security fixes; the certificate commands below also work with the OpenSSL that Ubuntu already ships (check with: openssl version), in which case the build from source can be skipped.
Unzip the downloaded installation package
tar -xvf openssl-1.1.1s.tar.gz
Then enter the unzipped folder
cd openssl-1.1.1s/
Set the installation prefix:
./config --prefix=/usr/local/openssl
Then compile and install (installation needs root privileges):
make
sudo make install
With this prefix the new binary is /usr/local/openssl/bin/openssl, which is not on the PATH, so either call it by its full path or add /usr/local/openssl/bin to PATH before running the commands below. Because the binary is linked against the shared libraries in /usr/local/openssl/lib, that directory may also need to be added to LD_LIBRARY_PATH or registered with ldconfig.
SSL/TLS certificate preparation
Reference: EMQX guide to SSL/TLS secure connection configuration, https://www.emqx.com/zh/blog/emqx-server-ssl-tls-secure-connection-configuration-guide
First we need a self-signed CA certificate. Signing it requires a private key, generated with:
openssl genrsa -out ca.key 2048
This generates a 2048-bit RSA key and saves it in ca.key. Keep this file private: anyone who holds it can issue certificates that every client trusting ca.pem will accept. With this key, generate the root (CA) certificate; OpenSSL prompts for the subject fields (country, organization, common name, and so on):
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem
View CA certificate information (optional):
openssl x509 -in ca.pem -noout -text
The root certificate is the anchor of the whole chain of trust: a certificate is trusted if every issuer up the chain, ending at the root, is trusted. With this root certificate we can issue entity (end-entity) certificates to other parties.
The entity (here, the EMQX server) also needs its own key pair, so that it alone controls the private key behind its certificate. Generation is the same as above:
openssl genrsa -out emqx.key 2048
Create a new openssl.cnf file with the following contents:
- req_distinguished_name: modify according to your situation.
- alt_names: replace BROKER_ADDRESS with the actual IP address or DNS name that clients will use to reach the EMQX server, for example IP.1 = 127.0.0.1 or DNS.1 = broker.xxx.com. IP.n entries are for IP addresses and DNS.n entries for host names; delete whichever line does not apply (a host name in an IP.n entry is rejected by OpenSSL). Clients match the address they connect to against this list, not against the commonName.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
commonName = Server certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = BROKER_ADDRESS
DNS.1 = BROKER_ADDRESS
Then issue a certificate request with this key and configuration:
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
Then use the root certificate to issue the entity certificate of EMQX:
openssl x509 -req -in ./emqx.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf
Check the EMQX entity certificate (optional):
openssl x509 -in emqx.pem -noout -text
Verify the EMQX entity certificate against the CA. This confirms the signature chain; it does not check that the address in alt_names is the one clients will connect to:
$ openssl verify -CAfile ca.pem emqx.pem
emqx.pem: OK
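The whole procedure above, from the CA key to the final verify step, as one script. This is an added example, not code from the EMQX guide; it assumes openssl on the PATH, and the output directory, the CA name EMQX Lab Root CA and the broker address 127.0.0.1 are assumptions that can be overridden through the environment. It goes beyond the text in two ways: the CA gets explicit CA:TRUE and keyCertSign extensions and the server certificate gets serverAuth, which stricter clients expect, and the final check uses openssl verify with -verify_ip or -verify_hostname so that it fails when the address a client dials is not in the SubjectAltName, which the plain openssl verify shown above does not detect.

```shell
#!/bin/sh
# Added example (not part of the EMQX guide): generate a self-signed CA and an
# EMQX server certificate with a SubjectAltName, then verify the certificate
# the way a client does, i.e. chain AND address match, not chain alone.
# Assumes: openssl 1.1.1 or 3.x on PATH. The output directory, CA name and
# broker address at the bottom are lab assumptions; override via environment.
set -eu

# make_ca DIR CA_NAME
# Writes DIR/ca.key (keep it private: whoever holds it can mint certificates
# every client trusting ca.pem will accept) and DIR/ca.pem, a self-signed root
# with CA:TRUE and keyCertSign so strict verifiers accept it as an issuer.
make_ca() {
    dir=$1; ca_name=$2
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $ca_name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 3650 \
        -config "$dir/ca.cnf" -out "$dir/ca.pem"
}

# make_server_cert DIR NAME SAN
# SAN uses openssl syntax: "IP:192.168.56.10", "DNS:broker.example.com", or a
# comma-separated mix. Clients match the address they dial against these
# entries; the CN is ignored once a SubjectAltName is present.
make_server_cert() {
    dir=$1; name=$2; san=$3
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $name
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr"
    # -extensions/-extfile are required: x509 -req drops CSR extensions by default
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extensions v3_req \
        -extfile "$dir/$name.cnf" -out "$dir/$name.pem" 2>/dev/null
}

# verify_for_host DIR NAME HOST
# "openssl verify -CAfile ca.pem emqx.pem" only proves the chain. A client also
# checks that HOST (the address it connected to) is covered by the SAN, which
# -verify_ip / -verify_hostname reproduce. Returns 0 only if both hold.
verify_for_host() {
    dir=$1; name=$2; host=$3
    case $host in
        *[!0-9.]*) flag=-verify_hostname ;;   # not a dotted quad: DNS name (IPv4 only here)
        *)         flag=-verify_ip ;;
    esac
    openssl verify -CAfile "$dir/ca.pem" "$flag" "$host" "$dir/$name.pem" >/dev/null 2>&1
}

# Stand-alone usage; OUT, CA_NAME and BROKER_IP are assumptions for a lab VM:
#   BROKER_IP=192.168.56.10 OUT=./certs sh make_certs.sh
OUT=${OUT:-$(mktemp -d)}
CA_NAME=${CA_NAME:-EMQX Lab Root CA}
BROKER_IP=${BROKER_IP:-127.0.0.1}
mkdir -p "$OUT"
make_ca "$OUT" "$CA_NAME"
make_server_cert "$OUT" emqx "IP:$BROKER_IP,DNS:localhost"
verify_for_host "$OUT" emqx "$BROKER_IP" && echo "emqx.pem is valid for $BROKER_IP (files in $OUT)"
```

Point BROKER_IP at the address clients will actually use: a certificate issued for 127.0.0.1 is rejected by MQTT X connecting to the VM's LAN address even though openssl verify -CAfile ca.pem emqx.pem reports OK.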
After preparing the certificate, we can enable the TLS/SSL function of EMQX.
SSL/TLS enablement and verification
Copy the emqx.pem, emqx.key and ca.pem files generated above to the EMQX certificate directory /etc/emqx/certs, and add the following listener to emqx.conf. Make sure emqx.key is readable only by the user EMQX runs as (chmod 600, owned by emqx for the package installation). The listener keeps the EMQX default verify = verify_none, so this is one-way TLS: clients authenticate the broker using ca.pem, but the broker does not ask clients for a certificate.
listeners.ssl.default {
bind = "0.0.0.0:8883"
max_connections = 512000
ssl_options {
keyfile = "/etc/emqx/certs/emqx.key"
certfile = "/etc/emqx/certs/emqx.pem"
cacertfile = "/etc/emqx/certs/ca.pem"
}
}
Then restart EMQX
sudo emqx stop
sudo emqx start
After EMQX has restarted, use the MQTT client tool MQTT X (cross-platform, supports MQTT 5.0) to verify that the TLS listener works.
- Refer to the figure to create a new MQTT client in MQTT X. In the Host field, replace 127.0.0.1 with the actual IP of the EMQX server, that is, the virtual machine's IP, and use port 8883 with SSL/TLS enabled. The address entered here must be one of those listed under alt_names in the certificate, otherwise the client rejects the certificate.
- In the Certificate field select Self signed and supply the ca.pem file generated above, so that the client trusts certificates issued by our CA.
- Click Connect. If the connection succeeds and MQTT publish/subscribe works normally, the one-way TLS configuration with a self-signed certificate is complete: the client has authenticated the broker, while the broker has not required a certificate from the client.
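The same check from the command line, for when a GUI client is not at hand or a failed MQTT X connection needs diagnosing. This is an added example, not from the EMQX guide or from MQTT X; it assumes openssl on the PATH, and BROKER_HOST, port 8883 and the ca.pem path are assumptions supplied through the environment. The probe returns the X.509 verification code that s_client reports, so "the client does not trust the CA" (codes 20/21) and "the certificate is fine but was issued for a different address" (62 or 64) are told apart immediately.

```shell
#!/bin/sh
# Added example, not part of the EMQX guide or of MQTT X: probe an EMQX TLS
# listener from the shell with openssl s_client, as a client would, and read
# the X.509 verification result. Assumes openssl on PATH; BROKER_HOST, the
# port 8883 and the ca.pem path used at the bottom are lab assumptions.
set -u

# verify_code TEXT
# Extracts N from the "Verify return code: N (...)" line of s_client output.
# Prints nothing if no TLS handshake took place (e.g. connection refused).
# Codes worth recognising: 0 ok; 20/21 issuer not trusted (the client was not
# given ca.pem); 62 hostname mismatch and 64 IP address mismatch (the dialed
# address is not in the certificate's SubjectAltName).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# tls_probe HOST PORT CAFILE
# Handshakes with HOST:PORT trusting only CAFILE and requiring the certificate
# to match HOST (IPv4 literal or DNS name), exactly what a client checks.
# Prints the certificate's subject, issuer and verify line; returns the X.509
# verify code (0 = a client with the same CA file and address will succeed),
# or 1 if no handshake happened at all.
tls_probe() {
    host=$1; port=$2; cafile=$3
    case $host in
        *[!0-9.]*) match="-verify_hostname $host" ;;
        *)         match="-verify_ip $host" ;;
    esac
    # stdin from /dev/null makes s_client exit right after the handshake
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" $match </dev/null 2>&1)
    printf '%s\n' "$out" | grep -E '^(subject=|issuer=|Verify return code)' || true
    code=$(verify_code "$out")
    if [ -z "$code" ]; then
        echo "no TLS handshake with $host:$port"
        return 1
    fi
    return "$code"
}

# Stand-alone usage (values are assumptions for a lab VM):
#   BROKER_HOST=192.168.56.10 CA=./certs/ca.pem sh tls_probe.sh
if [ -n "${BROKER_HOST:-}" ]; then
    tls_probe "$BROKER_HOST" "${BROKER_PORT:-8883}" "${CA:-./ca.pem}"
    echo "verify result: $?"
fi
```

A result of 0 means a client given the same ca.pem and connecting to the same address will be accepted; 62 or 64 means the certificate must be reissued with the dialed address in alt_names, and 20 or 21 means the client is not using the right ca.pem.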