Bash script that generates the self-signed CA, server and client keys and certificates
-
#!/bin/sh
rm -f ca.*
rm -f emqx.*
rm -f client.*

# Generate the self-signed CA key and certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem -subj "/C=CN/ST=Jiangsu/L=Suzhou/O=XXX/CN=SelfCA"
#openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

# Generate the server key and certificate (subject and SANs come from openssl.cnf)
openssl genrsa -out emqx.key 2048
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
openssl x509 -req -in ./emqx.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf

# Generate the client key and certificate
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Jiangsu/L=Suzhou/O=XXX/CN=client"
openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem
The openssl.cnf configuration file
-
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Jiangsu
localityName = Suzhou
organizationName = XXX
commonName = Emqx

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.60.135
IP.2 = 127.0.0.1
#DNS.1 = BROKER_ADDRESS
Verify that the certificates are valid
-
openssl verify -CAfile ca.pem emqx.pem
openssl verify -CAfile ca.pem client.pem
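The two openssl verify calls above only prove that each certificate chains to the CA. The following added script (not from the original post; it assumes nothing but the openssl CLI and builds its own throwaway CA, server and client certificates) also checks that the server certificate's subjectAltName covers the broker IP and that each private key actually belongs to its certificate:

```shell
#!/bin/sh
# Added example, not from the original post; it needs only the openssl CLI.
# "openssl verify" alone does not confirm that the server cert covers the address
# clients dial, nor that each private key belongs to its certificate (the
# emqx.* -> server.* rename step is where that slips). This checks both.
# usage: check_tls_material CA SERVER_CERT SERVER_KEY CLIENT_CERT CLIENT_KEY BROKER_IP
check_tls_material() {
  ca=$1; scert=$2; skey=$3; ccert=$4; ckey=$5; ip=$6
  # 1. both leaf certificates chain to the self-signed CA
  openssl verify -CAfile "$ca" "$scert" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca" "$ccert" >/dev/null 2>&1 || return 1
  # 2. the server cert's subjectAltName lists the broker IP that MQTTX will verify
  openssl verify -CAfile "$ca" -verify_ip "$ip" "$scert" >/dev/null 2>&1 || return 1
  # 3. the public key inside each cert equals the one derived from its private key
  [ "$(openssl x509 -in "$scert" -noout -pubkey)" = "$(openssl pkey -in "$skey" -pubout)" ] || return 1
  [ "$(openssl x509 -in "$ccert" -noout -pubkey)" = "$(openssl pkey -in "$ckey" -pubout)" ] || return 1
}

# Constructed test material in directory $1: the page's CA/server/client layout
# with a 1-day lifetime, server SAN = IP:$2, and the CA flagged as a CA explicitly.
make_demo_material() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=IP:%s\n' "$2" > "$d/san.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" -subj "/CN=SelfCA" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/emqx.key" -out "$d/emqx.csr" -subj "/CN=Emqx" 2>/dev/null
  openssl x509 -req -in "$d/emqx.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/san.ext" -out "$d/emqx.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" -subj "/CN=client" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -out "$d/client.pem" 2>/dev/null
}

# Returns 0 when the correct set is accepted and two deliberate mistakes are caught.
run_demo() {
  d=$(mktemp -d) || return 1
  make_demo_material "$d" 127.0.0.1
  check_tls_material "$d/ca.pem" "$d/emqx.pem" "$d/emqx.key" "$d/client.pem" "$d/client.key" 127.0.0.1 \
    || { echo "FAIL: correct material rejected"; return 1; }
  # broker reached at an IP the SAN does not list
  if check_tls_material "$d/ca.pem" "$d/emqx.pem" "$d/emqx.key" "$d/client.pem" "$d/client.key" 10.0.0.1; then
    echo "FAIL: wrong IP accepted"; return 1; fi
  # server cert paired with the client's key (a copy/rename slip)
  if check_tls_material "$d/ca.pem" "$d/emqx.pem" "$d/client.key" "$d/client.pem" "$d/client.key" 127.0.0.1; then
    echo "FAIL: mismatched key accepted"; return 1; fi
  rm -rf "$d"
  echo "ok: correct set accepted; wrong IP and mismatched key rejected"
}
run_demo
```

Run it with the page's real files by calling check_tls_material with ca.pem, emqx.pem, emqx.key, client.pem, client.key and the broker IP from alt_names.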
Copy the certificate files into the emqx\etc\certs directory (the default location) and edit the emqx.conf configuration file. Note that the script above names the server files emqx.pem and emqx.key, while the configuration below refers to server.pem and server.key, so either rename the files or adjust the paths. Enabling and verifying the mutual SSL/TLS connection
-
## NOTE:
## This config file overrides data/configs/cluster.hocon,
## and is merged with environment variables which start with 'EMQX_' prefix.
##
## Config changes made from EMQX dashboard UI, management HTTP API, or CLI
## are stored in data/configs/cluster.hocon.
## To avoid confusion, please do not store the same configs in both files.
##
## See https://www.emqx.io/docs/en/v5.0/configuration/configuration.html for more details.
## Configuration full example can be found in etc/examples

node {
  name = "emqx@127.0.0.1"
  cookie = "emqxsecretcookie"
  data_dir = "data"
}

cluster {
  name = emqxcl
  discovery_strategy = manual
}

dashboard {
  listeners.http {
    bind = 18083
  }
}

listeners.ssl.default {
  bind = "0.0.0.0:8883"
  ssl_options {
    cacertfile = "/opt/emqx/etc/certs/ca.pem"
    certfile = "/opt/emqx/etc/certs/server.pem"
    keyfile = "/opt/emqx/etc/certs/server.key"
    # Only needed when the private key file is password-protected
    #password = "123456"
    # One-way TLS: the client certificate is not verified
    #verify = verify_none
    # Mutual TLS: require and verify a client certificate signed by ca.pem
    verify = verify_peer
    fail_if_no_peer_cert = true
  }
}
Verifying the connection with MQTTX
-
If the connection succeeds, the setup has passed the test.
This concludes the article on configuring EMQX SSL/TLS mutual authentication (tested and working).