Some text here.

1. How to query a key

   opesssl x509 -text -in xxx.crt

2. Make the CA key and self-signed cert.

   openssl req -x509 -nodes \ -newkey RSA:2048 \ -keyout mqtt_ca.key \ -days 3650 \ -out mqtt_ca.crt \ -subj '/C=US/ST=CA/L=SF/O=S/CN=hostname'

3. Make the client or server key and signing request.

   openssl req -nodes \ -newkey rsa:2048 \ -keyout hostname.key \ -out hostname.csr \ -subj '/C=US/ST=CA/L=SF/O=S/CN=hostname'

4. Sign the request with the CA key, producing a signed cert.

   Note

   The -extfile stuff was for local DNS; not necessary for MQTT.

   openssl x509 -req \ -CA ../mqtt_ca.crt \ -CAkey mqtt_ca.key \ -in hostname.csr \ -out hostname.crt \ -days 365 \ -CAcreateserial \ -extfile <(printf "subjectAltName = DNS.0:hostname2\nauthorityKeyIdentifier = keyid,issuer\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth")

5. Install certificates in default MQTT locations

   Copy the certificates to the standard places and standard file names. sudo cp ../broker/mqtt_broker.crt /etc/mosquitto/ca_certificates/mqtt_ca.pem sudo cp hostname.crt /etc/mosquitto/certs/client_cert.pem sudo cp hostname.key /etc/mosquitto/certs/client_key.pem