Chapter 31.  Set up an encrypted MQTT system on a LAN
Prev  Part VI.  MQTT Network with self-signed certs  Next

Chapter 31.  Set up an encrypted MQTT system on a LAN

Some text here.

Note

from stackoverflow

  1. How to query a key

    opesssl x509 -text -in xxx.crt

  2. Make the CA key and self-signed cert.

    openssl req -x509 -nodes \ -newkey RSA:2048 \ -keyout mqtt_ca.key \ -days 3650 \ -out mqtt_ca.crt \ -subj '/C=US/ST=CA/L=SF/O=S/CN=hostname'

  3. Make the client or server key and signing request.

    openssl req -nodes \ -newkey rsa:2048 \ -keyout hostname.key \ -out hostname.csr \ -subj '/C=US/ST=CA/L=SF/O=S/CN=hostname'

  4. Sign the request with the CA key, producing a signed cert.

    Note

    The -extfile stuff was for local DNS; not necessary for MQTT.

    openssl x509 -req \ -CA ../mqtt_ca.crt \ -CAkey mqtt_ca.key \ -in hostname.csr \ -out hostname.crt \ -days 365 \ -CAcreateserial \ -extfile <(printf "subjectAltName = DNS.0:hostname2\nauthorityKeyIdentifier = keyid,issuer\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth")