1.We first need to install OpenSSL in order to create our certificates and keys. It is available as source on GitHub and as a Windows .exe installer.
2.Create CA key pair: Open the Windows start menu, search for OpenSSL and open the "OpenSSL Command Prompt". Run the following commands as administrator.
openssl genrsa -des3 -out ca.key 2048
genrsa: generates an RSA private key
des3: encrypts the generated private key with Triple DES under a pass phrase (it does not change how the key itself is generated). Triple DES is a legacy cipher; on current OpenSSL builds -aes256 is the better choice
out: specifies the output file name (.key)
2048: number of bits for the private key
Your output should look like this:
C:\Users\schue>openssl genrsa -des3 -out ca.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

C:\Users\schue>
Enter any pass phrase, but remember it: it is needed every time the CA key is used, which is in step 3 and again in step 6.
The pass phrase encrypts the private key on disk, so someone who copies ca.key still cannot sign anything without it. The file ca.key holds the RSA private key; the public half can be derived from it, so there is no separate public key file.
3.Create CA certificate: Next we create a self-signed certificate for the CA, using the key pair created in the previous step:
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
req: certificate request and certificate generating utility
new: generate a new request; it prompts for the Distinguished Name fields
x509: output a self-signed certificate instead of a certificate request
days: number of days the certificate is valid (1826 here, about five years; the run shown below used 3650, either is fine for a private CA)
key: key file with the private key used for signing
out: specifies the file name for the certificate (.crt)
You should get something like this:
C:\Users\schue>openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Uni
Organizational Unit Name (eg, section) []:Master
Common Name (e.g. server FQDN or YOUR name) []:schue
Email Address []:.

C:\Users\schue>
As Common Name you can use your user name, "schue" in my case. Any name works for the CA, but the CA's Distinguished Name must differ from the one you give the broker certificate in step 5 (here the Organization and Organizational Unit differ): if the two subjects were identical, the broker certificate would look self-signed and clients would reject it.
4.Create broker key pair: Next, we create the private key for the broker (the server) with:
openssl genrsa -out server.pem 2048
genrsa: generate an RSA private key
out: specifies the output file name (.pem). This key is not encrypted (no -des3), which is what a broker that has to start unattended needs; protect the file with file permissions instead
2048: number of bits for the private key
5.Create certificate request for the broker: The broker key has to be certified by our CA, so we create a certificate signing request (CSR) for it; the CA signs that request in the next step. Use a Distinguished Name that differs from the CA's, and if the client is going to check the server name, make the Common Name (or a subjectAltName) the hostname or IP address the ESP32 connects to:
openssl req -new -out server.csr -key server.pem
req: certificate request and certificate generating utility
new: create a new request file
out: file name for the certificate signing request (.csr)
key: file name of the private key whose public half is to be certified
Your output should look like this:
C:\Users\schue>openssl req -new -out server.csr -key server.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UniMuni
Organizational Unit Name (eg, section) []:EL
Common Name (e.g. server FQDN or YOUR name) []:schue
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:0815
An optional company name []:IT

C:\Users\schue>
The two 'extra' attributes are legacy CSR fields: they are not copied into the certificate and can simply be left blank.
6.Verify and sign the certificate request: The last OpenSSL step is to have the CA sign the broker's request, which produces the broker certificate:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.der -days 360
x509: certificate display and signing utility
req: a certificate request is expected as input instead of a certificate
in: the certificate request to sign (server.csr)
CA: the CA certificate; its subject becomes the issuer of the new certificate
CAkey: CA private key to sign the certificate with (you will be asked for its pass phrase)
CAcreateserial: creates the CA serial number file (ca.srl) if it does not exist yet
out: output file name. Note that x509 writes PEM by default, so despite its name cert.der is a PEM file here; add -outform der (as done for the key in step 7) if the client really needs DER
days: how long the certificate shall be valid (360 days here, shorter than the CA certificate)
7.Convert your .pem key to a .der file: the MicroPython ssl module on the ESP32 takes the key (and certificate) as DER-encoded bytes, so convert the broker key:
openssl rsa -inform pem -in server.pem -outform der -out key.der
rsa: RSA key processing utility
inform / outform: input and output encoding (PEM text or binary DER)
in / out: input and output file names
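The whole sequence from step 2 to step 7 as one non-interactive script, added here as an example; it is not code from the original post or from the dev.to article. It goes a little further than the steps above: it passes the Distinguished Names with -subj instead of answering prompts, uses -aes256 instead of -des3 for the CA key, adds a subjectAltName for the broker, writes the certificate as real DER, and finishes with the checks you would want before copying anything to the broker or the ESP32 (chain, hostname, PEM/DER equivalence, key/certificate match, CA key still encrypted). The hostname broker.example.lan, the address 192.168.1.10, the CA_PASSPHRASE variable and the output directory argument are assumptions of this example, not values from the post.

```bash
#!/bin/sh
# Added example (not from the original post): steps 2 to 7 as one
# non-interactive script plus the checks worth running afterwards.
# Assumptions (mine, not the post's): the broker is reached as
# broker.example.lan / 192.168.1.10, the CA pass phrase comes from
# CA_PASSPHRASE, and everything is written into the directory given as $1.
set -eu

make_mqtt_pki() (
    dir=$1
    broker_host=${2:-broker.example.lan}
    broker_ip=${3:-192.168.1.10}
    ca_pass=${CA_PASSPHRASE:-change-me}    # assumed default; set a real one
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Step 2: CA private key, encrypted at rest. AES-256 in place of the
    # post's -des3; Triple DES is legacy and may be missing from new builds.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca.key 2048 || exit 1

    # Step 3: self-signed CA certificate (5 years). Its subject must differ
    # from the broker's, otherwise the broker cert looks self-signed.
    openssl req -new -x509 -days 1826 -key ca.key -passin "pass:$ca_pass" \
        -subj "/C=DE/ST=Bavaria/L=Munich/O=Uni/OU=Master/CN=MQTT Test CA" \
        -out ca.crt || exit 1

    # Step 4: broker key. Unencrypted so the broker can start unattended;
    # file permissions protect it instead (see chmod below).
    openssl genrsa -out server.pem 2048 || exit 1

    # Step 5: certificate signing request for the broker. The CN is the
    # hostname the ESP32 will connect to, not a user name.
    openssl req -new -key server.pem \
        -subj "/C=DE/ST=Bavaria/L=Munich/O=Uni/OU=Broker/CN=$broker_host" \
        -out server.csr || exit 1

    # Step 6: sign with the CA. x509 writes PEM regardless of the output
    # name, so the PEM cert goes to server.crt and DER is derived from it.
    # A subjectAltName is added because clients match SAN before CN.
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$broker_host" "$broker_ip" > san.cnf
    openssl x509 -req -sha256 -days 360 -in server.csr \
        -CA ca.crt -CAkey ca.key -passin "pass:$ca_pass" -CAcreateserial \
        -extfile san.cnf -out server.crt || exit 1
    openssl x509 -in server.crt -outform der -out cert.der || exit 1

    # Step 7: broker key as DER for the MicroPython ssl module.
    openssl rsa -inform pem -in server.pem -outform der -out key.der || exit 1
    chmod 600 ca.key server.pem key.der
)

# Returns 0 only if the generated files pass every check.
verify_mqtt_pki() (
    cd "$1" || exit 1
    broker_host=${2:-broker.example.lan}
    # The broker certificate must chain to the CA and match the hostname.
    openssl verify -CAfile ca.crt -verify_hostname "$broker_host" server.crt \
        >/dev/null 2>&1 || exit 1
    # cert.der must be the very same certificate as server.crt.
    [ "$(openssl x509 -in server.crt -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in cert.der -inform der -noout -fingerprint -sha256)" ] || exit 1
    # key.der must be the private key belonging to that certificate.
    [ "$(openssl x509 -in server.crt -noout -modulus)" = \
      "$(openssl rsa -in key.der -inform der -noout -modulus)" ] || exit 1
    # The CA key must stay unusable without its pass phrase.
    ! openssl rsa -in ca.key -passin pass:wrong -noout >/dev/null 2>&1
)

# Usage: CA_PASSPHRASE=... ./pki.sh ./out broker.example.lan 192.168.1.10
if [ "${1:-}" != "" ]; then
    make_mqtt_pki "$1" "${2:-broker.example.lan}" "${3:-192.168.1.10}"
    verify_mqtt_pki "$1" "${2:-broker.example.lan}" && echo "PKI OK: $1"
fi
```

The verification half is the part the manual walk-through above lacks: openssl verify confirms the broker certificate really was issued by ca.crt and carries the expected name, and the modulus comparison catches the classic mistake of pairing a certificate with a key it does not belong to. Run it before every deployment, not only the first time.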
Original article: https://dev.to/bassparanoya/esp32-micropython-mqtt-tls-28fd
The next post covers improvements to the process above and the MicroPython-side implementation.
From: https://www.cnblogs.com/timseng/p/17280446.html