TLS证书生成及测试
环境准备
openssl
根证书
1、先生成自签名 CA 证书要用的私钥（它是整个信任链的根：拿到 ca.key 的人可以签发任何被信任的证书，所以应离线保存、限制文件权限，不要放到 broker 主机或代码仓库中）
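# Private key of the self-signed CA. Every certificate signed with it is trusted
# by all clients that install ca.pem, so keep the file out of reach of other users
# (recent OpenSSL already creates it 0600; older releases honour umask, hence chmod).
openssl genrsa -out ca.key 2048
chmod 600 ca.key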
2、生成 CA 证书（自签名，有效期 3650 天。-nodes 只在 req 自己生成私钥时起作用，这里私钥已由上一步提供，因此不起作用；没有 -config/-subj 时会交互式提示输入 DN）
# Self-signed CA certificate for the key above (SHA-256, valid 10 years).
# No -config is given, so the DN is prompted for interactively and the
# extensions come from the system default openssl.cnf.
openssl req -new -x509 -sha256 -days 3650 -nodes -key ca.key -out ca.pem
3、查看证书内容，确认 Issuer 与 Subject 一致，并且 X509v3 Basic Constraints 为 CA:TRUE（否则后面 openssl verify 及客户端都不会把它当作 CA）
# Dump the CA certificate in human-readable form (no PEM output).
openssl x509 -noout -text -in ca.pem
服务端证书
1、新建一个配置文件openssl.cnf
- req_distinguished_name：按实际情况修改各字段；注意许多客户端已不再用 commonName 做主机名校验，主机名/IP 只看 subjectAltName。
- alt_names:
BROKER_ADDRESS 修改为 EMQX 服务器实际的 IP 或 DNS 地址，例如：IP.1 = 127.0.0.1，或 DNS.1 = broker.xxx.com。注意 IP.* 条目只能填 IP 地址，DNS.* 条目只能填域名；只保留客户端实际用来连接的那一种（另一条删掉或注释掉），否则 openssl 会报错，或 SAN 与连接地址不匹配导致 TLS 握手失败。
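[req]
# Defaults for `openssl req -config openssl.cnf`.
default_bits = 2048
distinguished_name = req_distinguished_name
# req_ext goes into the CSR; v3_req is used when req -x509 issues a cert directly.
# `openssl x509 -req` does not copy extensions from the CSR, so the signing step
# must pass `-extfile openssl.cnf -extensions v3_req` explicitly.
req_extensions = req_ext
x509_extensions = v3_req
# Take the DN from this file instead of prompting.
prompt = no
[req_distinguished_name]
# Adjust to the deploying organization. Many clients match the broker address
# against subjectAltName rather than commonName, so commonName is informational.
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
commonName = Server certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
# Mark issued certificates as end-entity certs so a leaked server/client key
# cannot be used to sign further certificates that chain to this CA.
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
# Keep only the entry type clients actually connect with. IP.n must hold a
# literal IP address (IP.1 = 127.0.0.1); DNS.n a hostname (DNS.1 = broker.xxx.com).
# Substituting a hostname into IP.1 makes openssl reject the configuration.
IP.1 = BROKER_ADDRESS
DNS.1 = BROKER_ADDRESS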
2、生成一个服务端私钥
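# Server private key. It is later copied to the broker's config directory
# (unencrypted, see the empty key password below), so restrict it to the
# service user.
openssl genrsa -out server.key 2048
chmod 600 server.key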
3、生成一个服务端证书请求
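# CSR for the server key generated in the previous step. The original command
# referenced ./emqx.key, which is never created on this page; the key is server.key.
openssl req -new -key server.key -config openssl.cnf -out server.csr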
4、使用根证书来生成服务端证书
# Sign the CSR with the CA (SHA-256, 10-year validity; -CAcreateserial creates
# ca.srl on first use). x509 -req does not carry extensions over from the CSR,
# so the SAN is re-read from openssl.cnf's v3_req section here.
openssl x509 -req -sha256 -days 3650 \
  -in server.csr \
  -CA ca.pem -CAkey ca.key -CAcreateserial \
  -extfile openssl.cnf -extensions v3_req \
  -out server.pem
验证证书
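# Chain check: server.pem must verify against the CA that issued it.
openssl verify -CAfile ca.pem server.pem
# expected output: server.pem: OK
# The SAN only lands in the cert if -extfile was passed at signing time; confirm it
# is present before deploying (-ext needs OpenSSL >= 1.1.1; otherwise grep -text output).
openssl x509 -in server.pem -noout -ext subjectAltName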
客户端证书
先生成一个私钥
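# Client private key; like the server key it is stored unencrypted, so restrict
# file permissions before handing it to the device/application.
openssl genrsa -out client.key 2048
chmod 600 client.key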
生成客户端证书请求
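# CSR for the client key (the original referenced ./emqx.key, which does not exist
# on this page). openssl.cnf carries the server's DN and SAN; if the client needs
# its own identity, override the DN with -subj "/C=.../O=.../CN=<client-name>".
openssl req -new -key client.key -config openssl.cnf -out client.csr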
使用根证书来生成客户端证书
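# Sign the client CSR. -extensions has no effect unless -extfile names the file
# the section lives in (the server command passes it; this one did not), so
# -extfile openssl.cnf is added for consistency. Note the alt_names SAN in that
# file is the broker's address and is meaningless for a client cert; use a
# dedicated section if client extensions are needed.
openssl x509 -req -in ./client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf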
文件转换
pem 转 crt（这里 -outform der 输出的是二进制 DER 编码；.crt 扩展名本身不区分 PEM/DER，后续读取时用 -inform 指定正确格式即可）
# Re-encode the PEM certificate as binary DER (input format defaults to PEM).
openssl x509 -inform pem -in client.pem -outform der -out client.crt
文件验证
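# Inspect the DER file produced above. The original pointed at example.crt, which is
# never created here, and omitted -inform der, so openssl would fail to parse the
# binary file as PEM.
openssl x509 -inform der -noout -text -in client.crt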
TB里面配置
1、将生成的服务端证书和私钥放到 ThingsBoard 的配置目录中（文件名需与下面配置里的路径一致，或相应修改路径）；私钥文件只允许运行 ThingsBoard 的用户读取
2、更改配置
#mqtt-ssl
# Enable TLS on the MQTT transport.
MQTT_SSL_ENABLED=true
# Credentials are given as PEM files (cert + key) rather than a keystore.
MQTT_SSL_CREDENTIALS_TYPE=PEM
# Server certificate and key generated above (server.pem / server.key); rename the
# files or adjust these paths so they match. If clients are expected to validate a
# chain, the file may need to include intermediate certs as well.
MQTT_SSL_PEM_CERT=/config/thingsboard-server.pem
# Private key file — must be readable only by the ThingsBoard service user.
MQTT_SSL_PEM_KEY=/config/thingsboard-server.key
# Empty because the key was generated unencrypted; set it if the key is encrypted,
# and keep this file out of version control in that case.
MQTT_SSL_PEM_KEY_PASSWORD=