Versions Compared

Old Version 1

changes.mady.by.user Gill Houghton

Saved on

compared with

New Version 2

changes.mady.by.user Gill Houghton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As a first step, we need to generate certificates for Chariot, MQTT Engine and MQTT Transmission. Let’s create the following directory tree to work with:

├── ca/
│  ├── engine
│   │  ├── server
│   │  └── transmission
└── certs/
    ├── engine
    ├── server
    └── transmission

...

  • Generate CA certificate chain
    • Generate Root CA certificate signed with the Root CA
    • Generate Server (i.e. Chariot) CA certificate signed with the Root CA
    • Generate Client (i.e. MQTT Engine and Transmission) CA certificate signed with the Root CA
  • Generate Server (i.e. Chariot) certificate signed with Server CA private key

  • Generate Client (i.e. MQTT Engine) certificate signed with the Engine CA’s private key


  • Generate Client (i.e. MQTT Transmission) certificate signed with Transmission CA’s private key

...

So, in summary, the Root CA should sign the CA certificates for both the Server CA and Client CA, while the Server CA and Client CA themselves are responsible for signing SSL certificates for servers and clients, respectively.

Generate CA Certificate Chain

Generate Root CA certificate signed with the Root CA

  1. Generate a private key file (ca.key) for the Root CA using the command below

    :

    . You will be required to enter a pass phrase to be associated with the ca.key file

    Code Block
    languagetext
    openssl genrsa -des3 -out ca/ca.key 2048


  2. Generate a self-signed certificate (ca.crt) for the Root CA using the command below. This command generates a new self-signed X.509 certificate named "ca.crt" valid for 3650 days (10 years) using the RSA private key "ca.key" and you will be required to enter teh pass phrase created earlier. 

    Code Block
    languagetext
    openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt


    Note

    There are a number of fields associated with the creation of the certificate. The required fields are:

    Country Name (2 letter code) []:

    State or Province Name (full name) []:

    Locality Name (eg, city) []:

    Organization Name (eg, company) []:

    Organizational Unit Name (eg, section) []: We set this to CA

    Common Name (eg, fully qualified host name) [] We set this to the FQDN of the Chariot server

    Email Address []:


Generate Server CA certificate signed with the Root CA