You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

This document describes how to configure Server and Client authentication when setting secure (SSL) connections between Chariot, MQTT Engine and MQTT Transmission.

Generating Certificates and Keys

As a first step, we need to generate certificates for Chariot, MQTT Engine and MQTT Transmission. Let’s create the following directory tree to work with:

├── ca/
│  ├── engine/
│  ├── server/
│  └── transmission/
└── certs/
    ├── engine/
    ├── server/
    └── transmission/

Here is a summary of what needs to be done here:

  • Generate CA certificate chain
    • Generate Root CA certificate signed with the Root CA
    • Generate Server CA certificate signed with the Root CA
    • Generate MQTT Engine Client CA certificate signed with the Root CA
    • Generate MQTT Transmission Client CA certificate signed with the Root CA
  • Generate Server certificate signed with Server CA private key

  • Generate MQTT Engine Client certificate signed with the Engine CA’s private key

  • Generate MQTT Transmission Client certificate signed with Transmission CA’s private key

Generating CA Certificates

The Root CA is the highest level of authority in the certificate hierarchy, and is responsible for issuing CA certificates to lower-level CAs, such as the Server CA and Client CAs. When the Root CA issues a CA certificate to a lower-level CA, it signs the certificate with its private key, which allows clients to verify the authenticity of the CA certificate using the Root CA's public key.

The Server CA and Client CA, in turn, use their own private keys to sign SSL certificates for servers and clients, respectively. These SSL certificates can then be verified by clients using the CA certificate issued by the Root CA.

So, in summary, the Root CA should sign the CA certificates for both the Server CA and Client CA, while the Server CA and Client CA themselves are responsible for signing SSL certificates for servers and clients, respectively.

Generate CA Certificate Chain

Generate Root CA certificate signed with the Root CA

  1. Generate a private key file (ca.key) for the Root CA using the command below. You will be required to enter a pass phrase to be associated with the ca.key file

    openssl genrsa -des3 -out ca/ca.key 2048

  2. Generate a self-signed certificate (ca.crt) for the Root CA using the command below. This command generates a new self-signed X.509 certificate named "ca.crt" valid for 3650 days (10 years) using the RSA private key "ca.key". A "ca.srl" file will also be created containing the signed certificate's unique serial number. You will be required to enter the pass phrase associated with the private key file "ca.key". 

    openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt

    There are a number of fields associated with the creation of the certificate. The required fields are:

    Country Name (2 letter code) []:

    State or Province Name (full name) []:

    Locality Name (eg, city) []:

    Organization Name (eg, company) []:

    Organizational Unit Name (eg, section) []: We set this to CA

    Common Name (eg, fully qualified host name) [] We set this to the FQDN of the Chariot server

    Email Address []:

Generate Server CA certificate signed with the Root CA

  1. Generate a private key file (serverCA.key) for the Server CA using the command below. You will be required to enter a pass phrase to be associated with the serverCA.key file.

    openssl genrsa -des3 -out ca/server/serverCA.key 2048

  2. Generate a Certificate Signing Request (CSR) for the server CA using the command below. This command generates a new CSR named "serverCA.csr’ using the RSA private key "serverCA.key" and you will be required to enter the pass phrase created in the previous step.

    openssl req -new -key ca/server/serverCA.key -out ca/server/serverCA.csr

    There are a number of fields associated with the creation of the certificate. The required fields are:

    Country Name (2 letter code) []:

    State or Province Name (full name) []:

    Locality Name (eg, city) []:

    Organization Name (eg, company) []:

    Organizational Unit Name (eg, section) []: We set this as Server CA

    Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server

    Email Address []:


    Extra attributes to be sent with the certificate request are:

    A challenge password []:

  3. Sign the Server CA with the Root CA using the command below. This command will sign the CSR "serverCA.csr" with the Root CA certificate ‘ca.crt’ and RSA private key ‘ca.key’, creating a new X.509 certificate named ‘serverCA.crt’ valid for 3650 days (10 years). A "serverCA.srl" file will also be created containing the signed certificate's unique serial number. You will be required to enter the pass phrase associated with the private key file "ca.key". 

    openssl x509 -req -in ca/server/serverCA.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out ca/server/serverCA.crt -days 3650

Generate MQTT Engine Client CA certificate signed with the Root CA

  1. Generate a private key file (engineCA.key) for MQTT Engine CA using the command below. You will be required to enter a pass phrase to be associated with the engineCA.key file. 

    openssl genrsa -des3 -out ca/engine/engineCA.key 2048

  2. Generate a Certificate Signing Request (CSR) for the MQTT Engine CA using the command below. This command generates a new CSR named "engineCA.csr’ using the RSA private key "engineCA.key" and you will be required to enter the pass phrase created in the previous step.

    openssl req -new -key ca/engine/engineCA.key -out ca/engine/engineCA.csr

    There are a number of fields associated with the creation of the certificate. The required fields are:

    Country Name (2 letter code) []:

    State or Province Name (full name) []:

    Locality Name (eg, city) []:

    Organization Name (eg, company) []:

    Organizational Unit Name (eg, section) []: We set this as MQTT Engine CA

    Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server

    Email Address []:


    Extra attributes to be sent with the certificate request are:

    A challenge password []:

  3. Sign the MQTT Engine CA with the Root CA using the command below. This command will sign the CSR "engineCA.csr" with the Root CA certificate ‘ca.crt’ and RSA private key ‘ca.key’, creating a new X.509 certificate named ‘engineCA.crt’ valid for 3650 days (10 years). An "engineCA.srl" file will also be created containing the signed certificate's unique serial number. You will be required to enter the pass phrase associated with the private key file "ca.key".

    openssl x509 -req -in ca/engine/engineCA.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out ca/engine/engineCA.crt -days 3650





You should now see the following files created:

├── ca/

│   ├── ca.crt

│   ├── ca.key

│   ├── ca.srl

│   ├── server/

│   │   ├── serverCA.crt

│   │   ├── serverCA.csr

│   │   ├── serverCA.key

│   │   └── serverCA.srl


   






























You should now have the following files:

├── ca/

│   ├── ca.crt

│   ├── ca.key

│   ├── ca.srl

│   ├── engine/

│   │   ├── engineCA.crt

│   │   ├── engineCA.csr

│   │   ├── engineCA.key

│   │   └── engineCA.srl

│   ├── server/

│   │   ├── serverCA.crt

│   │   ├── serverCA.csr

│   │   ├── serverCA.key

│   │   └── serverCA.srl

│   └── transmission/

│       ├── transmissionCA.crt

│       ├── transmissionCA.csr

│       ├── transmissionCA.key

│       └── transmissionCA.srl

└── certs/

    ├── engine/

    │   ├── engine.crt

    │   ├── engine.csr

    │   └── engine.key

    ├── server/

    │   ├── server.crt

    │   ├── server.csr

    │   └── server.key

    └── transmission/

        ├── transmission.crt

        ├── transmission.csr

        └── transmission.key


  • No labels

New to MQTT? Start Here!