```bash
#!/bin/bash
# Generates a self-signed CA plus a CA-signed server and client certificate,
# all with the broker's IP address as the CN.
IP="192.168.1.22"
SUBJECT_CA="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=CA/CN=$IP"
SUBJECT_SERVER="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=Server/CN=$IP"
SUBJECT_CLIENT="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=Client/CN=$IP"

# Self-signed CA: key and certificate in one step, valid for one year.
function generate_CA () {
    echo "$SUBJECT_CA"
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_CA" -days 365 -keyout ca.key -out ca.crt
}

# Server key + CSR, then a certificate signed by the CA above.
function generate_server () {
    echo "$SUBJECT_SERVER"
    openssl req -nodes -sha256 -new -subj "$SUBJECT_SERVER" -keyout server.key -out server.csr
    openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
}

# Client key + CSR, then a certificate signed by the same CA (for mutual TLS).
function generate_client () {
    echo "$SUBJECT_CLIENT"
    openssl req -new -nodes -sha256 -subj "$SUBJECT_CLIENT" -out client.csr -keyout client.key
    openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
}

generate_CA
generate_server
generate_client
```
@MonkiyPython
Thank you for your feedback; can you please add your reference for this feedback?
Please note that this is for self-signed certificates, we are using an IP as the CN.
Do these keys follow PKI infrastructure?
@gilillo32
Sorry, I am unsure how to answer your question; please elaborate a bit more on your question.
Sorry, it has been a very quick question and I haven't had the time to express myself. The question is: I have been asked to raise an MQTT broker with certificate authentication following the PKI infrastructure and I have found this gist to create keys for the MQTT broker. Do these keys follow that infrastructure?
@gilillo32
Thanks for the clarification. The example creates self-signed certificates. I think you are looking for a solution with CA-signed certificates.
I have something similar here (maybe you can use some of it): https://medium.com/himinds/mqtt-broker-with-secure-websocket-using-traefik-docker-compose-and-lets-encrypt-2b8e32207555
Kind regards,
Suru
Hi,
I took your script and adapted it to a batch script for use in Windows PowerShell/Terminal. It worked very well, thank you for that!
I'm trying to use this for my Mosquitto installation and this works well, too. But I would like to have one or two FQDN alongside the IP address, so that it will be easier to adapt to changing IPs. Do you have some pointers for me?
CA CN should be different from Server and Client, otherwise a TLS error will be generated.
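The two comments above ask for FQDNs alongside the IP address and point out that the CA's CN must differ from the server's. Both are handled by putting the names in a subjectAltName extension and giving the CA its own CN. The script below is an added example written for this page, not the gist author's code: it assumes `openssl` is on PATH, the output directory is writable, and the IP, hostnames and function names (`make_pki`, `verify_chain`, `cert_has_san`, `verify_for_host`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the gist's code). Builds a small PKI in <outdir>:
#   - a CA whose CN differs from the server's CN
#   - a server certificate whose SAN carries the IP plus any DNS names
# Assumptions: openssl(1) in PATH; <outdir> is writable.
set -eu

# san_list <ip> [dns ...] -> "IP:<ip>,DNS:<name>,..."
san_list() {
  san_ip="$1"; shift
  san="IP:$san_ip"
  for name in "$@"; do
    san="$san,DNS:$name"
  done
  printf '%s' "$san"
}

# make_pki <outdir> <ip> [dns ...]
make_pki() {
  dir="$1"; ip="$2"; shift 2
  mkdir -p "$dir"
  san=$(san_list "$ip" "$@")

  # 1. CA key + CSR, then self-sign with explicit CA extensions.
  #    The CN is deliberately NOT the IP used for the server certificate.
  openssl req -nodes -sha256 -new -newkey rsa:2048 \
    -subj "/C=SE/O=himinds/OU=CA/CN=himinds-test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr"
  cat > "$dir/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" \
    -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.crt"

  # 2. Server key + CSR. The CN is informational; clients match the SAN.
  openssl req -nodes -sha256 -new -newkey rsa:2048 \
    -subj "/C=SE/O=himinds/OU=Server/CN=$ip" \
    -keyout "$dir/server.key" -out "$dir/server.csr"

  # 3. Extensions for the server certificate: SAN with IP + FQDNs, serverAuth EKU.
  cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
authorityKeyIdentifier=keyid,issuer
subjectAltName=$san
EOF

  # 4. Sign with the CA, attaching the extensions (x509 -req drops them otherwise).
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# verify_chain <outdir> -> exit 0 if server.crt chains to ca.crt
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_has_san <outdir> <needle> -> exit 0 if the SAN text contains <needle>
# (e.g. "DNS:broker.local" or "IP Address:192.168.1.22")
cert_has_san() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "$2"
}

# verify_for_host <outdir> <hostname> -> exit 0 only if the chain is valid AND
# <hostname> matches the certificate (what an MQTT client checks at connect).
verify_for_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Run directly:  ./mkpki.sh <outdir> <ip> <dns1> [dns2 ...]
if [ $# -ge 2 ]; then
  make_pki "$@"
  verify_chain "$1" && echo "chain OK: $1/server.crt"
fi
```

The point of the SAN is that a client connecting as `mqtts://broker.local:8883` matches `DNS:broker.local`, while one connecting by address matches `IP:192.168.1.22`, so the IP can change without touching the hostname entries. Keeping the CA's CN distinct matters because OpenSSL compares subject and issuer names when deciding whether a certificate is self-signed; a server certificate whose subject equals the CA's subject (and, as in the gist's `x509 -req` output, carries no authority key identifier) is taken for a self-signed certificate and fails chain verification, which is the TLS error the last comment refers to.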