
I am not familiar with SSL/TLS; I am trying to set up my Mosquitto broker with SSL. For testing purposes I am not using a real rootCA; I created my own rootCA. Here is what I think SSL is; correct me if I am wrong, I am a noob.

The rootCA can issue second-layer CAs, certs and keys; client and server exchange this information, and when one needs to verify the identity of the other, it brings this information to the rootCA and asks whether it is correct.

So I followed the Mosquitto documentation and used OpenSSL to generate rootCA.crt, server.crt and server.key. I also generated client.crt and client.key, so that when my client application connects to the Mosquitto broker, the broker can identify that connection. I added the ca file, key file and cert file configuration to my local.conf, restarted Mosquitto, and it works. Then I used mosquitto_sub with ca.crt, client.crt and client.key to connect to the broker, and that works too.

What I don't understand is why the documentation teaches me how to generate server.csr and client.csr. I am guessing that if I am not the rootCA, I need to send these CSRs to the real rootCA for those certificates to become legitimate; is that what a CSR is for?

Maxi Wu
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww May 11 '17 at 14:06
  • Also see [How do you sign a Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww May 11 '17 at 14:40

1 Answer


A .csr is a certificate signing request to be signed with your CA.crt and CA.key; you won't need to use it on your Mosquitto broker, only CA.crt and client.crt/key are required. If you want to test it out, download the MQTT.fx client to check your MQTT connection with these certificates: http://mqttfx.jensd.de/

The openssl command would be for example:

openssl x509 -req -in client.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out client.crt -days 365

MarcoPolo11
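The full CSR round trip the answer describes, as an added example that is not part of the question or the answer above: a private root CA is created, a client key and CSR are generated, the CSR is signed with the CA (the same x509 command as in the answer), and the result is checked with openssl verify. It also shows the check a practitioner wants: the signed certificate verifies against the CA that issued it, but not against an unrelated CA, which is exactly what a broker's cafile setting relies on. All file names, the work directory and the subject names (Test Root CA, client, Other CA) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Requires the openssl CLI.
# Every file lives in $WORK (a temporary directory by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed private root CA: its key never leaves this directory,
# and only certificates signed by it will verify against ca.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Test Root CA" >/dev/null 2>&1
}

# Generate a private key plus a CSR for "$1". The CSR carries the subject and
# the public key, signed only by that key; it is not yet trusted by anyone.
make_csr() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# Sign the CSR with the CA. This is the command from the answer; the CA's
# signature is what turns the request into a certificate the broker can trust.
sign_csr() {
    name="$1"
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$name.crt" -days 365 -sha256 >/dev/null 2>&1
}

# Chain check: returns 0 only if "$1.crt" was issued by ca.crt.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Negative check: a second, unrelated CA must reject the client certificate,
# even though the certificate itself is well formed.
untrusted_ca_rejected() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" \
        -subj "/CN=Other CA" >/dev/null 2>&1
    ! openssl verify -CAfile "$WORK/other.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Run the whole flow: CA, CSR, signing, verification.
demo() {
    make_ca
    make_csr client
    sign_csr client
    verify_cert client
}

# Stand-alone run: print where the files are so they can be pointed at with
# Mosquitto's cafile/certfile/keyfile and mosquitto_sub's --cafile/--cert/--key.
if [ "${1:-}" = "run" ]; then
    demo && untrusted_ca_rejected && echo "CA, client.csr and client.crt created in $WORK"
fi
```

Run it as `sh csr_demo.sh run`. The files it leaves behind map directly onto the broker configuration the question describes: ca.crt goes in cafile (and is what mosquitto_sub passes as --cafile), and client.crt/client.key are the --cert/--key pair presented by the client.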