```bash
#!/bin/bash
IP="192.168.1.22"
SUBJECT_CA="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=CA/CN=$IP"
SUBJECT_SERVER="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=Server/CN=$IP"
SUBJECT_CLIENT="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=Client/CN=$IP"

# Self-signed root CA. -nodes leaves ca.key unencrypted on disk, so restrict
# access to it; it signs every server and client certificate below.
function generate_CA () {
  echo "$SUBJECT_CA"
  openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_CA" -days 365 -keyout ca.key -out ca.crt
}

# Server key and CSR, then a certificate signed by the CA above.
# -CAcreateserial creates ca.srl on first use and reuses it afterwards.
function generate_server () {
  echo "$SUBJECT_SERVER"
  openssl req -nodes -sha256 -new -subj "$SUBJECT_SERVER" -keyout server.key -out server.csr
  openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
}

# Client key, CSR and CA-signed certificate for mutual-TLS authentication.
function generate_client () {
  echo "$SUBJECT_CLIENT"
  openssl req -new -nodes -sha256 -subj "$SUBJECT_CLIENT" -out client.csr -keyout client.key
  openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
}

generate_CA
generate_server
generate_client
```
Sorry, it has been a very quick question and I haven't had the time to express myself. The question is: I have been asked to raise an MQTT broker with certificate authentication following the PKI infrastructure and I have found this gist to create keys for the MQTT broker. Do these keys follow that infrastructure?
@gilillo32
Thanks for the clarification. The example creates self-signed certificates. I think you are looking for a solution with CA-signed certificates.
I have something similar here (maybe you can use some of it): https://medium.com/himinds/mqtt-broker-with-secure-websocket-using-traefik-docker-compose-and-lets-encrypt-2b8e32207555
Kind regards,
Suru
Hi,
I took your script and adapted it to a batch script for use in Windows PowerShell/Terminal. It worked very well, thank you for that!
I'm trying to use this for my Mosquitto installation and this works well, too. But I would like to have one or two FQDNs alongside the IP address, so that it will be easier to adapt to changing IPs. Do you have some pointers for me?
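The gist puts only the IP address in the CN. TLS clients match the name they connected to against the Subject Alternative Name extension, so a broker that is also reached by hostname needs DNS entries there next to the IP. The following is an added example, not the gist author's code: it reuses the gist's subject and CA files (ca.key, ca.crt), and the hostnames are constructed placeholders.

```bash
#!/bin/bash
# Added example (not part of the gist): issue a server certificate whose
# Subject Alternative Name lists the broker's IP address and DNS names,
# so clients may verify it by either. Assumes ca.key/ca.crt from the
# gist's generate_CA; the IP and hostnames below are placeholders.
set -e

IP="192.168.1.22"
DNS_NAMES="mqtt.example.internal broker.example.internal"  # constructed placeholders
SUBJECT_SERVER="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=Server/CN=${DNS_NAMES%% *}"

# Print the X.509 v3 extension block for openssl x509 -extfile.
# Arguments: <ip> [dns-name ...]
san_ext () {
  local ip="$1"; shift
  local san="IP:${ip}"
  local name
  for name in "$@"; do
    san="${san},DNS:${name}"
  done
  printf 'basicConstraints=CA:FALSE\n'
  printf 'keyUsage=digitalSignature,keyEncipherment\n'
  printf 'extendedKeyUsage=serverAuth\n'
  printf 'subjectAltName=%s\n' "$san"
}

# Same two-step flow as the gist's generate_server, plus the SAN extension.
generate_server_san () {
  # shellcheck disable=SC2086  # splitting DNS_NAMES into words is intended
  san_ext "$IP" $DNS_NAMES > server.ext
  openssl req -nodes -sha256 -new -subj "$SUBJECT_SERVER" \
    -keyout server.key -out server.csr
  openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile server.ext -out server.crt -days 365
  # Verify every identity the broker is reached by appears in the SAN.
  openssl x509 -in server.crt -noout -ext subjectAltName
}

# Only issue when openssl and the gist's CA files are actually present.
if command -v openssl >/dev/null 2>&1 && [ -f ca.key ] && [ -f ca.crt ]; then
  generate_server_san
fi
```

Mosquitto's `certfile`/`keyfile` then point at server.crt and server.key; when the IP changes, only the `IP:` entry needs reissuing while clients keep connecting by hostname.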
@gilillo32
Sorry, I am unsure how to answer your question; please elaborate a bit more on your question.