mac或linux下:
openssl s_client -connect baidu.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gf.crt
openssl x509 -in cacert.pem
openssl x509 -noout -text -in cert.pem
给emq生成证书:
1. 生成自签名的CA key和证书(简单起见客户端和服务端共用一个CA证书)
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -subj "/CN=www.emqx.io" -out ca.pem
2. 生成服务器端的key和证书
openssl genrsa -out server.key 2048
openssl req -new -key ./server.key -out server.csr -subj "/CN=127.0.0.1"
openssl x509 -req -in ./server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 3650 -sha256
3. 生成客户端key和证书
openssl genrsa -out client.key 2048
openssl req -new -key ./client.key -out client.csr -subj "/CN=127.0.0.1"
openssl x509 -req -in ./client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 3650 -sha256
4. 将服务器端证书server.key, server.pem以及ca证书ca.pem放入/etc/emqttd/certs目录下,注意修改权限位emqttd可读,或者直接chown修改所属用户
5. 修改emq.conf配置文件
## SSL Options
listener.ssl.external.handshake_timeout = 15
listener.ssl.external.keyfile = /etc/certs/server.key
listener.ssl.external.certfile = /etc/certs/server.pem
## 开启双向认证
listener.ssl.external.cacertfile = /etc/certs/ca.pem
listener.ssl.external.verify = verify_peer
#listener.ssl.external.fail_if_no_peer_cert = true
6. 启动emqttd
7. 使用mosquitto client订阅和发布消息的命令如下:
##发送消息(如果不需要验证服务器可加上--insecure选项):
mosquitto_pub -t abc -p 1883 -d --cafile 路径/ca.pem --cert 路径/client.pem --key 路径/client.key -h 127.0.0.1 -m hello
##订阅消息命令(如果不需要验证服务器可加上--insecure选项):
mosquitto_sub -t abc -p 1883 -d --cafile 路径/ca.pem --cert 路径/client.pem --key 路径/client.key -h 127.0.0.1
==================
评论已关闭!