Q

How can I create a self-signed certificate with openssl for container applications? E.g. as needed for a TLS secured MQTT broker "mosquitto".

A

Create a temporary folder for holding the working and final files. Example:


mkdir -p /certs && cd /certs

Generate a new private key for your own "trusted" CA, and also generate the public certificate of your CA derived from that private key. Example:

openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "/C=DE/ST=MyState/L=MyCountry/O=MyCoperation/OU=MyOrg/CN=MyCA/emailAddress=ownca@email.com" -days 3650 -keyout ./ca.key -out ./ca.crt

Generate a "server" key that is used as public key and later needs to be signed by your CA. Example:


openssl genrsa -out server.key 2048

Create a configuration file. Example:


vi ./req.conf

with the following content. Example (edit to your needs):


[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = DE
ST = MyState
L = MyCountry
O = MyCoperation
OU = MyOrg
CN = MyDomain
emailAddress = MyEmail@email.com
# Extensions placed into the CSR (selected by req_extensions above).
[ v3_req ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
# Extensions copied into the signed certificate by "openssl x509 -extensions req_ext".
# keyUsage/extendedKeyUsage are repeated here so the final certificate carries them too.
[ req_ext ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
# Every name a client may use to reach the broker; indices must be unique,
# a duplicated index (e.g. two DNS.3 lines) silently drops one entry.
[ alt_names ]
DNS.1 = myname
DNS.2 = myname.local
DNS.3 = myname.domain
DNS.4 = *.localhost
DNS.5 = localhost
DNS.6 = *.mosquitto
DNS.7 = mosquitto
IP.1 = 127.0.0.1
IP.2 = 10.13.5.0

Create a "server" certificate signing request. Example:


openssl req -new -key server.key -out server.csr -config ./req.conf

Cross sign the "server" certificate. Example:


openssl x509 -req -sha256 -in ./server.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out ./server.crt -days 3650 -extensions req_ext -extfile req.conf

For the mosquitto container application, map the following 3 files into the container folder "/mosquitto/config/certs/":

├── certs
│   ├── ca.crt
│   ├── server.crt
│   └── server.key
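The whole procedure above as one POSIX shell script, followed by the checks a broker operator wants before mounting the files (chain validity, key/certificate pairing, SAN contents). This is an added example, not code from the original answer; the subject values ExampleOrg/ExampleCA and the HOST argument are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: the CA + server steps above
# in one script, followed by the checks mosquitto's TLS listener depends on.
set -eu

# make_certs DIR HOST: writes ca.key, ca.crt, server.key, server.crt into DIR.
make_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # CA private key and its self-signed certificate (subject values are placeholders).
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "/C=DE/O=ExampleOrg/CN=ExampleCA" \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server private key; the public key in the CSR is derived from it.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Request config: clients match the SAN list, not the CN, so HOST goes there.
    cat > "$dir/req.conf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = req_ext
prompt = no
[ dn ]
C = DE
O = ExampleOrg
CN = $host
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
EOF
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/req.conf"
    # Sign the CSR with the CA, copying the req_ext extensions into the certificate.
    openssl x509 -req -sha256 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 3650 \
        -extensions req_ext -extfile "$dir/req.conf" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"   # private keys: owner-only
}

# verify_certs DIR HOST: returns 0 only if chain, key/cert pairing and SAN are right.
verify_certs() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    # The public key inside server.crt must equal the one derived from server.key.
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    [ "$k" = "$c" ] || return 1
    # The host name clients connect with must be in subjectAltName.
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
}
```

Run it as `make_certs /certs mosquitto && verify_certs /certs mosquitto`; the three files mosquitto needs are then in /certs, and a non-zero exit tells you which of the three checks failed.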