How can I create a self-signed certificate with openssl for container applications? E.g. as needed for a TLS secured MQTT broker "mosquitto".

Q

How can I create a self-signed certificate with openssl for container applications? E.g. as needed for a TLS secured MQTT broker "mosquitto".

A

Create a temporary folder for holding the working and final files. Example:

mkdir -p certs && cd certs

Generate the private key of your own "trusted" CA and, in the same step, the CA's public certificate derived from that private key (self-signed). Example:

openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "/C=DE/ST=MyState/L=MyCountry/O=MyCorporation/OU=MyOrg/CN=MyCA/emailAddress=ownca@email.com" -days 3650 -keyout ./ca.key -out ./ca.crt

Generate the "server" private key. The certificate containing its public key is what will later be signed by your CA. Example:

openssl genrsa -out server.key 2048

Create a configuration file. Example:

vi ./req.conf

with the following content. Example (modify according to your requirements, e.g. replace 10.13.5.0 with the IP address of the device on which the Mosquitto container will run):

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = DE
ST = MyState
L = MyCountry
O = MyCorporation
OU = MyOrg
CN = MyDomain
emailAddress = MyEmail@email.com
# extensions written into the CSR
[ v3_req ]
basicConstraints = CA:FALSE
# digitalSignature is needed for TLS 1.3 and for the ECDHE ciphers of TLS 1.2
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
# extensions written into the signed certificate (selected with -extensions req_ext when signing)
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
# every host name or IP address clients will connect with must be listed here
DNS.1 = myname
DNS.2 = myname.local
DNS.3 = myname.domain
DNS.4 = *.localhost
DNS.5 = localhost
DNS.6 = *.mosquitto
DNS.7 = mosquitto
IP.1 = 127.0.0.1
IP.2 = 10.13.5.0

Create a "server" certificate signing request. Example:

openssl req -new -key server.key -out server.csr -config ./req.conf

Sign the "server" certificate request with your CA. Example:

openssl x509 -req -sha256 -in ./server.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out ./server.crt -days 3650 -extensions req_ext -extfile req.conf

Finally you get the following files needed by the broker (ca.key, server.csr and the serial file ca.srl also remain in the folder; ca.key is only needed to sign further certificates and is not copied to the broker):

├── certs
│   ├── ca.crt
│   ├── server.crt
│   └── server.key


Use case TLS secured mosquitto:
------------------------------

To run a TLS secured mosquitto container you need to set up a mosquitto.conf file. This file, along with the certificates, needs to be mapped into the container's folder /mosquitto/config. The folder structure needs to be as follows


└── config
    ├── certs
    │   ├── ca.crt
    │   ├── server.crt
    │   └── server.key
    └── mosquitto.conf


Download an example mosquitto.conf file from https://github.com/eclipse-mosquitto/mosquitto/blob/master/mosquitto.conf and modify the related settings to turn mosquitto into a TLS secured version.

Set the following options in it

  1. listener 8883
  2. allow_anonymous true
  3. cafile /mosquitto/config/certs/ca.crt
  4. certfile /mosquitto/config/certs/server.crt
  5. keyfile /mosquitto/config/certs/server.key

Then call the following to start the broker (modify the source folder to your settings)

docker run -it -d --restart always --name mosquitto -p 8883:8883 -v /home/admin/config:/mosquitto/config eclipse-mosquitto

To cross-check the mosquitto TLS function, use the MQTT Explorer application. Set up the IP address of your test device and the secure port (8883).
Then click "ADVANCED" and "CERTIFICATES" and upload the "server.crt" as the "SERVER CERTIFICATE (CA)".
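The complete certificate procedure from the answer, the checks the text leaves out, and the TLS cross-check from the last step, as one POSIX shell script. This is an added example, not code from the original answer or from the Mosquitto project. It assumes OpenSSL 1.1.1 or newer on the path; "myname" and 10.13.5.0 are placeholders for your broker's host name and address. It deliberately departs from the steps above in three points: the CA certificate gets explicit CA extensions (section ca_ext) instead of relying on whatever the system openssl.cnf adds, the server certificate takes basicConstraints, keyUsage and extendedKeyUsage from the same section as its subjectAltName, and the server certificate is limited to 825 days, the longest leaf lifetime several client platforms (Apple's among them) still accept.

```shell
#!/bin/sh
# Added example, not part of the original answer: the CA/server procedure above
# as one script, plus the checks a TLS client applies before it trusts the broker.
# Assumes OpenSSL 1.1.1 or newer; "myname" and 10.13.5.0 are placeholders.
set -eu

CA_SUBJ="/C=DE/ST=MyState/L=MyCountry/O=MyCorporation/OU=MyOrg/CN=MyCA"

# write_req_conf DIR HOST IP: one config file for the CA cert, the CSR and the signing step
write_req_conf() {
  cat > "$1/req.conf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = DE
ST = MyState
L = MyCountry
O = MyCorporation
OU = MyOrg
CN = $2
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $2
DNS.2 = $2.local
DNS.3 = localhost
DNS.4 = mosquitto
IP.1 = 127.0.0.1
IP.2 = $3
EOF
}

# make_certs DIR HOST IP: CA key + self-signed CA cert, server key, CSR, CA-signed server cert
make_certs() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  write_req_conf "$dir" "$host" "$ip"
  openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "$CA_SUBJ" -days 3650 \
    -config "$dir/req.conf" -extensions ca_ext \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/server.key"   # private keys; ca.key stays off the broker
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/req.conf"
  # 825 days: the longest leaf lifetime several client platforms still accept
  openssl x509 -req -sha256 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extensions req_ext -extfile "$dir/req.conf" \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR: server.crt must chain to ca.crt, the first thing a client checks
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

# verify_for_host DIR NAME / verify_for_ip DIR ADDR: the name or address the client
# dials must be in the SAN, otherwise the client rejects the handshake
verify_for_host() { openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1; }
verify_for_ip() { openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1; }

# tls_probe DIR NAME PORT: full handshake on loopback with s_server standing in for the
# broker; the client trusts only ca.crt, exactly as MQTT Explorer or mosquitto_sub would
tls_probe() {
  dir=$1; name=$2; port=$3
  openssl s_server -accept "$port" -cert "$dir/server.crt" -key "$dir/server.key" -www >/dev/null 2>&1 &
  srv=$!; rc=1; i=0
  while [ "$i" -lt 10 ]; do
    if openssl s_client -connect "127.0.0.1:$port" -CAfile "$dir/ca.crt" -verify_hostname "$name" \
         -verify_return_error </dev/null >/dev/null 2>&1; then rc=0; break; fi
    i=$((i + 1)); sleep 1
  done
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  return "$rc"
}

# stand-alone use: sh make-certs.sh run
if [ "${1:-}" = "run" ]; then
  make_certs ./certs myname 10.13.5.0
  verify_chain ./certs && verify_for_host ./certs myname && verify_for_ip ./certs 10.13.5.0 \
    && tls_probe ./certs localhost 18883 && echo "certs OK"
fi
```

Run it as `sh make-certs.sh run`; it only prints "certs OK" when the chain verifies, the placeholder host name and IP address are both covered by the SAN, and a real TLS handshake against the generated pair succeeds. Against the running container, the same `openssl s_client` line with the broker's address, port 8883 and `-CAfile ca.crt` performs the cross-check without MQTT Explorer. In every case the client trusts only ca.crt: that is the file to distribute to clients, while ca.key never leaves the machine that signs certificates. Note that with `allow_anonymous true` any client that trusts ca.crt can publish and subscribe; Mosquitto's `password_file` and `require_certificate` options add client authentication on top of the encrypted listener.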