[MQTT]服务器EMQX搭建SSL/TLS连接过程（wss://)

1

openssl version

1

openssl genrsa -out my_root_ca.key 2048

1

openssl req -x509 -new -nodes -key my_root_ca.key -sha256 -days 3650 -out my_root_ca.pem

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CN # 国家/地区
State or Province Name (full name) [Some-State]:Zhejiang # 省/市
Locality Name (eg, city) []:Hangzhou # 城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EMQX # 组织机构（或公司名），如 EMQ
Organizational Unit Name (eg, section) []:EMQX # 机构部门，如 EMQX
Common Name (e.g. server FQDN or YOUR name) []:none # 通用名称，此处应当设置为服务器域名如 mqtt.emqx.com
...

1

openssl genrsa -out emqx.key 2048

1

vi openssl.cnf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
commonName = Server certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = BROKER_ADDRESS
DNS.1 = BROKER_ADDRESS

1

openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr

1

openssl x509 -req -in ./emqx.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf

1

openssl genrsa -out client.key 2048

1

openssl req -new -key ./client.key -config openssl.cnf -out client.csr

1

openssl x509 -req -in ./client.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out client.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

## listener.ssl.$name is the IP address and port that the MQTT/SSL
## Value: IP:Port | Port
listener.ssl.external = 8084

## Path to the file containing the user's private PEM-encoded key.
## Value: File
listener.ssl.external.keyfile = etc/certs/emqx.key

## Path to a file containing the user certificate.
## Value: File
listener.ssl.external.certfile = etc/certs/emqx.pem

## Path to the file containing PEM-encoded CA certificates. The CA certificates
## Value: File
listener.ssl.external.cacertfile = etc/certs/my_root_ca.pem

1

emqx restart