unknown

Mosquitto TLS

	
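# Config:
#   ./usr/lib/ssl/openssl.cnf   (relative path, i.e. inside an extracted
#   filesystem; on a live host use whatever `openssl version -d` reports)
#
# Checking certificates
# ---------------------------------------------------------------------
# Probe the broker's TLS listener and dump the handshake.  -state/-debug are
# noisy; the useful line is "Verify return code: 0 (ok)".  A non-zero code
# (e.g. 19 "self signed certificate in certificate chain" or 21 "unable to
# verify the first certificate") means the CA was not supplied or does not
# match, so the CA file is passed when present.  </dev/null makes s_client
# exit after the handshake instead of waiting for keyboard input.
#   check_broker_tls [host] [port] [cafile]
check_broker_tls() {
  local host=${1:-192.168.143.10} port=${2:-8883} cafile=${3:-ca.crt}
  local -a args=(-connect "${host}:${port}" -state -debug)
  if [[ -r "$cafile" ]]; then
    args+=(-CAfile "$cafile")
  fi
  openssl s_client "${args[@]}" </dev/null
}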
	

	
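# The Root CA
# ---------------------------------------------------------------------
# Generates the CA private key (ca.key, encrypted; this prompts for
# "PED Password (1)") and the self-signed ca.crt in one step.
#
# Do NOT put the broker's IP/hostname in the CA's Common Name: the CA
# subject must differ from the server certificate's subject, otherwise the
# server cert looks like an unrelated self-signed cert and verification
# fails.  Use something like "MQTT Root CA".
#
# Defaults overridden from the original one-liner: without -days the cert
# is only valid for 30 days, and without -newkey the key size comes from
# openssl.cnf.  -extensions v3_ca relies on the [v3_ca] section in that
# config (basicConstraints CA:TRUE).
#   make_root_ca [days]
make_root_ca() {
  local days=${1:-3650}
  openssl req -new -x509 -extensions v3_ca -newkey rsa:4096 -sha256 \
    -days "$days" -keyout ca.key -out ca.crt || return
  chmod 600 ca.key   # the CA key signs certs and nothing else; keep it off the broker
}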


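# The Server keys and certs
# ---------------------------------------------------------------------
# Two ways to make server.key:
#   make_server_key --encrypted   prompts for "PED Password (2)"; the broker
#                                 then needs that passphrase at every start,
#                                 which is impractical for an unattended
#                                 Mosquitto daemon (NOTE(review): confirm how
#                                 your broker version handles an encrypted
#                                 keyfile before choosing this)
#   make_server_key               plain key, protected by file permissions only
# -aes256 replaces the original -des3 (3DES is legacy for new keys).
make_server_key() {
  if [[ "${1:-}" == "--encrypted" ]]; then
    openssl genrsa -aes256 -out server.key 2048 || return
  else
    openssl genrsa -out server.key 2048 || return
  fi
  chmod 600 server.key
}

# CSR for the broker.  The original notes had you type the broker's IP as
# the Common Name and a "." for the "A challenge password" / "An optional
# company name" prompts (a "." leaves a field blank); -subj supplies the DN
# directly so nothing is prompted.  The CN must differ from the CA's CN.
#   make_server_csr 192.168.143.10
#   make_server_csr broker.example.net
make_server_csr() {
  local host=${1:?broker hostname or IP required}
  openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=${host}"
}

# Sign the CSR with the CA (prompts for PED Password (1)).
#   sign_server_cert <host> [<SAN>] [<days>]
# Modern clients match the broker address against subjectAltName (the CN is
# at best a fallback for hostnames, never for IP addresses), so pass
# IP:x.x.x.x for an address or DNS:name for a hostname; default IP:<host>.
# `openssl x509 -req` ignores extensions inside the CSR, which is why the
# SAN and EKU go in through -extfile.  Without -days the certificate would
# only be valid for 30 days.
#
# Broker side, mosquitto.conf then typically uses:
#   listener 8883
#   cafile   ca.crt
#   certfile server.crt
#   keyfile  server.key
#   require_certificate true     # if client certs are mandatory
sign_server_cert() {
  local host=${1:?broker hostname or IP required}
  local san=${2:-IP:${host}}
  local days=${3:-825}
  local extfile rc=0
  extfile=$(mktemp) || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=serverAuth\n' \
    "$san" > "$extfile"
  openssl x509 -req -sha256 -days "$days" -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile "$extfile" -out server.crt || rc=$?
  rm -f -- "$extfile"
  return "$rc"
}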


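# The Client keys and certs
# ---------------------------------------------------------------------
# Same two options as for the server key:
#   make_client_key --encrypted   prompts for "PED Password (3)" (and again
#                                 whenever the key is used)
#   make_client_key               plain key, file permissions only
make_client_key() {
  if [[ "${1:-}" == "--encrypted" ]]; then
    openssl genrsa -aes256 -out client.key 2048 || return
  else
    openssl genrsa -out client.key 2048 || return
  fi
  chmod 600 client.key
}

# CSR for a client.  The CN can be anything, but pick it deliberately: with
# `use_identity_as_username true` Mosquitto uses the certificate CN as the
# MQTT username for ACL checks.  -subj replaces the interactive prompts
# (including the "." answers to challenge password / optional company name).
#   make_client_csr sensor-01
make_client_csr() {
  local name=${1:?client name (CN) required}
  openssl req -new -sha256 -key client.key -out client.csr -subj "/CN=${name}"
}

# Sign with the CA (prompts for PED Password (1)).  The cert is marked
# clientAuth so it cannot be re-used to impersonate the broker.  Without
# -days the default validity would be 30 days.
#   sign_client_cert [days]
sign_client_cert() {
  local days=${1:-825}
  local extfile rc=0
  extfile=$(mktemp) || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$extfile"
  openssl x509 -req -sha256 -days "$days" -in client.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile "$extfile" -out client.crt || rc=$?
  rm -f -- "$extfile"
  return "$rc"
}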

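# Verify the certs
# ---------------------------------------------------------------------
# Each `openssl verify` should print "<file>: OK".  If the server cert
# fails, the most likely cause is the Common Name: the CA's CN is the same
# as the server's, so the chain looks like an unrelated self-signed cert.
# The cmp lines confirm each private key really belongs to its certificate
# (no output and exit 0 means the public keys match); an encrypted key
# prompts for its passphrase here.
verify_certs() {
  local rc=0
  openssl verify -CAfile ca.crt server.crt || rc=1
  openssl verify -CAfile ca.crt client.crt || rc=1
  cmp <(openssl x509 -noout -pubkey -in server.crt) <(openssl pkey -in server.key -pubout) || rc=1
  cmp <(openssl x509 -noout -pubkey -in client.crt) <(openssl pkey -in client.key -pubout) || rc=1
  return "$rc"
}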


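# Misc
# ---------------------------------------------------------------------
# Ad-hoc OpenSSL one-liners.  Changes from the original notes:
#   * the `sudo` on the public-key extraction was unnecessary (reading a
#     .crt needs no privileges) and is gone;
#   * the input file was spelled both WabashConnonball.txt and
#     WabashCannonball.txt; the examples below use WabashCannonball.txt;
#   * root.crt / root.key / rootpub.key / capub.key are not produced by the
#     CA steps; rootpub.key and capub.key are what extract_pubkey prints;
#   * the duplicated PEM encrypt/decrypt pair was dropped.
# Caveat: signing or encrypting arbitrary data with the CA key (ca.key), as
# the originals did, is bad practice — a CA key should only ever sign
# certificates.  Use a separate key pair for these examples.

# Pretty-print a certificate.
#   show_cert client.crt
show_cert() {
  openssl x509 -in "${1:-client.crt}" -text -noout
}

# Print the public key of a certificate (redirect to capub.key etc.).
#   extract_pubkey ca.crt > capub.key
extract_pubkey() {
  openssl x509 -pubkey -noout -in "${1:-client.crt}"
}

# Raw RSA encryption of a small file with a bare public key.  Only works for
# inputs shorter than the key size minus padding (roughly 245 bytes for
# RSA-2048); use smime_encrypt for anything larger.
#   rsa_encrypt_small rootpub.key WabashCannonball.txt WabashCannonball.enc
rsa_encrypt_small() {
  local pubkey=${1:?public key file} infile=${2:?input file} outfile=${3:?output file}
  openssl pkeyutl -encrypt -inkey "$pubkey" -pubin -in "$infile" -out "$outfile"
}

# S/MIME (CMS) hybrid encryption to a certificate: AES-256-CBC for the body,
# RSA for the content key.  FORM is DER or PEM and must match on decrypt.
#   smime_encrypt root.crt WabashCannonball.txt WabashCannonball.enc DER
#   smime_decrypt root.key WabashCannonball.enc WabashCannonballOut.txt DER
#   smime_encrypt ca.crt   WabashCannonball.txt WabashCannonball.enc2 PEM
#   smime_decrypt ca.key   WabashCannonball.enc2 WabashCannonballOut3.txt PEM
smime_encrypt() {
  local cert=${1:?recipient cert} infile=${2:?input file} outfile=${3:?output file} form=${4:-DER}
  openssl smime -encrypt -binary -aes-256-cbc -in "$infile" -out "$outfile" -outform "$form" "$cert"
}
smime_decrypt() {
  local key=${1:?private key} infile=${2:?input file} outfile=${3:?output file} form=${4:-DER}
  openssl smime -decrypt -binary -in "$infile" -inform "$form" -out "$outfile" -inkey "$key"
}

# Detached SHA-256 signature plus a base64 copy (<sigfile>.b64) for text
# channels; decode it with `openssl enc -base64 -d` before verifying.
#   sign_file ca.key WabashCannonball.txt WabashCannonball.sign
#   verify_file capub.key WabashCannonball.txt WabashCannonball.sign
sign_file() {
  local key=${1:?private key} infile=${2:?input file} sigfile=${3:?signature file}
  openssl dgst -sign "$key" -keyform PEM -sha256 -out "$sigfile" -binary "$infile" || return
  openssl enc -base64 -in "$sigfile" -out "${sigfile}.b64"
}
verify_file() {
  local pubkey=${1:?public key} infile=${2:?input file} sigfile=${3:?signature file}
  openssl dgst -sha256 -verify "$pubkey" -signature "$sigfile" "$infile"
}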

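# Old
# ---------------------------------------------------------------------
# Earlier three-tier layout (root -> intermediate "serverCA" -> server, with
# the client signed directly by the root), kept for reference.  Changes from
# the original notes:
#   * -sha1 replaced by -sha256 everywhere (SHA-1 signatures are rejected by
#     current OpenSSL/TLS stacks);
#   * -des3 key encryption replaced by -aes256;
#   * identical duplicated lines collapsed; where the notes kept several
#     variants of one command, the chosen one is explained inline;
#   * `//` pseudo-comments fixed to `#` (they were not valid shell);
#   * -days added (the 30-day default is almost never what you want).
# All commands assume /opt/exampleca/openssl.cnf provides the v3_ca and
# usr_cert sections referenced below.  Every bundled *.pem produced here
# contains a private key: chmod 600 and never copy it to another host.
export OPENSSL_CONF=/opt/exampleca/openssl.cnf

# Sign/verify round trip with a bare RSA key pair and no certificates.
# The base64 encode/decode pair is only there to show the transport form.
#   old_sign_verify_example wabashcannonball.txt
old_sign_verify_example() {
  local file=${1:-wabashcannonball.txt}
  openssl genrsa -aes256 -out private.pem 2048 || return          # prompts for a passphrase
  openssl rsa -in private.pem -outform PEM -pubout -out public.pem || return
  openssl dgst -sha256 -sign private.pem -out sign.sha256 "$file" || return
  openssl base64 -in sign.sha256 -out sign.sha256.txt || return
  openssl base64 -d -in sign.sha256.txt -out sign.sha256 || return
  openssl dgst -sha256 -verify public.pem -signature sign.sha256 "$file"
}

# One-shot self-signed CA.  The key is written to privkey.pem (no -keyout
# given) and the cert to cacert.pem.  The second command only displays the
# result — the original note calling it "the line to create the private
# key" was wrong.
old_make_cacert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -out cacert.pem -outform PEM || return
  openssl x509 -in cacert.pem -text -noout
}

# Root: CSR self-signed via -signkey, then bundled with its key so it can be
# passed as both -CA and -CAkey below.  -extensions v3_ca is added so the
# root carries basicConstraints CA:TRUE; whether the original worked without
# it depended on the config file's default `extensions=` setting.
old_make_root() {
  openssl req -newkey rsa:2048 -sha256 -keyout rootkey.pem -out rootreq.pem || return
  openssl x509 -req -in rootreq.pem -sha256 -days 3650 \
    -extfile /opt/exampleca/openssl.cnf -extensions v3_ca \
    -signkey rootkey.pem -out rootcert.pem || return
  cat rootcert.pem rootkey.pem > root.pem || return
  chmod 600 root.pem rootkey.pem
}

# Intermediate "serverCA", signed by the root.  -extensions v3_ca is
# required here: without basicConstraints CA:TRUE the intermediate is
# rejected by `openssl verify` as an invalid CA and nothing it signs will
# validate, so the no-extension variant from the notes is dropped.  The
# notes also had a variant issued by the example CA under /opt/exampleca
# instead of root.pem; it is left commented out.
old_make_server_ca() {
  openssl req -newkey rsa:2048 -sha256 -keyout serverCAkey.pem -out serverCAreq.pem || return
  openssl x509 -req -in serverCAreq.pem -sha256 -days 1825 \
    -extfile /opt/exampleca/openssl.cnf -extensions v3_ca \
    -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem || return
  # Alternative issuer:
  # openssl x509 -req -in serverCAreq.pem -sha256 -days 1825 \
  #   -extfile /opt/exampleca/openssl.cnf -extensions v3_ca \
  #   -CA /opt/exampleca/cacert.pem -CAkey /opt/exampleca/private/cakey.pem \
  #   -CAcreateserial -out serverCAcert.pem
  cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem || return
  chmod 600 serverCA.pem serverCAkey.pem
}

# Server leaf, signed by the intermediate.  The notes carried four variants
# differing only in whether -extensions usr_cert was given and whether the
# bundled serverCA.pem or the separate cert/key files were passed; this is
# the usr_cert + separate-files form (the bundle works the same way).
# server.pem = leaf + private key + intermediate + root.
old_make_server() {
  openssl req -newkey rsa:2048 -sha256 -keyout serverkey.pem -out serverreq.pem || return
  openssl x509 -req -in serverreq.pem -sha256 -days 825 \
    -extfile /opt/exampleca/openssl.cnf -extensions usr_cert \
    -CA serverCAcert.pem -CAkey serverCAkey.pem -CAcreateserial -out servercert.pem || return
  cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem || return
  chmod 600 server.pem serverkey.pem
}

# Client leaf, signed directly by the root (no -extensions, as in the
# original).  client.pem = leaf + private key + root.
old_make_client() {
  openssl req -newkey rsa:2048 -sha256 -keyout clientkey.pem -out clientreq.pem || return
  openssl x509 -req -in clientreq.pem -sha256 -days 825 \
    -extfile /opt/exampleca/openssl.cnf \
    -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem || return
  cat clientcert.pem clientkey.pem rootcert.pem > client.pem || return
  chmod 600 client.pem clientkey.pem
}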
	










Copyright 2024 by James Wright. All Rights Reserved.