
Mosquitto SSL/TLS configuration

On Linux, Mosquitto listens on port 1883 by default, without encryption. How do you switch to port 8883 with TLS encryption and certificate-based authentication?

1. Generate the certificate files (with OpenSSL)

a. Create the CA certificate (self-signed)

# Generate the CA private key
openssl genrsa -out ca.key 2048

# Generate the self-signed CA certificate (valid for 10 years)
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

## Detailed session:
alex@mini-host:~/Downloads/mosq$ openssl genrsa -out ca.key 2048
alex@mini-host:~/Downloads/mosq$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:0.0.0.0
Email Address []:test@163.com

b. Generate the server certificate

# Generate the server private key
openssl genrsa -out server.key 2048

# Create the certificate signing request (CSR)
openssl req -new -out server.csr -key server.key

# Have the CA sign the server certificate (valid for 10 years)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650


## Detailed session:
alex@mini-host:~/Downloads/mosq$ openssl genrsa -out server.key 2048
alex@mini-host:~/Downloads/mosq$ openssl req -new -out server.csr -key server.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:192.168.31.10
Email Address []:server@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:test

alex@mini-host:~/Downloads/mosq$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650
Certificate request self-signature ok
subject=C = CN, ST = BJ, L = BJ, O = test, OU = test, CN = 192.168.31.10, emailAddress = server@qq.com


c. Generate the client certificate (optional, for mutual authentication)

# Generate the client private key
openssl genrsa -out client.key 2048

# Create the client CSR
openssl req -new -out client.csr -key client.key

# Have the CA sign the client certificate
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650


## Detailed session:
alex@mini-host:~/Downloads/mosq$ openssl genrsa -out client.key 2048
alex@mini-host:~/Downloads/mosq$ openssl req -new -out client.csr -key client.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:192.168.31.10
Email Address []:client@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:test

alex@mini-host:~/Downloads/mosq$ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
Certificate request self-signature ok
subject=C = CN, ST = BJ, L = BJ, O = test, OU = test, CN = 192.168.31.10, emailAddress = client@qq.com

2. Configure Mosquitto

a. Create the certificate directory

sudo mkdir /etc/mosquitto/certs
sudo cp ca.crt server.crt server.key /etc/mosquitto/certs/
sudo chown mosquitto:mosquitto /etc/mosquitto/certs/*

b. Edit the configuration file /etc/mosquitto/mosquitto.conf

# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

pid_file /run/mosquitto/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

listener 8883 0.0.0.0
allow_anonymous true

log_dest file /var/log/mosquitto/mosquitto.log
log_type all

include_dir /etc/mosquitto/conf.d


# Certificate paths
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# Security options
# Pin the TLS version:
#tls_version tlsv1.2
# true = clients must present a certificate (mutual authentication)
require_certificate false
# true = use the client certificate's CN as the username
#use_identity_as_username false

Two things to watch in this file. First, cafile, certfile, keyfile and require_certificate belong to the most recently defined listener, so keep them directly after the "listener 8883 0.0.0.0" line (before include_dir); if a file in conf.d defines another listener, the certificate options would otherwise attach to that one. Mosquitto only supports full-line comments, as in the stock mosquitto.conf, so keep comments on their own line. Second, be clear about what this configuration provides: with allow_anonymous true and require_certificate false, TLS encrypts the traffic and lets clients authenticate the broker, but any client that trusts the CA can connect without credentials. To authenticate clients, set require_certificate true (mutual authentication) or allow_anonymous false together with a password_file.

3. Restart the Mosquitto service

sudo systemctl restart mosquitto
4. Client connection examples

a. One-way authentication (the client verifies the server)

mosquitto_sub -h your.server.com -p 8883 -t "test" \
  --cafile /path/to/ca.crt

b. Mutual authentication (the client also presents a certificate)

mosquitto_sub -h your.server.com -p 8883 -t "test" \
  --cafile /path/to/ca.crt \
  --cert /path/to/client.crt \
  --key /path/to/client.key

The host passed with -h must match the server certificate: one of its subjectAltName entries, or the CN when the certificate has none. The server certificate issued above has CN=192.168.31.10 and no subjectAltName, so connect with -h 192.168.31.10, or reissue the certificate for the broker's DNS name. mosquitto_sub's --insecure option disables this hostname check, but then any certificate issued by the CA is accepted as the broker's.
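The certificate steps from section 1 and the hostname check that section 4 depends on, as an added example that is not part of the original post: the same openssl commands run non-interactively, with a subjectAltName on the server certificate and a verification function that performs the chain and name checks a TLS client does. It assumes openssl 1.1.1 or newer on PATH; the subject values, the hypothetical client name sensor-01 and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: the certificate steps from
# section 1 done non-interactively, with a subjectAltName on the server
# certificate so the client-side hostname check in section 4 can pass.
# Assumes openssl 1.1.1+ on PATH; every subject value below is constructed.

# make_mqtt_certs DIR HOST  (HOST = IP address or DNS name clients connect to)
make_mqtt_certs() (
    dir=$1; host=$2
    # The SAN type must match how clients address the broker
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    mkdir -p "$dir" && cd "$dir" || exit 1
    # CA: 'req -x509' marks it CA:TRUE by default with the stock openssl.cnf
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
        -subj "/C=CN/ST=BJ/L=BJ/O=test/CN=test-mqtt-ca" || exit 1

    # Server: extensions are supplied at signing time through an extfile
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/C=CN/O=test/CN=$host"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$san" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out server.crt -days 3650 -extfile server.ext 2>/dev/null || exit 1

    # Client (for require_certificate true): clientAuth only, so a leaked
    # client certificate cannot be presented as a broker certificate
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -subj "/C=CN/O=test/CN=sensor-01"
    printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out client.crt -days 3650 -extfile client.ext 2>/dev/null || exit 1
    chmod 600 ca.key server.key client.key   # private keys stay owner-only
)

# verify_mqtt_certs DIR HOST: the checks a TLS client performs before trusting
# the broker, chain validation against the CA plus the SAN/hostname match
verify_mqtt_certs() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null || return 1
    case "$host" in
        *[!0-9.]*) openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null ;;
        *)         openssl verify -CAfile "$dir/ca.crt" -verify_ip "$host" "$dir/server.crt" >/dev/null ;;
    esac
}
```

Run make_mqtt_certs ./certs 192.168.31.10, then copy ca.crt, server.crt and server.key into /etc/mosquitto/certs as in section 2; clients verify with --cafile ca.crt and connect with -h 192.168.31.10, which now matches the certificate's IP subjectAltName.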

Other notes

How do you obtain a ca.pem file, and client.key / client.pem files?

  • ca.crt is already PEM-encoded, so simply copy it to ca.pem.
  • The client.key generated above is already a PEM-encoded private key and can be used directly.
  • client.crt is already PEM-encoded, so simply copy it to client.pem.
posted @ 2025-07-16 20:11  eiSouthBoy