...

  1. Prepare an OpenSSL configuration file req.cnf:

    ```ini
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    C = DE
    ST = Bayern
    L = Landshut
    O = HiveMQ GmbH
    CN = client1

    [v3_req]
    subjectAltName = dirName:dir_sect

    [dir_sect]
    C = DE
    O = HiveMQ GmbH
    OU = HiveMQ Support
    CN = client1
    ```

  2. Generate the client certificate using the OpenSSL configuration file req.cnf:

    ```bash
    #!/usr/bin/env bash

    # Create a new Certificate Signing Request (CSR) and a new key file
    openssl req \
      -new \
      -out 'client1.csr' \
      -newkey rsa:2048 \
      -nodes \
      -sha256 \
      -keyout 'client1-key.temp' \
      -config 'req.cnf'

    # Verify the CSR
    openssl req -text -noout -verify -in 'client1.csr'

    # Write the RSA key
    openssl rsa -in 'client1-key.temp' -out 'client1-key.pem'

    # Generate the client certificate using the CSR and the OpenSSL configuration file
    openssl x509 -req -in 'client1.csr' \
      -signkey 'client1-key.pem' \
      -out 'client1-cert.pem' \
      -days 365 \
      -extensions 'v3_req' \
      -extfile 'req.cnf'

    # Convert the client certificate from PEM to CRT (DER)
    openssl x509 -outform der \
      -in 'client1-cert.pem' -out 'client1-cert.crt'

    # Import the client certificate into the broker's truststore
    printf "yes\n" | keytool -import -file 'client1-cert.crt' \
      -alias 'client1' \
      -keystore 'broker-truststore.jks' \
      -storepass 'passwordillo'
    ```

    where:
    - client1 is an example client name;
    - broker-truststore.jks is an example broker’s trust store file path;
    - passwordillo is an example password to the broker's trust store.

  3. Example test command:

    ```bash
    mqtt sh
    mqtt> connect --host localhost --port 8883 \
      --cafile server.pem \
      --cert client1-cert.pem \
      --key client1-key.pem
    ```

  4. Example X509 ESE preprocessor configuration (extracts the common names from the dirName entries of the subjectAltName into the ESE variable string-4):

    ```xml
    <x509-preprocessor prefix="{{" postfix="}}">
        <x509-extractions>
            <x509-extraction>
                <x509-field>subject-alternative-common-names</x509-field>
                <ese-variable>string-4</ese-variable>
            </x509-extraction>
        </x509-extractions>
    </x509-preprocessor>
    ```

  5. Example ESE Logging Preprocessor configuration:

    ```xml
    <logging-preprocessor>
        <message>ESE-Variable string-4(subject-alternative-common-names): ${string-4}</message>
        <level>debug</level>
        <name>com.example.logger</name>
    </logging-preprocessor>
    ```
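The following Python script is an added example and not code from the HiveMQ documentation or the ESE extension. It builds the same kind of self-signed client certificate that steps 1 and 2 produce (subject C/ST/L/O/CN plus a subjectAltName dirName entry with C/O/OU/CN), then extracts the common names from the dirName entries of the SAN, which is the value the `subject-alternative-common-names` field in step 4 reads into the ESE variable. It assumes the third-party `cryptography` package is installed; the function names (`build_client_cert`, `san_common_names`, `subject_common_name`, `cert_to_pem`, `load_cert_pem`) and the DNS name `client1.example.invalid` used for the no-dirName case are this example's own, not part of the page.

```python
# Added example (not from the HiveMQ page): mirror the req.cnf/openssl steps
# and show what "subject-alternative-common-names" extracts from the result.
# Assumes the third-party "cryptography" package is available.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_client_cert(client_name="client1", dir_name_san=True):
    """Self-signed client certificate built like req.cnf above.

    dir_name_san=True puts a dirName entry (C/O/OU/CN, as in [dir_sect]) into
    the SAN. dir_name_san=False puts only a DNS name there, the case an
    extraction of SAN common names has to tolerate (it yields nothing).
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "DE"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Bayern"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "Landshut"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "HiveMQ GmbH"),
        x509.NameAttribute(NameOID.COMMON_NAME, client_name),
    ])
    if dir_name_san:
        san_entry = x509.DirectoryName(x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, "DE"),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "HiveMQ GmbH"),
            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "HiveMQ Support"),
            x509.NameAttribute(NameOID.COMMON_NAME, client_name),
        ]))
    else:
        # Constructed host name; only here to show a SAN without a dirName entry.
        san_entry = x509.DNSName(f"{client_name}.example.invalid")
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)  # self-signed, like "openssl x509 -req -signkey"
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([san_entry]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def san_common_names(cert):
    """Common names taken from the dirName entries of the subjectAltName.

    Returns [] when the certificate has no SAN extension or no dirName entry,
    so "no value" stays distinguishable from an empty string.
    """
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    names = []
    for directory_name in san.get_values_for_type(x509.DirectoryName):
        for attr in directory_name.get_attributes_for_oid(NameOID.COMMON_NAME):
            names.append(attr.value)
    return names


def subject_common_name(cert):
    """CN of the subject DN, to compare with the SAN-derived value."""
    attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else None


def cert_to_pem(cert):
    """PEM bytes, the same format as client1-cert.pem from step 2."""
    return cert.public_bytes(serialization.Encoding.PEM)


def load_cert_pem(pem_bytes):
    """Parse a PEM certificate such as client1-cert.pem."""
    return x509.load_pem_x509_certificate(pem_bytes)


if __name__ == "__main__":
    cert, _ = build_client_cert("client1")
    print("subject CN:", subject_common_name(cert))
    print("subject-alternative-common-names:", san_common_names(cert))
    cert_dns, _ = build_client_cert("client1", dir_name_san=False)
    print("DNS-only SAN yields:", san_common_names(cert_dns))
```

To check a certificate produced by the OpenSSL steps instead of a generated one, read `client1-cert.pem` as bytes, pass it to `load_cert_pem`, and call `san_common_names` on the result; an empty list means the `[v3_req]` extensions were not applied (for example, `-extensions`/`-extfile` missing from the `openssl x509 -req` call), which is the usual reason the ESE variable ends up empty.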

...