...

Code Block
openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem;


If both verify with OK, it is time to create the certificate chain

Code Block
cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem;

chmod 444 intermediate/certs/ca-chain.cert.pem;

Server Certificate

Next we will create a key and certificate for our server, sign it, and generate the keystore used by HiveMQ. In the following examples, replace broker.hivemq.local with the FQDN of the individual node you are creating them for.

...

Code Block
openssl genrsa -aes256 \
      -out intermediate/private/broker.hivemq.local.key.pem 2048;

chmod 400 intermediate/private/broker.hivemq.local.key.pem;

Create a signing request

Code Block
openssl req -config intermediate/int-openssl.cnf \
      -key intermediate/private/broker.hivemq.local.key.pem \
      -new -sha256 -out intermediate/csr/broker.hivemq.local.csr.pem;

Sign the server’s request and generate its certificate

Code Block
openssl ca -config intermediate/int-openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/broker.hivemq.local.csr.pem \
      -out intermediate/certs/broker.hivemq.local.cert.pem;

chmod 444 intermediate/certs/broker.hivemq.local.cert.pem;


We now have all the necessary parts to produce a keystore

Code Block
cat certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem \
      intermediate/certs/broker.hivemq.local.cert.pem \
      > ../keystores/broker.hivemq.local.chain.pem;

openssl pkcs12 -export \
      -in ../keystores/broker.hivemq.local.chain.pem \
      -inkey intermediate/private/broker.hivemq.local.key.pem \
      > ../keystores/broker.hivemq.local.p12;

keytool -importkeystore -trustcacerts \
      -srckeystore ../keystores/broker.hivemq.local.p12 \
      -destkeystore ../keystores/broker.hivemq.local-keystore.jks \
      -srcstoretype pkcs12 -destalias broker.hivemq.local -alias 1;

rm -f ../keystores/broker.hivemq.local.p12 \
      ../keystores/broker.hivemq.local.chain.pem;

… and truststore

Code Block
keytool -import -trustcacerts -alias 'Root CA' -file certs/ca.cert.pem -keystore ../keystores/broker.hivemq.local-truststore.jks;

Client certificates

Now we can create the certificates that our clients present to the server when establishing a connection. Replace client1 with any name you like.

As before, our starting point is to generate a key…

Code Block
openssl genrsa -aes256 \
      -out intermediate/private/client1.key.pem 2048;

chmod 400 intermediate/private/client1.key.pem;

…create a signing request for it

Code Block
openssl req -config intermediate/int-openssl.cnf \
      -key intermediate/private/client1.key.pem \
      -new -sha256 -out intermediate/csr/client1.csr.pem;

… and sign it to generate a certificate

Code Block
openssl ca -config intermediate/int-openssl.cnf \
      -extensions usr_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/client1.csr.pem \
      -out intermediate/certs/client1.cert.pem;

Now it is time to generate the client’s keystore…

Code Block
cat certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem \
      intermediate/certs/client1.cert.pem \
      > ../keystores/client1.chain.pem;

openssl pkcs12 -export \
      -in ../keystores/client1.chain.pem \
      -inkey intermediate/private/client1.key.pem \
      > ../keystores/client1.p12;

keytool -importkeystore -trustcacerts \
      -srckeystore ../keystores/client1.p12 \
      -destkeystore ../keystores/client1-keystore.jks \
      -srcstoretype pkcs12 -destalias client1 -alias 1;

rm -f ../keystores/client1.p12 ../keystores/client1.chain.pem;

…and truststore

Code Block
keytool -import -trustcacerts -alias 'Root CA' -file certs/ca.cert.pem -keystore ../keystores/client1-truststore.jks;
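Before either keystore goes onto a broker node or a client, it is worth checking that the pieces actually fit together: that the leaf certificate chains to the root through the intermediate, that it carries the right purpose (server_cert should yield a serverAuth certificate, usr_cert a clientAuth one), that the certificate covers the node's FQDN, and that the private key placed in the keystore is the one the certificate was issued for. The script below is an added example and not part of the original page or of HiveMQ's documentation. check_identity_cert is generic and takes the files the procedures above produce; make_demo_pki is constructed demo input that builds a throwaway root, intermediate and two leaf certificates with plain openssl one-liners so the checks can be exercised offline, and its extension sets are an assumption about what the page's server_cert and usr_cert sections contain, since int-openssl.cnf is not shown. The names broker.hivemq.local and client1 come from the page; other.example is a constructed mismatching hostname.

```shell
#!/bin/sh
# Added example, not from the original page: post-build checks for the server
# and client certificates created above. Requires only the openssl CLI.
set -e

# check_identity_cert CERT KEY ROOT INTERMEDIATE PURPOSE [HOSTNAME]
#   CERT / KEY    e.g. intermediate/certs/broker.hivemq.local.cert.pem and
#                 intermediate/private/broker.hivemq.local.key.pem (the page's keys are
#                 AES-encrypted: export KEY_PASSIN=pass:... or KEY_PASSIN=env:VARNAME)
#   ROOT          certs/ca.cert.pem
#   INTERMEDIATE  intermediate/certs/intermediate.cert.pem
#   PURPOSE       sslserver for a broker certificate, sslclient for a client certificate
#   HOSTNAME      optional FQDN the broker certificate must cover
# Prints one line per check and returns 1 if any check fails.
check_identity_cert() {
    cert=$1 key=$2 root=$3 inter=$4 purpose=$5 host=${6:-}
    rc=0
    # 1. Path validation leaf -> intermediate -> root. The intermediate is passed with
    #    -untrusted, as a TLS peer would receive it, so only the root is a trust anchor.
    #    -purpose also checks keyUsage/extendedKeyUsage against the intended role.
    if [ -n "$host" ]; then set -- -verify_hostname "$host"; else set --; fi
    if openssl verify -purpose "$purpose" "$@" -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1; then
        echo "ok    chain/purpose=$purpose${host:+/host=$host}: $cert"
    else
        echo "FAIL  chain/purpose=$purpose${host:+/host=$host}: $cert"; rc=1
    fi
    # 2. The key going into the keystore must belong to the certificate: compare the
    #    public key (SubjectPublicKeyInfo) derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout -passin "${KEY_PASSIN:-pass:}" 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok    private key matches certificate"
    else
        echo "FAIL  private key does not match certificate"; rc=1
    fi
    # 3. -days 375 certificates expire quietly; flag anything with under 30 days left.
    if openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo "ok    more than 30 days of validity left"
    else
        echo "FAIL  expires within 30 days (or already expired)"; rc=1
    fi
    return $rc
}

# make_demo_pki DIR: constructed demo PKI (not the page's CA). Each step mirrors one of
# the page's commands: generate a key, create a request, sign it with the parent CA.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Assumed equivalents of the page's CA, server_cert and usr_cert extension sections.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:broker.hivemq.local\n' > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    for name in root inter server client; do
        case $name in
            root)   cn="Demo Root CA" ;;
            inter)  cn="Demo Intermediate CA" ;;
            server) cn="broker.hivemq.local" ;;
            client) cn="client1" ;;
        esac
        # Self-contained req config so the demo does not depend on the system openssl.cnf.
        printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$cn" > "$dir/$name.cnf"
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr"
    done
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 90 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 90 -extfile "$dir/ca.ext" -out "$dir/inter.crt" 2>/dev/null
    for name in server client; do
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
            -CAcreateserial -days 90 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    done
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"

echo "== broker certificate (expected: all ok) =="
check_identity_cert "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key" "$DEMO_DIR/root.crt" "$DEMO_DIR/inter.crt" sslserver broker.hivemq.local
echo "== client certificate (expected: all ok) =="
check_identity_cert "$DEMO_DIR/client.crt" "$DEMO_DIR/client.key" "$DEMO_DIR/root.crt" "$DEMO_DIR/inter.crt" sslclient
echo "== broker certificate presented as a client certificate, with the wrong key (expected: FAIL lines) =="
check_identity_cert "$DEMO_DIR/server.crt" "$DEMO_DIR/client.key" "$DEMO_DIR/root.crt" "$DEMO_DIR/inter.crt" sslclient || echo "checks failed as expected"
```

To run the checks against the files produced by the procedures above, call check_identity_cert from the CA directory with intermediate/certs/broker.hivemq.local.cert.pem, intermediate/private/broker.hivemq.local.key.pem, certs/ca.cert.pem, intermediate/certs/intermediate.cert.pem, sslserver and the node's FQDN (and the client1 files with sslclient), with KEY_PASSIN set because the page's keys are AES-encrypted. The intermediate is deliberately passed via -untrusted rather than concatenated into -CAfile, which is what a verifying TLS peer will do with the chain the keystore sends; a successful openssl verify against a combined ca-chain.cert.pem alone does not prove that arrangement works.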