How to set a TLS certificate for OpenMQTTGateway with openssl (really an openssl question)

Hey folks,

I’m out of my wheelhouse when it comes to this and would like to know how to set up a certificate for OMG to connect to my AWS mqtt instance running Ubuntu. I’ve been able to connect my local node red server to my AWS mqtt broker using the instructions from StackOverflow. But I don’t know how to create additional client certificates for multiple OMG nodes to connect to my AWS mqtt broker.

The message you are receiving indicates that the broker’s server certificate is not trusted (because it is self-signed), therefore paho is not being correctly told it is trustworthy.

It is possible your fake certificate authority’s root certificate (the ca.crt file you feed to paho) is not properly signed or generated, or the certificates that Mosquitto is using are not signed correctly. Either way, you likely need to start the entire process over to be 100% certain everything was done right.

Generate the fake certificate authority's (CA) signing key
$ openssl genrsa -des3 -out ca.key 2048

Generate a certificate signing request for the fake CA
$ openssl req -new -key ca.key -out ca-cert-request.csr -sha256
    Give the organization a name like "Fake Authority" and do not enter a common name (since your fake CA does not actually live on a server with a name)

Create the fake CA's root certificate
$ openssl x509 -req -in ca-cert-request.csr -signkey ca.key -out ca-root-cert.crt -days 365 -sha256

Create the server / mqtt broker's keypair
$ openssl genrsa -out server.key 2048

Create a certificate signing request using the server key to send to the fake CA for identity verification
$ openssl req -new -key server.key -out server-cert-request.csr -sha256
    Give the organization a name like "Localhost MQTT Broker Inc." and the common name should be localhost or the exact domain you use to connect to the mqtt broker

Now acting as the fake CA, you receive the server's request for your signature. You have verified the server is who it says it is (an MQTT broker operating on localhost), so create a new certificate & sign it with all the power of your fake authority.
$ openssl x509 -req -in server-cert-request.csr -CA ca-root-cert.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

Now you have everything you need. Make sure (as in Steve’s tutorial) Mosquitto is loading the following in mosquitto.conf:

listener 8883
cafile certs\ca-root-cert.crt
keyfile certs\server.key
certfile certs\server.crt

Make sure paho-mqtt is loading the fake CA’s root certificate.

client1.tls_set(ca_certs=“ca-root-cert.crt”)

This is how it knows that mosquitto’s server.crt is legitimately signed by a “real and trusted authority” and is not “self-signed” and thus untrusted. Mosquitto and paho should now be able to securely connect and communicate.

Hello,

For information the last version of OMG doesn’t verify per default the root authority, you need to activate a macro to have it verifiying

Did you try the last version with mqtt_secure option (in the wifi manager portal) and port 8883?

Yes. I have the mqtt_secure option selected and the port set to 8883. What I don’t know is how to create the required mqtt broker cert. I do have a working connection between my local Node Red machine and the AWS MQTT broker using these following files:
client.csr
client.key
ca-root-cert.crt

and these instructions:

sudo openssl genrsa -out client.key 2048
sudo openssl req -new -out client.csr -key client.key
sudo openssl x509 -req -in client.csr -CA ca-root-cert.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360

I’m just not familiar with key pair authentication to know what to do next. Do I create another cert or key. Do reuse an existing from the instructions included herein? My preference is to have multiple OMG nodes with individual keys that I can revoke.

Or maybe use a set of keys for all connections and pair with user authentication for access control.

Trying to state this better in this post.

What information goes into the mqtt_secure option (in the wifi manager portal) while using port 8883?

Here’s what I have:
Server certificate: server.crt
Server Key: server.key
Root Certificate: root.crt

I only know how to generate the following:
For MQTT clients (IoT devices, MQTT client software, etc) generate the needed certificate and keys:

  1. Create a client key:

openssl genrsa -out client.key 2048

  1. Create a client certificate request (this is an intermediary file):

openssl req -new -key client.key -out client.csr

  1. Create a client certificate:

openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt

  1. Copy the following to the device or client software:

Server Certificate: server.crt (from the previous section above)
Client certificate: client.crt
Client Key: client.key

Hello,

You can take a look below:

It shows how to generate the certs and how to use them (we are using the same library)

Nice and thank you. I am still having difficulty placing the certs into the mqtt broker cert field. As I understand the library, there are 3 files that are Const variables, beginning with line 54, that are required for the connection.

const char* CA_cert =
const char* ESP_CA_cert =
const char* ESP_RSA_key=

I have the certs and used the certificate_generator.sh. The script will convert the individual files into a single esp_certificates.c file with the correct syntax for the example .ino. However, the mqtt broker cert field has a text limit that will not take formatted esp_certificates.c information.

Here is the match between the lib and OMG code in the section MQTT_SECURE_SELF_SIGNED:

CA_cert = ss_server_cert
ESP_CA_cert = ss_client_cert
ESP_RSA_key= ss_client_key

The certificates generated (individual files) need to be opened and placed in the User_config.h.

You don’t need to use const char* certificate PROGMEM. This one is for certificates signed by a trusted authority (not self-signed)