I’m out of my wheelhouse when it comes to this and would like to know how to set up a certificate for OMG to connect to my AWS mqtt instance running Ubuntu. I’ve been able to connect my local node red server to my AWS mqtt broker using the instructions from StackOverflow. But I don’t know how to create additional client certificates for multiple OMG nodes to connect to my AWS mqtt broker.
The message you are receiving indicates that the broker’s server certificate is not trusted (because it is self-signed), therefore paho is not being correctly told it is trustworthy.
It is possible your fake certificate authority’s root certificate (the ca.crt file you feed to paho) is not properly signed or generated, or the certificates that Mosquitto is using are not signed correctly. Either way, you likely need to start the entire process over to be 100% certain everything was done right.
Generate the fake certificate authority's (CA) signing key
$ openssl genrsa -des3 -out ca.key 2048
Generate a certificate signing request for the fake CA
$ openssl req -new -key ca.key -out ca-cert-request.csr -sha256
Give the organization a name like "Fake Authority" and do not enter a common name (since your fake CA does not actually live on a server with a name)
Create the fake CA's root certificate
$ openssl x509 -req -in ca-cert-request.csr -signkey ca.key -out ca-root-cert.crt -days 365 -sha256
Create the server / mqtt broker's keypair
$ openssl genrsa -out server.key 2048
Create a certificate signing request using the server key to send to the fake CA for identity verification
$ openssl req -new -key server.key -out server-cert-request.csr -sha256
Give the organization a name like "Localhost MQTT Broker Inc." and the common name should be localhost or the exact domain you use to connect to the mqtt broker
Now acting as the fake CA, you receive the server's request for your signature. You have verified the server is who it says it is (an MQTT broker operating on localhost), so create a new certificate & sign it with all the power of your fake authority.
$ openssl x509 -req -in server-cert-request.csr -CA ca-root-cert.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
Now you have everything you need. Make sure (as in Steve’s tutorial) Mosquitto is loading the following in mosquitto.conf:
Make sure paho-mqtt is loading the fake CA’s root certificate.
client1.tls_set(ca_certs="ca-root-cert.crt")
This is how it knows that mosquitto’s server.crt is legitimately signed by a “real and trusted authority” and is not “self-signed” and thus untrusted. Mosquitto and paho should now be able to securely connect and communicate.
Yes. I have the mqtt_secure option selected and the port set to 8883. What I don’t know is how to create the required mqtt broker cert. I do have a working connection between my local Node Red machine and the AWS MQTT broker using the following files:
client.csr
client.key
ca-root-cert.crt
I’m just not familiar enough with key pair authentication to know what to do next. Do I create another cert or key? Do I reuse an existing one from the instructions included herein? My preference is to have multiple OMG nodes with individual keys that I can revoke.
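The CA and server recipe quoted above, extended to the per-node client certificates asked about here, as an added example that is not part of this thread or of OpenMQTTGateway. It assumes `openssl` is installed; the directory name, node names and the minimal `openssl ca` config it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or OpenMQTTGateway: extends the CA
# and server recipe above with one CA-signed client certificate per OMG node
# plus a CRL, so a single node's key can be revoked without touching the rest.
# Assumes `openssl` is on PATH; paths, node names and config are constructed.
set -eu
PKI="${PKI:-$PWD/omg-pki}"
# One-time: private CA plus the database and CRL-number files `openssl ca`
# uses to track revocations (key left unencrypted here for scripting).
make_ca() {
  mkdir -p "$PKI"
  openssl genrsa -out "$PKI/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$PKI/ca.key" -sha256 -days 365 \
    -subj "/O=Fake Authority" -out "$PKI/ca-root-cert.crt"
  : > "$PKI/index.txt"; echo 01 > "$PKI/crlnumber"
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = omg_ca
[ omg_ca ]
database         = $PKI/index.txt
crlnumber        = $PKI/crlnumber
certificate      = $PKI/ca-root-cert.crt
private_key      = $PKI/ca.key
default_md       = sha256
default_crl_days = 30
EOF
  openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/ca.crl" 2>/dev/null
}
# Per node: key and CSR for that device, then the CA signs it. The CN names the
# node so the broker can map the TLS identity to a username and ACLs
# (Mosquitto: use_identity_as_username true).
make_client() {
  openssl genrsa -out "$PKI/$1.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/$1.key" -sha256 -subj "/O=OMG Nodes/CN=$1" \
    -out "$PKI/$1.csr"
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca-root-cert.crt" \
    -CAkey "$PKI/ca.key" -CAcreateserial -days 360 -sha256 \
    -out "$PKI/$1.crt" 2>/dev/null
}
# Revoke one node and reissue the CRL (point Mosquitto's crlfile at ca.crl).
revoke_client() {
  openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/$1.crt" 2>/dev/null
  openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/ca.crl" 2>/dev/null
}
# Exit 0 only if the node cert chains to the CA and is not on the CRL.
client_is_valid() {
  openssl verify -CAfile "$PKI/ca-root-cert.crt" -CRLfile "$PKI/ca.crl" \
    -crl_check "$PKI/$1.crt" >/dev/null 2>&1
}
[ $# -eq 0 ] || "$@"   # e.g. sh omg-pki.sh make_client omg-garage
```

For the broker to actually check these client certificates, Mosquitto's listener needs `require_certificate true`, `cafile` pointing at ca-root-cert.crt and `crlfile` pointing at ca.crl; each OMG node then gets its own `<node>.key` and `<node>.crt` alongside the shared CA certificate.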
Nice and thank you. I am still having difficulty placing the certs into the mqtt broker cert field. As I understand the library, there are 3 files that are const variables, beginning with line 54, that are required for the connection.
I have the certs and used the certificate_generator.sh. The script will convert the individual files into a single esp_certificates.c file with the correct syntax for the example .ino. However, the mqtt broker cert field has a text limit that will not take formatted esp_certificates.c information.