
MQTT mosquitto - set up client for intermediate CA


I have created a CA, an intermediate CA and certificates signed by the intermediate CA with these commands:

CA:
openssl req -new -newkey rsa:4096 -days 365 -extensions v3_ca -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=ca/" -nodes -x509 -sha256 -set_serial 0 -keyout ca.key -out ca.crt

Intermediate CA:
openssl genrsa -out subca.key 4096
openssl req -new -key subca.key -out subca.csr
openssl x509 -req -days 365 -in subca.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out subca.crt -extfile openssl.cfg -extensions v3_ca

Server:
openssl req -newkey rsa:4096 -nodes -keyout server.key -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=server/" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=IP:177.18.0.1") -days 365 -in server.csr -CA subca.crt -CAkey subca.key -CAcreateserial -out server.crt

Client:
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=client/" -out client.csr
openssl x509 -req -in client.csr -CA subca.crt -CAkey subca.key -CAcreateserial -out client.crt -days 365

When I verify the server or client certificate, everything seems good. The verify command I use:

openssl verify -verbose -CAfile <(cat subca.crt ca.crt) server.crt

I want to connect to mosquitto with TLS/SSL support using these certificates.

Mosquitto configuration:

listener 1883
require_certificate false
allow_anonymous true

listener 8883

capath /mosquitto/config/certs/ca/
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key

require_certificate true
allow_anonymous true
use_identity_as_username true

But when I want to connect with my client, I do not know how to set up the function tls_set() for an intermediate CA. Can you help me set up this function? When I look at the official documentation https://www.eclipse.org/paho/index.php?page=clients/python/docs/index.php#option-functions for the function tls_set(), there is a sentence that says:

"ca_certs = a string path to the Certificate Authority certificate files that are to be treated as trusted by this client."

But I don't know how to put more certificates there, and I cannot use a directory as the argument.

Client code:

import ssl
import paho.mqtt.client as mqtt


def on_message(client, userdata, msg):
    # called for every message on a subscribed topic
    print(msg.topic, msg.payload)


client = mqtt.Client(client_id='Monitoring Test',
                     clean_session=None,   # must be None with MQTTv5
                     userdata=None,
                     protocol=mqtt.MQTTv5,
                     transport='tcp')

client.on_message = on_message
# ca_certs is handed to SSLContext.load_verify_locations(), which accepts a
# single PEM file holding several concatenated CA certificates.
# client.key was generated with -des3, so it is passphrase-protected; Python
# prompts for the passphrase when loading it (newer paho versions also take
# keyfile_password=...).
client.tls_set(ca_certs="ca-chain.pem",
               certfile="client.pem",
               keyfile="client.key",
               tls_version=ssl.PROTOCOL_TLSv1_2)

client.connect("177.18.0.1", port=8883, keepalive=60)
client.subscribe("topic", qos=2)
client.loop_forever(timeout=60)

I know how to do it for a root CA and a certificate signed directly by that CA.


Solution

  • hardillb suggested that I use, for the client:

    cat subca.crt ca.crt > ca-chain.crt (order is important)
    

    When I used it only for the client it still did not work, but as soon as I also used the file ca-chain.crt for the server, it worked.

    So change the line capath /mosquitto/config/certs/ca/ in the mosquitto configuration and use cafile /mosquitto/config/test/ca-chain.pem instead.
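The whole procedure from the question, as an added example that is not part of the original post and not code from mosquitto or paho: it regenerates a root -> intermediate -> leaf hierarchy with the CA and leaf extensions (basicConstraints, keyUsage, extendedKeyUsage, subjectAltName) that the post's commands leave to whatever openssl.cnf happens to be installed, builds the ca-chain.pem bundle hardillb suggested, and then uses openssl verify to model each trust configuration a broker and a client can end up in. The SAN 177.18.0.1 is taken from the post; the CNs "Demo Root CA", "Demo Intermediate CA", "broker" and "client", the WORK directory, and the use of the -untrusted flag to stand in for a TLS peer that sends its intermediate along with its leaf are my assumptions. It needs OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build a root -> intermediate -> leaf PKI
# with explicit CA/leaf extensions, then model with `openssl verify` the trust
# configurations a mosquitto broker and a paho client can end up in.
# Assumes OpenSSL 1.1.1 or newer on PATH and a writable temp directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BROKER_IP="${BROKER_IP:-177.18.0.1}"   # SAN of the server cert, as in the post

# One config file serves `req` (DN, root extensions) and `x509 -req -extfile`.
write_config() {
  cat > "$WORK/pki.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$BROKER_IP
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue <name> <CN> <issuing CA name> <extension section>: make a CSR, then sign it.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
    -CAkey "$WORK/$3.key" -CAcreateserial -extfile "$WORK/pki.cnf" \
    -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
}

make_pki() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/pki.cnf" -extensions v3_root -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue subca  "Demo Intermediate CA" ca    v3_subca
  issue server "broker"               subca v3_server
  issue client "client"               subca v3_client
  # Trust bundle for paho's ca_certs or mosquitto's cafile: intermediate, then root.
  cat "$WORK/subca.crt" "$WORK/ca.crt" > "$WORK/ca-chain.pem"
}

# expect ok|fail <label> <openssl verify args...>; returns 1 when the outcome differs.
expect() {
  want=$1; label=$2; shift 2
  if openssl verify "$@" >/dev/null 2>&1; then got=ok; else got=fail; fi
  if [ "$got" = "$want" ]; then echo "$got (as expected): $label"; return 0; fi
  echo "$got (UNEXPECTED): $label" >&2; return 1
}

demo() {
  cd "$WORK"
  # paho with ca_certs=ca.crt against a broker whose certfile holds only server.crt
  expect fail "root only, bare server leaf"          -CAfile ca.crt server.crt
  # same client, but certfile = server.crt + subca.crt so the broker sends the chain
  expect ok   "root only, broker sends intermediate" -CAfile ca.crt -untrusted subca.crt server.crt
  # the fix from the post: the bundle makes the intermediate a trust anchor itself
  expect ok   "ca-chain.pem, bare server leaf"       -CAfile ca-chain.pem server.crt
  # broker side with require_certificate true and paho sending only client.crt
  expect fail "broker cafile=ca.crt, bare client leaf"       -CAfile ca.crt client.crt
  expect ok   "broker cafile=ca-chain.pem, bare client leaf" -CAfile ca-chain.pem client.crt
  # extendedKeyUsage stops a client certificate from being presented as the broker
  expect fail "client cert offered as server cert"   -purpose sslserver -CAfile ca-chain.pem client.crt
}

if command -v openssl >/dev/null 2>&1; then   # skip cleanly on hosts without the CLI
  make_pki
  demo
fi
```

The two failing cases are the ones the question ran into: a verifier that trusts only the root and is handed a bare leaf cannot build the chain, whichever side is doing the verifying. The bundle is one way out, and it is what the accepted fix does on both sides. The other way is to ship the intermediate with the leaf: mosquitto loads certfile with OpenSSL's chain-file loader, so it can hold server.crt followed by subca.crt, and Python's load_cert_chain (which paho calls for certfile) likewise sends every certificate in the file, so client.pem can be client.crt followed by subca.crt. With that, each side only needs ca.crt as its trust anchor, which is the arrangement that scales when the intermediate is rotated. The last case is the reason to set extendedKeyUsage on leaves: a certificate issued for a client cannot then be replayed as the broker's certificate.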