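Enabling SSL on EMQX requires some preparation first. The same steps can be used as a reference wherever a self-signed certificate is needed.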
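Generate the CA certificate

```bash
# -nodes leaves ca.key unencrypted on disk; -days 36500 makes the CA valid for about 100 years
openssl req \
    -new \
    -newkey rsa:2048 \
    -days 36500 \
    -nodes \
    -x509 \
    -subj "/C=CN/O=EMQ Technologies Co., Ltd/CN=EMQ CA" \
    -keyout ca.key \
    -out ca.pem
```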
Generate the server certificate

```bash
# Generate the server private key (emqx.key)
openssl genrsa -out emqx.key 2048
```
```bash
# Create the openssl.cnf config file by hand (written here with a heredoc);
# its purpose is to set the IP and domain name
# For reference, see the default at /etc/pki/tls/openssl.cnf
cat > openssl.cnf <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Jiangsu
localityName = Suzhou
organizationName = EMQX
commonName = CA

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.1.1
DNS.1 = *.hylove.site
EOF

# Create the certificate signing request from the server key and the config above
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
```
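```bash
# Generate the server certificate
# -extfile/-extensions write the subjectAltName from [v3_req] into the signed certificate
openssl x509 -req -in ./emqx.csr \
    -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out emqx.pem -days 36500 -sha256 \
    -extensions v3_req -extfile openssl.cnf
```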
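`openssl x509 -req` does not copy the request's extensions by default, so a certificate signed without `-extensions`/`-extfile` silently loses its SAN and clients reject it on hostname checks. The script below is an added example, not part of the original post: `check_cert` and `make_demo` are hypothetical helper names, and the throwaway "Demo CA" and `demo-server` certificates are constructed test data that reuse this page's SAN values.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a signed certificate
# chains to the CA and that the SAN entries actually made it into the certificate.

# check_cert CA CERT SAN_ENTRY
# SAN_ENTRY uses openssl's text form, e.g. "IP Address:192.168.1.1" or "DNS:*.hylove.site".
# Returns 0 = ok, 1 = chain does not verify, 2 = SAN entry absent.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain FAIL: $2"; return 1; }
    openssl x509 -in "$2" -noout -text | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF -- "$3" \
        || { echo "SAN missing ($3): $2"; return 2; }
    echo "ok: $2"
}

# make_demo DIR: constructed test data. Builds a throwaway CA and signs one CSR twice:
# good.pem with -extfile/-extensions (as on this page), nosan.pem without them.
make_demo() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
commonName = demo-server
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.1
DNS.1 = *.hylove.site
EOF
    openssl req -new -newkey rsa:2048 -days 1 -nodes -x509 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$1/srv.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/srv.key" -config "$1/openssl.cnf" -out "$1/srv.csr" &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 1 -sha256 -extensions v3_req -extfile "$1/openssl.cnf" -out "$1/good.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 1 -sha256 -out "$1/nosan.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo "$demo"
check_cert "$demo/ca.pem" "$demo/good.pem"  "DNS:*.hylove.site"            # ok
check_cert "$demo/ca.pem" "$demo/nosan.pem" "DNS:*.hylove.site" || true   # SAN missing
```

Against the files produced on this page, the equivalent checks are `check_cert ca.pem emqx.pem "IP Address:192.168.1.1"` and `check_cert ca.pem emqx.pem "DNS:*.hylove.site"`.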
Client certificate

```bash
# Generate the key file
openssl genrsa -out client.key 2048
# Generate the CSR file
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Jiangsu/L=Suzhou/O=EMQX/CN=client"
# Generate the PEM certificate
openssl x509 -req -days 36500 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem
```
Reference
https://blog.csdn.net/ywt092/article/details/134496250