在 Mosquitto MQTT SSL/TLS 实例和客户端 java 应用程序中使用 DigiCert 全球根 CA

Using DigiCert Global Root CA in a Mosquitto MQTT SSL/TLS instance and client java application

我是 运行 用于 TLS1.2 的 Mosquitto MQTT 成功使用从 OpenSSL 生成的证书并在 mosquitto 配置文件中使用。这也涉及到Java客户端手动指定连接mosquitto的CA证书文件

我想使用 Java 密钥库中的 DigiCert Global Root CA

当前设置

此 Mosquitto 配置文件如下所示:

cafile .\m2mqtt_ca.crt

# PEM encoded server certificate.
certfile .\m2mqtt_srv.crt

# PEM encoded keyfile.
keyfile .\m2mqtt_srv.key

tls_version tlsv1.2

这些证书是使用 OpenSSL 使用以下命令生成的:

# generate key
openssl genrsa -des3 -out m2mqtt_ca.key 2048

# create CA certificate
openssl req -new -x509 -days 3650 -key m2mqtt_ca.key -out m2mqtt_ca.crt

# create private key for the server
openssl genrsa -out m2mqtt_srv.key 2048

# create certificate request from CA
openssl req -new -out m2mqtt_srv.csr -key m2mqtt_srv.key

# verify and sign the certificate request
openssl x509 -req -in m2mqtt_srv.csr -CA m2mqtt_ca.crt -CAkey m2mqtt_ca.key -CAcreateserial -out m2mqtt_srv.crt -days 3650

它可以在客户端 java 应用程序中使用,使用以下内容:

package acme.messaging;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;

public class SslUtil {

    public static final SSLSocketFactory Instance;

    static {
        Instance = SslUtil.getSocketFactory(
                "N:\work\acme\mqtt-ssl\messaging\mqtt\certs\m2mqtt_ca.crt");
    }

    private static X509CertificateHolder loadCACert(String caCrtFile) throws IOException {
        PEMParser reader =
                new PEMParser(
                        new InputStreamReader(new ByteArrayInputStream(
                                Files.readAllBytes(Paths.get(caCrtFile)))));
        X509CertificateHolder caCert = (X509CertificateHolder) reader.readObject();
        reader.close();

        return caCert;
    }

    static SSLSocketFactory getSocketFactory(
            final String caCrtFile) {

        try {
            Security.addProvider(new BouncyCastleProvider());

            JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter();

            X509CertificateHolder caCertificateHolder = loadCACert(caCrtFile);

            // CA certificate is used to authenticate server
            KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
            caKs.load(null, null);
            caKs.setCertificateEntry("ca-certificate", jcaX509CertificateConverter.getCertificate(caCertificateHolder));
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(caKs);

            // finally, create SSL socket factory
            SSLContext context = SSLContext.getInstance("TLSv1.2");

            context.init(null, tmf.getTrustManagers(), null);

            return context.getSocketFactory();
        } catch (Exception ex) {
            return null;
        }
    }
}

// consume
String uri = "ssl://localhost:1884";
String clientId = "1002";

final MqttMessage mqttMessage = new MqttMessage();
String messageText = "Some data";
mqttMessage.setPayload(messageText.getBytes());

try (MqttClient client = new MqttClient(uri, clientId)) {
    if (!client.isConnected()) {
        final MqttConnectOptions options = new MqttConnectOptions();
        options.setUserName("acme-user");
        options.setPassword("acme-user".toCharArray());

        options.setSocketFactory(SslUtil.Instance);

        client.connect(options);
    }

    mqttMessage.setRetained(true);

    client.publish("test/writeme", mqttMessage);
}


问题

是否可以在 Mosquitto 中使用基于 DigiCert Global Root CA 的证书?

目前它存在于我的 Java 密钥库中:

可以导出,但不确定是否可以在OpenSSL工作流中正确使用。我已尝试在上述步骤中使用它,但这会产生错误。想法是生成相同的文件并将它们导入到蚊子配置中。

尝试通过 OpenSSL 重用 DigiCert 证书时出错

这里我确实尝试使用生成的文件和从 DigiCert

下载的文件

以下命令行生成于DigiCert website

openssl req -new -newkey rsa:2048 -nodes -out localhost.csr -keyout localhost.key -subj "/C=GB/ST=Durham/L=Durham/O=quorum/CN=localhost"
Can't load ./.rnd into RNG
8016:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:88:Filename=./.rnd
Generating a RSA private key
......................................................................................................................................................................+++++
.....................................................................................................+++++
writing new private key to 'localhost.key'

注意:我不知道这里的事件顺序。

然后是这些:

openssl x509 -req -in localhost.csr -CA DigiCertAssuredIDRootCA.crt -CAkey localhost.key -CAcreateserial -out m2mqtt_srv.crt -days 3650

错误:

Signature ok
subject=C = GB, ST = Durham, L = Durham, O = quorum, CN = localhost
unable to load certificate
9896:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

也试过这个:

openssl x509 -req -in localhost.csr -CA DigiCertAssuredIDRootCA.crt -CAkey DigiCertAssuredIDRootCA.crt.pem -CAcreateserial -out m2mqtt_srv.crt -days 3650

错误:

Signature ok
subject=C = GB, ST = Durham, L = Durham, O = quorum, CN = localhost
unable to load certificate
12904:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

如评论中所述。

您不能将证书签署为受信任的 CA(如果可以,您为什么要信任 CA?)。

您必须生成 CSR(证书签名请求)并将其发送给 CA 以供他们签名(通常会向您收费)。他们还将证明您拥有证书所代表的域。 (LetsEncrypt 使用 certbot 工具为您完成这一切,并将免费完成)。

此外,任何受信任的 CA 都不会为 localhost 签署证书。