While working on an IoT project involving an MQTT server, I ended up generating my own SSL certificates for the MQTT broker (mosquitto).

There are many guides out there on how to do this, and I have been in the situation of needing to generate my own SSL certificates for some reason or another in the past (for iOS applications, websites, etc). While most of the time you will create a CSR (certificate signing request) to be signed by a certificate authority (such as Let’s Encrypt), sometimes there is a need to set up such an infrastructure to self-certify your own certificates.

How to submit certificates for signing through Let’s Encrypt is a discussion for another time; for now I would like to concentrate on self-signed certificates.

The primary tool used for this is openssl, which is almost always installed by default on macOS and Linux computers. On a Windows computer it might need to be installed. For development and testing of the included script, macOS Sonoma (14.4.1) was used on an M3 MacBook Pro.

The commands for the script are fairly straightforward, and I will outline them here. Be warned, though, that there is no overwrite protection built into any of the scripts: if you run create_ca.sh twice, for example, it will overwrite your previous CA key and certificate (not good). A safety measure I use is to remove the execute permission from the scripts I don’t need to use anymore, using the following command.
chmod u-x create_ca.sh

Firstly, after extracting the contents you should make sure the .sh files are executable using
chmod u+x *.sh

If you make a mistake and want to reset everything then the below command can be used, but everything will be deleted (including the root CA).
./reset_delete_all.sh

Next, we will need to generate the root CA that will be used to sign certificates. The expiration defaults to 3650 days (10 years), which is common to see in root certificates. By default no encryption is applied to the root private key, but this can be changed by editing create_ca.sh and removing the line containing “-nodes” near the bottom of the file. Let’s go ahead and create the root certificate now using the command below. The words “mydomain.net Root CA” can be replaced by anything; they will be written to the “organization [O]” field on the certificate. Other parameters can also be set at the top of the create_ca.sh file prior to executing.
./create_ca.sh "mydomain.net Root CA"

Now that we have the root CA created, we can create and sign one (or more) certificates. This can be done with the command below, replacing “www.mydomain.net” with whatever you would like the “common name [CN]” to be. This is generally the website’s domain name. The second parameter is the number of days the certificate will be valid. This will default to 90 days if not provided.
./create_cert.sh www.mydomain.net 90

Now, looking at the directory structure, the certificates created above should be found in the “certificates” subfolder, inside a further subfolder named after the “common name [CN]”. The date/time is appended to filenames. The root CA will be found under the “ca” subfolder. The “ca.crt” can be safely provided to anyone and used to verify the certificates signed above. The “ca.key” should never be distributed or given to anyone, as anyone who has the root CA private key can sign certificates.

In my case, with mosquitto, I upload the “ca.crt” file to the server and use it as the “ca certificate”, which allows client verification and authentication. Each client will also need to have the “ca.crt” file specified as the root or CA certificate.
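
The scripts themselves are not reproduced in this post, so here is an added sketch (not the contents of create_ca.sh or create_cert.sh) of the openssl steps described above, with a guard against overwriting an existing CA and a final check of the signed certificate against “ca.crt”. The function names, the server.* file names, the RSA 2048 keys and the subjectAltName entry are assumptions of this example; the SAN is included because current TLS clients match the hostname against it rather than against the CN.

```shell
#!/bin/sh
# Added example, not the post's scripts. Function and file names are hypothetical;
# the ca/ and certificates/<CN>/ layout follows the post.
set -eu

CONF=$(mktemp)   # minimal config so results do not depend on the system openssl.cnf
cat > "$CONF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca "<organization>" [days]: create ca/ca.key and ca/ca.crt, once only.
make_ca() {
    if [ -e ca/ca.key ] || [ -e ca/ca.crt ]; then
        echo "refusing to overwrite existing CA in ./ca" >&2
        return 1
    fi
    mkdir -p ca
    ( umask 077   # private key readable by its owner only
      openssl req -x509 -config "$CONF" -newkey rsa:2048 -nodes -sha256 \
          -days "${2:-3650}" -subj "/O=$1" \
          -keyout ca/ca.key -out ca/ca.crt 2>/dev/null )
}

# make_cert <common-name> [days]: new key and CSR, signed by the CA, then verified.
make_cert() {
    d="certificates/$1"
    mkdir -p "$d"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" > "$d/ext.cnf"
    ( umask 077
      openssl req -new -config "$CONF" -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null )
    openssl x509 -req -in "$d/server.csr" -CA ca/ca.crt -CAkey ca/ca.key \
        -CAcreateserial -days "${2:-90}" -sha256 -extfile "$d/ext.cnf" \
        -out "$d/server.crt" 2>/dev/null
    openssl verify -CAfile ca/ca.crt "$d/server.crt" >/dev/null
}
```

After sourcing the file, `make_ca "mydomain.net Root CA"` followed by `make_cert www.mydomain.net 90` mirrors the two script calls above; a second `make_ca` returns an error instead of replacing the CA key.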
