
mosquitto-users team mailing list archive

Re: Understanding how the mosquitto server uses SSL

 

Roger,

I should clarify. All of the APIs I have worked with generate the public certificate from the private key on the fly so the X509 certificate for the server is not needed on the server side. Of course the client must have it in its truststore but configuring the client is not of concern here. I am just trying to find out what is needed on the server side. Clearly if the server APIs do not generate the public certificate when doing the TLS hello, then one will be needed.

I was wondering if I could put the client's public certificate in the same directory as the server's private key (and server's certificate). This is needed when doing client authentication.

Thanks,

Brian

-----Original Message-----
From: rogerlight@xxxxxxxxx [mailto:rogerlight@xxxxxxxxx] On Behalf Of Roger Light
Sent: Monday, December 02, 2013 6:24 PM
To: Brian Reinhold
Cc: mosquitto-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Mosquitto-users] Understanding how the mosquitto server uses SSL

On Mon, Dec 2, 2013 at 10:42 PM, Brian Reinhold <brianreinhold@xxxxxxxxxxxxxxxxxxx> wrote:
> Thanks Roger,
>
> That does help. It whittles down the possibilities.
>
> So if I have a private key for the server (now in a keystore in jks 
> format encrypted by a password) and a self signed X509 certificate 
> from the client in my truststore (also in a truststore in jks format 
> encrypted with a password), how would I set this up for Mosquitto?
> I can export the private key from the keystore in PEM format and I can 
> do the same for the public certificate in the truststore.

Yes, this would work.

> The two files are sufficient for mutually authenticated TLS.

I disagree. How can the client trust the server without first knowing something about it? It can't have the private key of the server, so based on those two files the client does not know anything about the server in advance.

> Somehow I get the impression that I need a third certificate minimum 
> to work with Mosquitto, for example the public certificate matching 
> the server's private key. (All my 'public' certificates at this time 
> are self-signed).

That is correct; the client needs to know who to trust. In normal TLS situations this would be a CA certificate and anything signed by that certificate or chain, but a self-signed certificate should also work.

> If I have these two files now in PEM format, how would I configure 
> Mosquitto to use them?

Set keyfile to your private key, generate a certificate to go with the private key and set that as certfile. Concatenate the self-signed server certificate and client certificate and use the result with the cafile option.

> Can they be in the same directory?

Yes.

> Do I have to generate a public certificate from the server's private 
> key (I can easily generate a self-signed certificate)?

Yes.

> Can all public certificates be self-signed?

Self-signed should be no problem, but I don't tend to look at it because using my own fake CA is easy and a more useful test. If it doesn't work it needs fixing, but I'm sure it is fine.

Cheers,

Roger
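The three-file setup Roger describes above (keyfile, a certificate generated from that key as certfile, and the server and client certificates concatenated as cafile), as an added example that is not part of the original thread. It assumes openssl is installed, uses constructed names (broker.example, client1), and adds the listener and require_certificate options, which the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): builds the three PEM files Roger
# describes and a matching Mosquitto listener config. Assumes openssl is
# installed; names like broker.example and client1 are constructed.
set -e

# make_tls_dir DIR: writes server.key, server.crt, client.key, client.crt,
# ca.pem and mosquitto.conf into DIR.
make_tls_dir() {
  dir="$1"
  mkdir -p "$dir"
  # Server side: the private key Brian already has (generated fresh here)
  # plus a self-signed certificate made from it. This is the "third
  # certificate" a client must hold in its truststore to verify the broker.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
    -days 365 -subj "/CN=broker.example" 2>/dev/null
  # Client side: a self-signed client certificate, as in Brian's truststore.
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/client.key" -out "$dir/client.crt" \
    -days 365 -subj "/CN=client1" 2>/dev/null
  # cafile = server certificate and client certificate concatenated; a
  # client whose self-signed certificate is not in this bundle is rejected.
  cat "$dir/server.crt" "$dir/client.crt" > "$dir/ca.pem"
  cat > "$dir/mosquitto.conf" <<EOF
listener 8883
cafile $dir/ca.pem
certfile $dir/server.crt
keyfile $dir/server.key
require_certificate true
EOF
}

# verify_client DIR CERT: succeeds only if CERT chains to something in
# DIR/ca.pem, which is the check the broker makes with require_certificate.
verify_client() {
  openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1
}

# Usage: make_tls_dir ./tls && mosquitto -c ./tls/mosquitto.conf
```

The same verify_client check run against a self-signed certificate that was not concatenated into ca.pem fails, which is why every client certificate must be appended to the cafile bundle.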


-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4259 / Virus Database: 3629/6886 - Release Date: 12/02/13

