The goal of this project is to secure the communication between the clients and the Mosquitto broker with SSL/TLS.
The system consists of several sensors, connected to an Arduino board, which send their readings to a Mosquitto broker using the MQTT protocol. The broker then forwards this information to a dashboard built with Node-RED.

SECURITY FEATURES:
- Both clients (the Arduino and Node-RED) are authenticated with a username and password, which are only ever sent inside the TLS connection;
- Certificates and keys were created for the Mosquitto broker only: clients verify the broker's certificate against our Root CA, while the broker does not ask clients for a certificate (server-side TLS only).
Creating the Root CA is the first step towards secure SSL/TLS communication. Once the Root CA exists, it is used to sign the Mosquitto broker's certificate, and any client that trusts the Root CA can then authenticate the broker.
- Open the terminal and go to the folder where you want to create the Root CA.
- Create a configuration file for OpenSSL. This step has to be done twice, because we need two different configurations, one for the Root CA and one for the broker (server). We named the first file `openssl-ca.cnf` and the second `openssl-s.cnf`.

```
nano openssl-ca.cnf
```

Insert the following template in `openssl-ca.cnf`:

```
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = dn

[ dn ]
C = IT
ST = State
L = City
O = Organization Name
OU = Organizational Unit Name
CN = Common Name (e.g. localhost, IP address)
emailAddress = Email Address
```
This template defines the parameters used to create the certificate: the key length, the hashing algorithm and the distinguished name fields (country, state, city, organization name, organizational unit and common name).

Two details matter for the TLS handshake to succeed later on:

- `Organization Name` and `Organizational Unit Name` must be different in the two files. The Mosquitto documentation (mosquitto-tls) warns that certificates whose subject details are identical, even though generated separately, are rejected by the broker and the clients: with the same subject as its issuer, the broker certificate is treated as self-issued and fails verification.
- In `openssl-s.cnf`, `Common Name` must be exactly the hostname or IP address that the clients will connect to (`192.168.1.121` in the test below), because the clients compare the name in the broker's certificate with the address they were given.

- Save the two files and then proceed to create the private key.
- Generate a 2048-bit private key for the Root CA with the following command (make sure you are in the same directory where you saved `openssl-ca.cnf`). The key will be protected by a passphrase, which OpenSSL prompts for: it is required every time the key is used to sign a certificate, and it is the only protection of the CA key at rest.

```
openssl genrsa -des3 -out rootCA.key 2048
```
- Create the Root CA certificate:

```
openssl req -new -x509 -key rootCA.key -days 365 -out rootCA.crt -config openssl-ca.cnf
```

This command creates a `rootCA.crt` file in your folder, containing the self-signed Root CA certificate. This is the file that every client receives as its trust anchor.
Now you need to create a certificate for the Mosquitto broker and configure the broker to use it.
- Create the broker's private key (the public key is derived from it) with the following command:

```
openssl genrsa -out broker.key 2048
```

This key pair is needed to create a certificate signing request (CSR) for the Mosquitto broker, which contains its public key and the distinguished name from `openssl-s.cnf`. The Mosquitto broker's certificate is then signed with our Root CA. Note that `broker.key` is created without a passphrase, because Mosquitto has to read it at start-up without anyone typing a password.
- Create the certificate signing request (CSR) for the Mosquitto broker:

```
openssl req -new -key broker.key -out broker.csr -config openssl-s.cnf
```
- Sign the CSR with our Root CA to generate the Mosquitto broker's certificate:

```
openssl x509 -req -in broker.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out broker.crt -days 3650 -sha256
```

Two things to check here. First, `rootCA.crt` was created with `-days 365` while `broker.crt` is signed for 3650 days: clients validate every certificate in the chain, so the broker certificate stops working as soon as the Root CA expires, after one year. Give the CA a longer lifetime than the certificates it signs, or plan to re-issue both. Second, `openssl x509 -req` copies no extensions from the CSR and adds none unless an `-extfile` is given, so the resulting certificate has no subjectAltName. Mosquitto's own client library falls back to comparing the Common Name with the host it connects to, but stricter TLS stacks (OpenSSL's standard verifier, Node.js) only match an IP address against a subjectAltName entry.
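To see the whole Root CA and broker certificate procedure in one place, here is an added example script (not part of the project) that writes both configuration files, generates the keys and certificates, and then runs the checks a TLS client performs on `broker.crt`: chain to the Root CA, validity period and name matching. It goes slightly beyond the steps above: the Root CA gets explicit `CA:TRUE`/`keyCertSign` extensions, the broker certificate gets a `subjectAltName` through `-extfile`, and the CA outlives the broker certificate. `WORKDIR`, `BROKER_HOST`, `CA_PASS` and the organization names are assumptions; the CA passphrase is read from the environment instead of the interactive `-des3` prompt so the script can run unattended.

```shell
#!/bin/sh
# Added example, not the project's own script: Root CA + broker certificate
# generation as described above, followed by the checks a client performs.
# Assumptions: OpenSSL >= 1.1 on PATH; WORKDIR, BROKER_HOST, CA_PASS and the
# organization names are placeholders.
set -eu

WORKDIR="${WORKDIR:-./cryptomat}"
BROKER_HOST="${BROKER_HOST:-192.168.1.121}"   # the address clients pass to -h
CA_PASS="${CA_PASS:-change-me}"               # replaces the interactive -des3 prompt
CA_DAYS=3650                                  # the CA must outlive the certs it signs
BROKER_DAYS=365

# Broker name (IPv4 or hostname) as a subjectAltName entry. OpenSSL's verifier
# and Node.js match an IP address only against a SAN; Mosquitto's client
# library is the one that falls back to the CN when there is no DNS SAN.
san_for_host() {
    case "$1" in
        *[!0-9.]*) echo "DNS:$1" ;;
        *)         echo "IP:$1" ;;
    esac
}

write_configs() {
    mkdir -p "$WORKDIR"
    # Root CA request config. O/OU/CN differ from the broker's on purpose:
    # identical subjects make the broker cert look self-issued and fail.
    cat > "$WORKDIR/openssl-ca.cnf" <<EOF
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
C = IT
ST = State
L = City
O = Lab IoT Root CA
OU = Certificate Authority
CN = Lab IoT Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Broker request config; CN is the address clients connect to.
    cat > "$WORKDIR/openssl-s.cnf" <<EOF
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = dn
[ dn ]
C = IT
ST = State
L = City
O = Lab IoT Broker
OU = MQTT
CN = $BROKER_HOST
EOF
    # "openssl x509 -req" adds no extensions unless given -extfile.
    cat > "$WORKDIR/broker-ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $(san_for_host "$BROKER_HOST")
EOF
}

make_pki() {
    write_configs
    (
        cd "$WORKDIR"
        # Root CA: passphrase-protected key and self-signed certificate
        openssl genrsa -aes256 -passout "pass:$CA_PASS" -out rootCA.key 2048 2>/dev/null
        openssl req -new -x509 -key rootCA.key -passin "pass:$CA_PASS" \
            -days "$CA_DAYS" -out rootCA.crt -config openssl-ca.cnf
        # Broker: unencrypted key (Mosquitto reads it at start-up), CSR, signed cert
        openssl genrsa -out broker.key 2048 2>/dev/null
        openssl req -new -key broker.key -out broker.csr -config openssl-s.cnf
        openssl x509 -req -in broker.csr -CA rootCA.crt -CAkey rootCA.key \
            -passin "pass:$CA_PASS" -CAcreateserial -out broker.crt \
            -days "$BROKER_DAYS" -sha256 -extfile broker-ext.cnf 2>/dev/null
        chmod 600 rootCA.key broker.key   # private keys: owner-only access
    )
}

# Exit 0 only if broker.crt chains to rootCA.crt, is inside its validity
# period and was issued for $1: what mosquitto_pub --cafile checks for -h.
verify_broker_cert() {
    case "$1" in
        *[!0-9.]*) name_opt="-verify_hostname" ;;
        *)         name_opt="-verify_ip" ;;
    esac
    openssl verify -CAfile "$WORKDIR/rootCA.crt" "$name_opt" "$1" \
        "$WORKDIR/broker.crt" >/dev/null 2>&1
}

make_pki
if verify_broker_cert "$BROKER_HOST"; then
    echo "broker.crt verifies for $BROKER_HOST"
else
    echo "broker.crt does NOT verify for $BROKER_HOST" >&2
fi
```

Run it as `BROKER_HOST=192.168.1.121 CA_PASS='...' sh make_pki.sh`; the resulting `rootCA.crt`, `broker.crt` and `broker.key` are the three files copied to the Raspberry Pi below. `verify_broker_cert` with a different address fails, which is exactly the error a client gets when `-h` and the certificate name disagree.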
- After generating all the files, copy `rootCA.crt`, `broker.crt` and `broker.key` to the Raspberry Pi. The following commands were used to copy the certificates into Mosquitto's `certs` folder:

```
sudo cp /home/labiot/Desktop/cryptomat/broker.key /etc/mosquitto/certs/
sudo cp /home/labiot/Desktop/cryptomat/broker.crt /etc/mosquitto/certs/
sudo cp /home/labiot/Desktop/cryptomat/rootCA.crt /etc/mosquitto/certs/
```

`broker.key` is the only secret among the three: make sure it is readable by the `mosquitto` user (the broker refuses to start if it cannot load the key) and by nobody else. `rootCA.key` stays on the machine where the CA was created and is never copied to the Pi.
- Configure the Mosquitto broker to use the signed certificate by adding these lines (with absolute paths) to the broker's configuration file `mosquitto.conf`:

```
sudo /etc/init.d/mosquitto stop
sudo nano /etc/mosquitto/mosquitto.conf
```

```
listener 8883
allow_anonymous true
cafile /etc/mosquitto/certs/rootCA.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
```

```
sudo service mosquitto start
```

`allow_anonymous true` is only there to test the TLS setup on its own; it is turned off in the next section. Also check that nothing is still listening on the plaintext port 1883 (in Mosquitto 1.x the default listener stays active unless restricted, and in 2.x any `listener 1883` line keeps it open): a plaintext listener lets clients bypass everything configured above.
To add an extra layer of security, the broker can be configured to require client authentication with a valid username and password before accepting the connection. MQTT carries the credentials in clear text inside the CONNECT packet, so this is only safe because the connection is already protected by SSL/TLS: the username and password are encrypted in transit.
- Create the password file and the first user with the following command, then enter the password when prompted (we created two users, `arduino_client` and `node_red`):

```
mosquitto_passwd -c passwordfile <username>
```

To add other users, run the following command with the username and password:

```
mosquitto_passwd -b passwordfile <username> <password>
```

Note that `-c` overwrites an existing password file, so use it only for the first user, and that with `-b` the password ends up in the shell history and is visible in the process list while the command runs; the interactive form (without `-b`) avoids that.
- Copy the `passwordfile` into the Mosquitto folder and modify `mosquitto.conf`, replacing the earlier `allow_anonymous true` line with the following two lines:

```
sudo cp /home/labiot/Desktop/cryptomat/passwordfile /etc/mosquitto/
sudo /etc/init.d/mosquitto stop
sudo nano /etc/mosquitto/mosquitto.conf
```

```
allow_anonymous false
password_file /etc/mosquitto/passwordfile
```

Then start the broker again (`sudo service mosquitto start`). With `allow_anonymous false`, every connection without valid credentials is refused.
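For reference, here is the TLS listener part of `mosquitto.conf` as it should look at the end of this procedure, with the interim `allow_anonymous true` line shown beside its replacement. This is an added example, not the project's own configuration file: the paths are the ones used above, while the `tls_version` and `require_certificate` lines are additions (both are standard Mosquitto listener options).

```conf
# Added example, not the project's mosquitto.conf. Paths are those used above.
# Only one listener: TLS on 8883. A "listener 1883" line (or, in Mosquitto 1.x,
# the default listener) would accept plaintext connections alongside it.
listener 8883
cafile /etc/mosquitto/certs/rootCA.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
# Addition: refuse TLS 1.0 and 1.1 handshakes
tls_version tlsv1.2
# Explicit default: server-side TLS only, clients are not asked for a certificate
require_certificate false

# Weak setting used only while testing the certificates (remove it):
# allow_anonymous true
# Corrected setting: every client must present a valid username and password
allow_anonymous false
password_file /etc/mosquitto/passwordfile
```

After editing, restart the broker and confirm that a `mosquitto_pub` without `-u`/`-P` is refused while the authenticated publish in the test below succeeds.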
- Access `http://localhost:1880` and modify the configuration of the broker node, changing the port to `8883` and enabling TLS. In the TLS configuration node, upload `rootCA.crt` as the CA certificate and keep "Verify server certificate" enabled: with verification disabled Node-RED accepts any certificate, so the connection would still be encrypted but the broker would not be authenticated.
- Set the username and password for the Node-RED client (the `node_red` user created above).
- Deploy and check the connection of each node.
Before sending messages from the Arduino, we simulate the client on our PC to check that everything done so far works.
- Publish a test message on the `topic/street_lights` topic. In this command, replace the rootCA path, the hostname and the password:

```
mosquitto_pub --cafile /Users/benedettosimone/Desktop/cryptoMat/rootCA.crt -h 192.168.1.121 -t topic/street_lights -m "Test message" -u arduino_client -P <pwd>
```

`--cafile` makes the client verify the broker's certificate against our Root CA, and the value given to `-h` must match the Common Name in the broker's certificate. If the publish fails with a certificate error, fix the certificate rather than adding `--insecure`: that option disables the hostname check, so a certificate issued for any other name would be accepted.
To use certificates on any board equipped with a NINA Wi-Fi module, we used `arduino-fwuploader` to flash the Root CA certificate into the module with the following commands.

- Convert `rootCA.crt` to `.pem` format. `rootCA.crt` as produced by OpenSSL above is already PEM-encoded, so this command only rewrites it with the extension arduino-fwuploader expects:

```
openssl x509 -in rootCA.crt -out rootCA.pem
```

- Flash the certificates. Replace the arduino-fwuploader path and the rootCA path with your own:

```
/Users/benedettosimone/Downloads/arduino-fwuploader_2.2.2_macOS_64bit/arduino-fwuploader certificates flash --url arduino.cc:443,google.com:443 -f /Users/benedettosimone/Desktop/cryptoMat/rootCA.pem -b arduino:megaavr:uno2018 -a /dev/cu.usbmodem14102
```

Only `rootCA.pem` is needed for the broker connection; the `--url` entries additionally download and flash the certificates presented by those two sites, which the board needs only if it also talks to them. This is the Arduino-side equivalent of `--cafile`: the NINA module trusts only the certificates in its flashed store, so the Arduino client verifies the broker against our Root CA just as mosquitto_pub does.