
CA certificate to connect to MQTT server over TLS - iot.eclipse.org

I want to connect to ssl://iot.eclipse.org:8883 using client certificate authentication.

How can I obtain the CA certificate?

Do I need to generate my own client certificate with the provided CA certificate, or is a client certificate also bundled along with the CA certificate?

Using openssl to check, it appears that the certificate for iot.eclipse.org is from the Let's Encrypt project.

$ openssl s_client -showcerts -connect iot.eclipse.org:8883
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=iot.eclipse.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----

So you should be able to check this certificate is valid with the standard CA set in most modern OSes/applications.

You will not be able to get hold of the CA cert/private key to generate your own client certs for obvious reasons, and they do not issue client certificates (and that is assuming that the eclipse.org broker is set up to authenticate clients with the same CA; it doesn't have to).

Also it doesn't make sense to authenticate against this broker, as you have no way to set an ACL to control which users can subscribe/publish to specific topics, since it's a public demonstration broker. If you want to secure access then you will have to run your own public broker.

EDIT: You don't want to do client certificate authentication, you just want to verify the server cert; this is very different.

To do this with mosquitto_pub or mosquitto_sub you have to specify a CA cert or a path to a directory of multiple certificates in order to enable SSL/TLS for the connection. You would specify an individual CA cert if you were using a private CA, but since the iot.eclipse.org broker is using a well-known public CA you need to specify the path to the system collection of CA certs.

On Linux that is /etc/ssl/certs, so you would publish as follows:

mosquitto_pub -h iot.eclipse.org -p 8883 --capath /etc/ssl/certs/ -t testing/ben -m foo
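The verify error shown in the openssl output above (num=20) is the client saying it has no CA store to chain the server certificate to, which is exactly what --capath fixes; it is not a statement about the server. The following is an added example, not code from the answer's author: it parses openssl s_client -showcerts output and reports whether a failed verification points at the client's trust store or at the server's certificate. The code-to-meaning table is OpenSSL's standard X509 verify result codes; the two sample outputs are constructed, modelled on the output quoted above.

```python
"""Added example: read `openssl s_client -showcerts` output and decide
whether a failed verification is the client's trust store (fixable with
-CApath / --capath) or the server's certificate. Standard library only."""
import re
from typing import Dict, List, Optional

# Subset of OpenSSL X509 verify result codes and what each means to the client.
VERIFY_CODES: Dict[int, str] = {
    0: "ok",
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (private CA not in the trust store)",
    20: "unable to get local issuer certificate (no usable CA store on the client)",
    21: "unable to verify the first certificate (issuer not found locally)",
}
# Codes that normally point at the client's trust store rather than the server.
CLIENT_SIDE_CODES = {19, 20, 21}

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$")          # " 0 s:/CN=iot.eclipse.org"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")               # "   i:/C=US/O=Let's Encrypt/..."
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
RESULT_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")


def parse_s_client(output: str) -> dict:
    """Extract the presented chain, interim verify errors and the final result."""
    chain: List[dict] = []
    errors: List[dict] = []
    result: Optional[int] = None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain.append({"depth": int(m.group(1)),
                          "subject": m.group(2).strip(), "issuer": None})
            continue
        m = ISSUER_RE.match(line)
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append({"code": int(m.group(1)), "text": m.group(2).strip()})
            continue
        m = RESULT_RE.match(line)
        if m:
            result = int(m.group(1))
    return {"chain": chain, "errors": errors, "result": result}


def diagnose(parsed: dict) -> dict:
    """Turn the parsed output into a verdict a practitioner can act on."""
    code = parsed["result"]
    if code is None and parsed["errors"]:
        code = parsed["errors"][0]["code"]   # output was cut before the summary line
    if code is None:
        return {"verified": False, "code": None,
                "meaning": "no verification result in output", "likely_cause": "unknown"}
    if code == 0:
        return {"verified": True, "code": 0, "meaning": "ok", "likely_cause": "none"}
    return {
        "verified": False,
        "code": code,
        "meaning": VERIFY_CODES.get(code, f"verify code {code} (see openssl-verify(1))"),
        "likely_cause": "client trust store" if code in CLIENT_SIDE_CODES
                        else "server certificate",
    }


# Constructed sample, modelled on the output quoted in the answer above
# (run without -CApath, so the client has no issuer to chain to).
SAMPLE_NO_CAPATH = """\
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=iot.eclipse.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...(certificate body elided in this constructed sample)...
-----END CERTIFICATE-----
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample of the same connection made with -CApath /etc/ssl/certs.
SAMPLE_WITH_CAPATH = """\
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = iot.eclipse.org
verify return:1
---
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, sample in (("no capath", SAMPLE_NO_CAPATH), ("with capath", SAMPLE_WITH_CAPATH)):
        print(name, diagnose(parse_s_client(sample)))
```

Pipe a real run through it with `openssl s_client -showcerts -CApath /etc/ssl/certs -connect iot.eclipse.org:8883 </dev/null | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; a result of 0 means the system store was enough, which is the case the answer relies on.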

If a certificate is like a passport which proves your identity, then a CA is just like a passport office (1). You could consider Verisign, Entrust etc. as passport offices. A CA certificate is analogous to the passport office providing a way to check if a passport is valid or not.

To prove their identity, any two parties (read: server and client) could use certificates. To verify the authenticity of a party (read: server), you need the CA certificate. A Linux system (Ubuntu) holds commonly used CA certificates at /etc/ssl/certs.

A client certificate is needed only if you need to authenticate yourself to the server. Here the server is iot.eclipse.org, which doesn't ask for client authentication, and so you don't need a client certificate.

So, to communicate securely with the server (read: TLS), you can use the CA store present in your system (Ubuntu) as below.

mosquitto_pub -h iot.eclipse.org -p 8883 -t my_topic -m my_message --capath /etc/ssl/certs/
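Both answers make the same distinction: the CA store verifies the server, and a client certificate (which this broker does not ask for) would only be needed to authenticate the client. As an added example, not code from either answer's author, here is that distinction written out with Python's standard ssl module, so each knob of the mosquitto_pub command maps to one call. Host, port and /etc/ssl/certs are taken from the answers; the TlsSettings class and function names are this example's own.

```python
"""Added example: the TLS settings behind `mosquitto_pub --capath /etc/ssl/certs/`,
expressed with Python's standard `ssl` module, so the two distinct jobs are
visible: verifying the server (a CA store) versus authenticating the client
(a certificate and key, which iot.eclipse.org does not ask for)."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsSettings:
    capath: Optional[str] = None        # directory of CA certs, as --capath
    cafile: Optional[str] = None        # one CA file, as --cafile (private CA)
    client_cert: Optional[str] = None   # only for client-certificate authentication
    client_key: Optional[str] = None    # private key for client_cert

    def requires_client_auth(self) -> bool:
        return self.client_cert is not None

    def build(self) -> ssl.SSLContext:
        # Purpose.SERVER_AUTH: we are the client, verifying the server's chain
        # and hostname. Both checks are on by default in this context.
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
        if self.cafile or self.capath:
            ctx.load_verify_locations(cafile=self.cafile, capath=self.capath)
        # With neither set, create_default_context already loaded the OS store,
        # which is what --capath /etc/ssl/certs/ points at on most Linux systems.
        if self.requires_client_auth():
            # This is the only step that has anything to do with client certs.
            ctx.load_cert_chain(certfile=self.client_cert, keyfile=self.client_key)
        return ctx


def describe(settings: TlsSettings) -> dict:
    """Plain-data summary of what the built context will enforce."""
    ctx = settings.build()
    return {
        "verify_mode": ctx.verify_mode.name,          # CERT_REQUIRED for server auth
        "check_hostname": ctx.check_hostname,         # SNI name must match the cert
        "client_auth": settings.requires_client_auth(),
        "trust_source": settings.cafile or settings.capath or "system default store",
    }


def peer_certificate(host: str, port: int, settings: TlsSettings,
                     timeout: float = 10.0) -> dict:
    """Open a verified TLS connection and return the server cert's subject/issuer.
    Raises ssl.SSLCertVerificationError (with .verify_code, e.g. 20) when the
    chain cannot be built from the configured trust source. Needs network access."""
    ctx = settings.build()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # getpeercert() returns RDNs as nested tuples of (key, value) pairs.
            flat = lambda rdns: {k: v for rdn in rdns for k, v in rdn}
            return {"subject": flat(cert["subject"]), "issuer": flat(cert["issuer"]),
                    "not_after": cert["notAfter"]}


if __name__ == "__main__":
    settings = TlsSettings(capath="/etc/ssl/certs")   # same trust source as the command above
    print(describe(settings))
    try:
        print(peer_certificate("iot.eclipse.org", 8883, settings))
    except ssl.SSLCertVerificationError as e:
        print("verification failed, code", e.verify_code, e.verify_message)
```

Note that nothing in the server-verification path touches a client certificate: only load_cert_chain does, and it is skipped unless client_cert is set, mirroring the point that you cannot and need not present one to this broker.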
