0
votes

I spent hours setting up the TLS connection for my Mosquitto broker on my Raspberry Pi. Now I can publish and subscribe to topics in a client (on the Raspberry Pi) using the client certificate, client private key and CA certificate. It works correctly.

Now I want to create the client on the ESP32 (IDF platform). I started from the example called ssl_mutual_auth. Unfortunately, the example uses the client certificate, the client private key and a server certificate, not the CA certificate. So... I'm confused and I don't know how to handle the ca.crt file in the ESP32 client (or Mosquitto client). Do I need to change my certificates or my Mosquitto configuration? I used this guide to configure my Mosquitto broker: https://medium.com/himinds/mqtt-broker-with-secure-tls-communication-on-ubuntu-18-04-lts-and-an-esp32-mqtt-client-5c25fd7afe67

Here are the mosquitto.conf details where I set the paths of the certificates:

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

allow_anonymous false
password_file /etc/mosquitto/passwords
include_dir /etc/mosquitto/conf.d

cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true
use_identity_as_username true

Here is what I did:

1-Create the CA (for self-signed certificates)

2-Create a server key and server CSR, and then server.crt (signed with ca.crt)

3-Create a client key and client CSR, and then client.crt (signed with ca.crt)

On the Raspberry Pi client, I use this to publish:

mosquitto_pub -t "test" -m "hello" -d --cert client.crt --key client.key --cafile ca.crt --insecure

And I use this to subscribe:

mosquitto_sub --cafile ca.crt -t "#" -d --cert client.crt --key client.key
1
It's difficult to comment on whether you need to change your configuration since you didn't share it. Please include your Mosquitto configuration file in your question. - romkey
@romkey Thanks, I added more details in the question - Lorenzo
It's really not clear what you are asking here. The example in the link you supplied uses the CA cert to validate the broker, not the server cert. This is the right way this should work. - hardillb
@hardillb Yes, this is why I'm confused. In the ESP32 example (where I want to implement the client) it is possible to specify: client key, client crt and server pem. I suppose what they call server.pem is the CA cert... but how can I convert the CA .crt into a .pem file then? - Lorenzo
The file extension is arbitrary. You need to go do some research on PEM vs DER certificate encoding, how to identify them and what openssl commands can be used to convert between them. - hardillb

1 Answer

1
votes

The ESP IDF documentation has a bit of a problem with PKI terminology. I'm pretty sure that when they say "server cert" they really mean "any certificate in the chain which validates the server's identity: CA, intermediate, or server cert". They make the same mistake in their HTTPS client docs.

Anyway, just feed your CA cert into the ESP sample project and try it out. Make sure it's in PEM format - check this answer for the details. Convert with openssl if needed.
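The following script is an added example, not code from the question, the answer, or ESP-IDF. It shows with plain openssl the checks behind the advice above and in the comments: how to tell PEM from DER without trusting the file extension, how to convert DER to PEM, how to confirm that client.crt really was issued by ca.crt, and the issuer-equals-CA-subject relationship that makes the CA cert (not server.crt) the right thing to give a TLS client. It assumes only that `openssl` (1.1.1 or later) is on PATH; the CA, client and "other-ca" names and all keys it generates are constructed throwaway material so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): PEM/DER detection, DER->PEM
# conversion and chain checks for a Mosquitto-style CA/server/client setup.
set -eu

# cert_format FILE -> prints PEM, DER or UNKNOWN.
# PEM is base64 between "-----BEGIN CERTIFICATE-----" armour lines (other text
# may precede it, e.g. "Bag Attributes" from a PKCS#12 export). DER is a raw
# ASN.1 SEQUENCE, so its first byte is 0x30. The extension tells you nothing.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ] \
         && openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# to_pem IN OUT -> writes IN as PEM to OUT whatever IN's encoding was.
to_pem() {
    case "$(cert_format "$1")" in
        PEM) openssl x509 -inform PEM -in "$1" -out "$2" ;;  # re-armours cleanly
        DER) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   echo "not a certificate I can read: $1" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint is over the DER bytes, so it is stable across re-encoding.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'; }
subject_of()  { openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//'; }
issuer_of()   { openssl x509 -in "$1" -noout -issuer  | sed 's/^[^=]*=//'; }

# verify_chain CA CERT -> 0 iff CERT chains to CA. -no-CAfile/-no-CApath keep
# the system trust store out of the decision, which is what an MQTT client
# given only ca.crt effectively does.
verify_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed throwaway CA + client cert (plus an unrelated
# second CA for the negative case), following steps 1-3 of the question.
make_demo_pki() {
    local d="$1" ca
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for ca in ca other-ca; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.csr" 2>/dev/null
        openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 1 \
            -extfile "$d/ca.ext" -out "$d/$ca.crt" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
    # A DER copy of the CA: the "how do I get a .pem" case from the comments.
    openssl x509 -in "$d/ca.crt" -outform DER -out "$d/ca.der"
}

demo() {
    local d f; d=$(mktemp -d); trap "rm -rf '$d'" EXIT
    make_demo_pki "$d"
    for f in ca.crt ca.der client.crt; do echo "$f: $(cert_format "$d/$f")"; done
    to_pem "$d/ca.der" "$d/ca-from-der.pem"
    [ "$(fingerprint "$d/ca.der")" = "$(fingerprint "$d/ca-from-der.pem")" ] \
        && echo "same certificate before and after conversion"
    echo "client.crt issuer: $(issuer_of "$d/client.crt")"
    echo "ca.crt subject:    $(subject_of "$d/ca.crt")"
    verify_chain "$d/ca-from-der.pem" "$d/client.crt" && echo "client.crt against ca: OK"
    verify_chain "$d/other-ca.crt" "$d/client.crt" || echo "client.crt against other-ca: rejected"
}

if [ "${RUN_DEMO:-1}" = 1 ]; then demo; fi
```

The PEM text that `to_pem` produces is what goes into the ESP-IDF example in the slot it labels as the server certificate (the `cert_pem` member of `esp_mqtt_client_config_t` in the IDF 4.x releases); the client cert and key go in unchanged. Two caveats worth checking while you are at it: the broker's server.crt must chain to the same ca.crt (`verify_chain ca.crt server.crt`), and the ESP client, like mosquitto_pub without `--insecure`, verifies the broker's hostname against that certificate, so server.crt has to name the host the ESP32 actually connects to.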