Setting up the PKI infrastructure

How to set up the PKI infrastructure for MQTT in the United Manufacturing Hub



First, you need to install easy-rsa. On Ubuntu, you do this via sudo apt-get install easy-rsa. The commands below use the paths of that package (the easyrsa script lives in /usr/share/easy-rsa).

Initially setting up the infrastructure

Create a new directory and go into it, e.g.

mkdir ~/UMH_PKI/ && cd ~/UMH_PKI/

Enable batch mode of easyrsa with export EASYRSA_BATCH=1

Setup basic PKI infrastructure with /usr/share/easy-rsa/easyrsa init-pki

Copy the default configuration file with cp /usr/share/easy-rsa/vars.example pki/vars and edit it to your liking (e.g. adjust the EASYRSA_REQ_… fields and the CA and certificate validity periods); easyrsa picks up pki/vars from the PKI directory on every call.

Build the CA using export EASYRSA_REQ_CN=YOUR_CA_NAME && /usr/share/easy-rsa/easyrsa build-ca nopass. Replace YOUR_CA_NAME with a name for your certificate authority (CA), e.g., UMH CA. Note that nopass leaves the CA private key (pki/private/ca.key) unencrypted: anyone who can read it can issue certificates your broker trusts, so keep the whole PKI directory off the broker host and readable only by the user who issues certificates, or omit nopass to protect the key with a passphrase.

Create the server certificate with the following commands, replacing YOUR_DOMAIN with the hostname under which clients will reach the broker (the name given to gen-req also determines the file names under pki/):

/usr/share/easy-rsa/easyrsa gen-req YOUR_DOMAIN nopass
/usr/share/easy-rsa/easyrsa sign-req server YOUR_DOMAIN

If the broker is reached by IP address instead of a domain name, the IP has to go into a subjectAltName (TLS clients check an IP against the SAN, not the CN). Use the following commands instead, replacing YOUR_IP with the broker's IP:

/usr/share/easy-rsa/easyrsa --subject-alt-name="IP:YOUR_IP" gen-req YOUR_IP nopass
/usr/share/easy-rsa/easyrsa sign-req server YOUR_IP

Copy the private key from pki/private/ and the certificate from pki/issued/ (both are named after the name given to gen-req) together with the root CA pki/ca.crt to the configuration of the MQTT broker. Do not copy pki/private/ca.key: the broker only needs ca.crt to verify client certificates.

Adding new clients

Create new clients with the following commands (replace TESTING with the planned MQTT client id, which becomes the certificate's CN):

export EASYRSA_REQ_CN=TESTING && /usr/share/easy-rsa/easyrsa gen-req $EASYRSA_REQ_CN nopass && /usr/share/easy-rsa/easyrsa sign-req client $EASYRSA_REQ_CN

Each client then needs its own key from pki/private/, its certificate from pki/issued/ and the CA certificate pki/ca.crt. Issue one key pair per device rather than sharing one, so that a compromised device can be revoked on its own.
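The whole procedure above (CA, server certificate for a domain or an IP, and per-client certificates) wrapped in one POSIX shell script, as an added example that is not part of the UMH documentation or the project's code. It assumes the Ubuntu easy-rsa package (easyrsa under /usr/share/easy-rsa), an OpenSSL with x509 -ext (1.1.1 or newer) and the PKI in ~/UMH_PKI (override with PKI_DIR). Beyond the steps on the page it picks the right SAN type (DNS: or IP:) from the argument, pins EASYRSA_REQ_CN explicitly on every request so a CN exported earlier in the shell cannot leak into a later certificate, checks each issued certificate against the CA and its key with openssl, and adds revocation plus CRL generation via easyrsa revoke and gen-crl. The sub-command names, helper names and example hostnames are this script's own, not easy-rsa or UMH conventions.

```shell
#!/bin/sh
# Added example (not from the UMH docs): the easy-rsa steps from the page as a
# script with argument validation and an openssl check of what was issued.
# Assumptions: Ubuntu easy-rsa package, OpenSSL >= 1.1.1, PKI in $PKI_DIR.
set -eu

EASYRSA=${EASYRSA:-/usr/share/easy-rsa/easyrsa}
PKI_DIR=${PKI_DIR:-${HOME:-.}/UMH_PKI}
export EASYRSA_BATCH=1        # never prompt; every field comes from vars/env

# True if $1 is a dotted-quad IPv4 address (four numbers, each 0-255).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# subjectAltName value handed to easy-rsa: an address must be an IP: entry and
# a hostname a DNS: entry, otherwise TLS clients reject the broker certificate.
san_entry() {
    if is_ipv4 "$1"; then
        printf 'IP:%s\n' "$1"
    else
        case "$1" in
            *:*) printf 'IP:%s\n' "$1" ;;    # bare IPv6 literal
            *)   printf 'DNS:%s\n' "$1" ;;
        esac
    fi
}

# One-off CA creation (init-pki, vars, build-ca as on the page).
init_ca() {
    mkdir -p "$PKI_DIR" && cd "$PKI_DIR"
    "$EASYRSA" init-pki
    cp /usr/share/easy-rsa/vars.example pki/vars
    # 'nopass' as in the docs: ca.key is then unencrypted, so keep this
    # directory off the broker host and readable only by the issuing user.
    EASYRSA_REQ_CN="$1" "$EASYRSA" build-ca nopass
    chmod 600 pki/private/ca.key
}

# Fail if the certificate does not chain to our CA or does not belong to the
# key next to it (catches copying the wrong file), then print what was issued.
verify_cert() {
    cd "$PKI_DIR"
    openssl verify -CAfile pki/ca.crt "pki/issued/$1.crt"
    _crt_pub=$(openssl x509 -in "pki/issued/$1.crt" -noout -pubkey)
    _key_pub=$(openssl pkey -in "pki/private/$1.key" -pubout)
    [ "$_crt_pub" = "$_key_pub" ] || { echo "$1: key and certificate do not match" >&2; return 1; }
    openssl x509 -in "pki/issued/$1.crt" -noout -subject -dates \
        -ext subjectAltName,extendedKeyUsage
}

# Broker certificate for the hostname or IP that clients will connect to.
issue_server() {
    cd "$PKI_DIR"
    EASYRSA_REQ_CN="$1" "$EASYRSA" --subject-alt-name="$(san_entry "$1")" gen-req "$1" nopass
    "$EASYRSA" sign-req server "$1"
    verify_cert "$1"
    echo "copy pki/private/$1.key, pki/issued/$1.crt and pki/ca.crt to the broker (never ca.key)"
}

# One certificate per MQTT client; the CN is the client id it will use.
add_client() {
    cd "$PKI_DIR"
    EASYRSA_REQ_CN="$1" "$EASYRSA" gen-req "$1" nopass
    "$EASYRSA" sign-req client "$1"
    verify_cert "$1"
}

# Not on the page: revoke a lost or retired certificate and regenerate the
# CRL (pki/crl.pem) that the broker should be configured to check.
revoke_cert() {
    cd "$PKI_DIR"
    "$EASYRSA" revoke "$1"
    "$EASYRSA" gen-crl
}

main() {
    case "${1:-}" in
        init-ca) init_ca "${2:?CA name}" ;;
        server)  issue_server "${2:?hostname or IP}" ;;
        client)  add_client "${2:?MQTT client id}" ;;
        revoke)  revoke_cert "${2:?name}" ;;
        *) echo "usage: $0 init-ca NAME | server HOST_OR_IP | client CLIENT_ID | revoke NAME" >&2
           return 1 ;;
    esac
}

# Only act when given a sub-command, so the file can also be sourced for its helpers.
[ "$#" -eq 0 ] || main "$@"
```

Typical use, with illustrative names: sh umh-pki.sh init-ca "UMH CA", then sh umh-pki.sh server broker.example.com (or sh umh-pki.sh server 10.0.0.5, which yields an IP: SAN), then sh umh-pki.sh client TESTING once per device. verify_cert is the step worth keeping even if you issue by hand: a certificate that does not verify against pki/ca.crt, or whose public key differs from the key you are about to ship, is the usual reason an MQTT TLS connection fails with an opaque handshake error.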
Last modified October 5, 2022: Historian article (#107) (5f30dc0)