使用openssl生成证书，emqx tls 双向认证_openssl genrsa -des3 -passout pass:[password]-out -CSDN博客

本文链接：https://blog.csdn.net/yhtppp/article/details/112546069

本文介绍了本地PKI环境搭建，包括生成CA自签名证书、签发客户端和服务端证书，还介绍了使用openssl进行验证的方法，包括单向和双向认证测试。最后说明了将证书配置到EMQX的步骤，以及单向和双向验证的测试命令。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

0、本地PKI环境

TODO openssl.cnf

1、生成 CA 自签名证书
openssl genrsa -out certs/root-ca.key 2048 生成私钥
openssl req -new -x509 -days 365 -config ./openssl.cnf -key certs/root-ca.key -out certs/root-cacert.pem -subj "/C=CN/ST=NANJING/O=EMQ/CN=RootCA" 生成证书，pem文件，包含公钥和一些其他信息
openssl rsa -in certs/root-ca.key -text 查看私钥信息
openssl rsa -pubin -in rsa_public.key -text 查看公钥信息
openssl x509 -in certs/root-cacert.pem -noout -text 查看证书内容

2、签发客户端证书
openssl genrsa -out certs/client.key 2048
openssl req -new -days 365 -key certs/client.key -out certs/client-cert.csr -subj "/C=CN/ST=NANJING/O=EMQ/CN=Client"
openssl ca -config ./openssl.cnf -extensions v3_req -days 365 -in certs/client-cert.csr -out certs/client-cert.pem -cert certs/root-cacert.pem -keyfile certs/root-ca.key

3、签发服务端证书
openssl genrsa -out certs/server.key 2048
openssl req -new -days 365 -key certs/server.key -out certs/server-cert.csr -subj "/C=CN/ST=NANJING/O=EMQ/CN=Server"
openssl ca -config ./openssl.cnf -extensions v3_req -days 365 -in certs/server-cert.csr -out certs/server-cert.pem -cert certs/root-cacert.pem -keyfile certs/root-ca.key

4、验证

==》使用openssl verify验证

openssl verify -CAfile certs/root-cacert.pem certs/server-cert.pem 使用根证书验证签发的server证书

==》使用openssl s_server, s_client验证

单向认证测试
$ openssl s_server -accept 2009 -key certs/server.key -cert certs/server-cert.pem 开启认证server
$ openssl s_client -connect localhost:2009 -CAfile certs/root-cacert.pem -showcerts
Verify return code: 0 (ok)

双向认证测试
$ openssl s_server -accept 2009 -key certs/server.key -cert certs/server-cert.pem -CAfile certs/root-cacert.pem -Verify 1
$ openssl s_client -connect localhost:2009 -key certs/client.key -cert certs/client-cert.pem -CAfile certs/root-cacert.pem -showcerts
Verify return code: 0 (ok)

5、配置EMQX

cp certs/* /usr/local/src/emqx-centos7-v4.1.4/emqx/etc/certs/

配置 etc/emqx.conf文件，（参考下面的文件）

单向验证

echo -en "\x10\x0d\x00\x04MQTT\x04\x00\x00\x00\x00\x01a" | openssl s_client -connect localhost:8883 -CAfile certs/root-cacert.pem -showcerts

双向验证
echo -en "\x10\x0d\x00\x04MQTT\x04\x00\x00\x00\x00\x01a" | openssl s_client -connect localhost:8883 -CAfile certs/root-cacert.pem -cert certs/client-cert.pem -key certs/client.key -showcerts

参考：

https://www.openssl.org/

https://www.emqx.io/cn/blog/enable-two-way-ssl-for-emqx

https://www.jianshu.com/p/3659fa4bd226
https://blog.csdn.net/wzfgd/article/details/109805158
https://www.cnblogs.com/bluestorm/p/10571989.html