Enhance Security: Enable 2-Way SSL/TLS for EMQX

Enhance EMQX security with two-way SSL/TLS. Our comprehensive guide provides step-by-step instructions for enabling robust encryption and authentication.

Generate the private key for the self-signed CA:

 openssl genrsa -out ca.key 2048

Create the root certificate for EMQX using the CA key:

 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

Generate a private key for the EMQX server certificate:

 openssl genrsa -out emqx.key 2048

Create an openssl.cnf file for the server certificate.
Example content of openssl.cnf:

 [req]
 default_bits = 2048
 distinguished_name = req_distinguished_name
 req_extensions = req_ext
 x509_extensions = v3_req
 prompt = no
 [req_distinguished_name]
 countryName = IN
 stateOrProvinceName = GUJARAT
 localityName = SURAT
 organizationName = IOT
 commonName = mqtts.weanswer.xyz
 [req_ext]
 subjectAltName = @alt_names
 [v3_req]
 subjectAltName = @alt_names
 [alt_names]
 IP.1 = 206.189.140.151
 DNS.1 = mqtts.weanswer.xyz

Generate a certificate signing request (CSR) for the server:

 openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr

Use the CA certificate to sign the server certificate:

 openssl x509 -req -in ./emqx.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf

Generate a private key for the client certificate:

 openssl genrsa -out client.key 2048

Create a client certificate signing request (CSR):

 openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=EMQX/CN=client"

Sign the client certificate using the CA certificate:

 openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem

By following these steps, you will generate a self-signed CA certificate, create the root certificate for EMQX, issue a server certificate, and generate a client certificate for secure communication within your EMQX environment.
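
Before pointing EMQX at these files, it is worth checking them. The script below is an added example, not part of the original guide or of EMQX: it confirms that emqx.pem and client.pem chain to ca.pem, that each key matches its certificate, and that the signed server certificate actually carries the SAN from openssl.cnf. The function names check_pki and build_demo_pki and the throwaway demo PKI are assumptions constructed for illustration.

```sh
#!/bin/sh
# check_pki DIR HOST: prints OK and returns 0 only if every check passes.
check_pki() {
  dir=$1; host=$2
  # 1. Server and client certificates must both chain to ca.pem.
  openssl verify -CAfile "$dir/ca.pem" "$dir/emqx.pem" "$dir/client.pem" \
    >/dev/null 2>&1 || { echo "FAIL: chain"; return 1; }
  # 2. Each private key must belong to its certificate (same public key).
  for name in emqx client; do
    from_key=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$dir/$name.pem" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ] \
      || { echo "FAIL: $name key/cert mismatch"; return 1; }
  done
  # 3. The signed server certificate must list HOST in subjectAltName.
  openssl x509 -in "$dir/emqx.pem" -noout -text 2>/dev/null \
    | grep -qF "DNS:$host" || { echo "FAIL: no SAN for $host"; return 1; }
  echo "OK"
}

# build_demo_pki DIR WITH_SAN: constructed throwaway PKI (1-day validity)
# built with the page's commands. WITH_SAN=no signs the server CSR without
# -extensions/-extfile, which leaves the SAN out of emqx.pem.
build_demo_pki() {
  ( mkdir -p "$1" && cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      '[dn]' 'commonName = mqtts.weanswer.xyz' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
      '[v3_req]' 'subjectAltName = DNS:mqtts.weanswer.xyz' > openssl.cnf
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 1 \
      -config openssl.cnf -extensions v3_ca -subj "/CN=Demo CA" -out ca.pem
    openssl genrsa -out emqx.key 2048
    openssl req -new -key emqx.key -config openssl.cnf -out emqx.csr
    ext=""; [ "$2" = yes ] && ext="-extensions v3_req -extfile openssl.cnf"
    openssl x509 -req -in emqx.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out emqx.pem -days 1 -sha256 $ext
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -config openssl.cnf -subj "/CN=client" \
      -out client.csr
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out client.pem -days 1
  ) >/dev/null 2>&1
}

# Demo on the constructed PKI: prints OK, then the missing-SAN failure.
tmp=$(mktemp -d)
build_demo_pki "$tmp/good" yes; check_pki "$tmp/good" mqtts.weanswer.xyz
build_demo_pki "$tmp/bad" no; check_pki "$tmp/bad" mqtts.weanswer.xyz || true
rm -rf "$tmp"
```

To check your own files, run check_pki with the directory that holds them and the broker hostname, for example: check_pki . mqtts.weanswer.xyz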