Mosquitto_CA_and_Certs
A simple bash script that automatically generates an EC, ED25519 or RSA Self Signed CA, a Mosquitto Server Cert and Key and any number of Client Certs and Keys as needed
Trying to find information on how to use Elliptic Curve (EC) keys and certificates to secure MQTT TLS/SSL sessions to a mosquitto server is tricky. The web is full of overly complicated and recently deprecated openssl instructions for other platforms, almost always only covering how to create RSA keys, RSA certificates and self-signed RSA CA authorities. At the time of writing, I couldn't find anything on how to create an Elliptic Curve (EC) self-signed TLS solution that worked for micropython running on the Raspberry Pi Pico W. So I did the logical thing and asked in the micropython forum here, where @Carglglz and @peterhinch patiently explained to me where I had gone wrong with my micropython TLS code - but I still had to work out how to create the right kind of CA which played nicely with micropython, mosquitto and my Raspberry Pi based server.
It transpires that the Pico W micropython uses mbedtls for its backend TLS (SSL), and that mbedtls doesn’t currently support ED25519 keys. However, it does support ECDSA-secp384r1 or ECDSA-secp256r1. Using ECDSA is far more efficient than RSA: EC keys are smaller than RSA keys, so there is far less data that needs transmitting.
I spent quite a while researching to find a straightforward way of creating a slimline, self-signed ECDSA-secp384r1 CA for the mosquitto server, along with the server and client keys and certs. Interestingly, it turns out that all the fields other than the CN (Common Name) in a certificate are optional. As we are busy trying to reduce the data transmission overheads for a self-signed certificate, that means that all the other fields count as dead weight. All you actually need for a working cert is the CN. Literally nothing else. Plus, Subject Alternative Names (SAN) allow the server cert to authenticate requests to either the server IP, name or FQDN – which also makes life much easier.
I decided to separate the key generation from the certificate generation and signing, as breaking everything up into clear, logical units made understanding and organising it much simpler. I also discovered that while creating certs, keys & CAs a single typo can cause you untold grief, so I created a bash script to do everything for me.
I needed to be able to accurately create a Self Signed CA with a Cert in both PEM and DER formats, a Mosquitto Server Key & Cert in PEM format and a handful of Client Keys & Certs, some in PEM and some in DER format. Doing this by hand is an absolute nightmare and takes ages, but doing it by bash script takes a couple of seconds & has zero chance of typos.
The ca_maker script is very careful not to delete or overwrite anything. If it finds existing certs, it renames that folder, creates its own dir structure, then populates that instead - likewise for the client_maker script.
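The workflow described above, as an added example that is not the repository's ca_maker or client_maker script: keys are generated first, then a CN-only self-signed secp384r1 CA, a server cert with SANs and a client cert are created, with DER copies, and an existing output directory is refused rather than renamed. The function name, file names, CA name, validity periods and the minimal config files are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example; every name, CN and SAN value is a constructed placeholder.
# Usage: make_pki OUTDIR SERVER_CN SAN_LIST CLIENT_CN
make_pki() {
    local out="$1" server_cn="$2" san="$3" client_cn="$4"
    # Never overwrite an existing PKI directory.
    if [ -e "$out" ]; then echo "refusing to overwrite $out" >&2; return 1; fi
    mkdir -p "$out" || return 1
    (
        cd "$out" || exit 1
        umask 077   # private keys readable by the owner only
        # Minimal configs so the result does not depend on the system openssl.cnf.
        printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
            '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' > req.cnf
        printf '%s\n' "subjectAltName=$san" 'extendedKeyUsage=serverAuth' > server.ext

        # Step 1: keys only, one secp384r1 (P-384) key per role.
        for name in ca server client; do
            openssl ecparam -name secp384r1 -genkey -noout -out "$name.key" || exit 1
        done

        # Step 2: self-signed CA certificate whose subject is just the CN.
        openssl req -new -x509 -config req.cnf -key ca.key -sha384 -days 3650 \
            -subj '/CN=Example Mosquitto CA' -out ca.crt || exit 1

        # Step 3: CN-only CSRs, signed by the CA; only the server gets SANs.
        openssl req -new -config req.cnf -key server.key \
            -subj "/CN=$server_cn" -out server.csr || exit 1
        openssl req -new -config req.cnf -key client.key \
            -subj "/CN=$client_cn" -out client.csr || exit 1
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -sha384 -days 365 -extfile server.ext -out server.crt || exit 1
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -sha384 -days 365 -out client.crt || exit 1

        # Step 4: DER copies of the CA cert and the client credentials.
        openssl x509 -in ca.crt -outform DER -out ca.der || exit 1
        openssl x509 -in client.crt -outform DER -out client.crt.der || exit 1
        openssl ec -in client.key -outform DER -out client.key.der || exit 1

        # Check that both leaf certificates chain to the new CA.
        openssl verify -CAfile ca.crt server.crt client.crt
    )
}

if [ "$#" -gt 0 ]; then make_pki "$@"; fi
```

SAN_LIST uses openssl's own syntax, for example `DNS:broker.example.test,IP:192.0.2.10`; the `ca.key` file should stay off the broker, which only needs `ca.crt`, `server.crt` and `server.key`.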