I. Installing Mosquitto
II. Installing OpenSSL
III. Generating the required certificates with OpenSSL
1. Generate the CA key and certificate
Command:
openssl req -new -x509 -days 36500 -extensions v3_ca -keyout ca.key -out ca.crt
This command produces a key file named "ca.key" and a certificate file named "ca.crt" for the CA; the crt is the certificate the CA signs for itself.
The "-x509" option means the command produces a self-signed certificate, which is normally only done for testing.
Values to enter:
Country Name (2 letter code) [AU]:CN ← country
State or Province Name (full name) [Some-State]:BeiJing ← province
Locality Name (eg, city) []:BeiJing ← city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
Organizational Unit Name (eg, section) []: ← can be left empty
Common Name (eg, YOUR name) []: ← leave empty at this point
Email Address []:admin@mycompany.com ← e-mail address, any value will do
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← can be left empty
An optional company name []: ← can be left empty
2. Create the server certificate key server.key
The key itself is generated the same way as the client key in step 5 (openssl genrsa -des3 -out server.key 2048). Then remove the passphrase from the key file, so that the broker can load it without prompting:
openssl rsa -in server.key -out server.key
3. Create the server certificate signing request server.csr
Command:
openssl req -new -key server.key -out server.csr
Values to enter:
Country Name (2 letter code) [AU]:CN ← country name; for China enter CN
State or Province Name (full name) [Some-State]:BeiJing ← province name, in pinyin
Locality Name (eg, city) []:BeiJing ← city name, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
Organizational Unit Name (eg, section) []: ← can be left empty
Common Name (eg, YOUR name) []:10.8.4.205 ← server IP address
Email Address []:admin@mycompany.com ← e-mail address, any value will do
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← can be left empty
An optional company name []: ← can be left empty
4. Create the server certificate server.crt, valid for two years from the current date:
Command:
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt
Output:
Signature ok
subject=C = CN, ST = GUANGDONG, L = zhuhai, O = test1, OU = bb, CN = localhost, emailAddress = test2
Getting Private key
Enter pass phrase for server.key: --> enter the password set earlier
(The subject line in this captured output comes from a different run; with the CSR from step 3 it would show the values entered there, including CN = 10.8.4.205.)
5. Create the client certificate key file client.key:
Command:
openssl genrsa -des3 -out client.key 2048
Prompts:
[lenin@archer ~]$ openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
........................................................+++
....................................................................+++
e is 65537 (0x10001)
Enter pass phrase for client.key: ← enter a new password
Verifying - Enter pass phrase for client.key: ← enter the password again
6. Create the client certificate signing request client.csr:
Command:
openssl req -new -key client.key -out client.csr
Values to enter:
[lenin@archer ~]$ openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key: ← enter the password created in the previous step
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN ← country name; for China enter CN
State or Province Name (full name) [Some-State]:BeiJing ← province name, in pinyin
Locality Name (eg, city) []:BeiJing ← city name, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
Organizational Unit Name (eg, section) []: ← can be left empty
Common Name (eg, YOUR name) []:Lenin ← your own name in English, any value will do
Email Address []:admin@mycompany.com ← e-mail address, any value will do
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← can be left empty
An optional company name []: ← can be left empty
7. Create the client certificate client.crt, valid for two years from the current date:
Command:
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -in client.csr -out client.crt
(The CA key must be the one generated in step 1, ca.key; the output below was captured on a run where the CA files were named root.crt and root.key instead.)
Output:
[lenin@archer ~]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com
Getting CA Private Key
Enter pass phrase for root.key: ← enter the password created above
8. All required certificates have now been generated.
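The same steps 1 to 8 as a non-interactive script, added here as an example and not part of the original post. It differs from the interactive commands above in two ways a practitioner would want: it signs with SHA-256 instead of -sha1, and it puts the broker IP into a subjectAltName via -extfile, because -extensions v3_req does nothing without an -extfile and clients match the address they connect to against the SAN. The working directory, subject names and the IP 10.8.4.205 are assumed values.

```shell
#!/bin/sh
# Added example, not the original post's commands. Generates ca/server/client
# key+cert pairs for Mosquitto TLS in DIR, then verifies the chain the way the
# broker and its clients will. Keys are written without a passphrase (-nodes)
# so the run is unattended; the subjects below are constructed sample values.
set -eu

# gen_mqtt_certs DIR BROKER_IP CLIENT_CN
gen_mqtt_certs() (
  dir=$1; ip=$2; client_cn=$3
  mkdir -p "$dir" && cd "$dir"
  # step 1: self-signed CA (10 years here rather than the post's 36500 days)
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -sha256 \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=MyCompany Test CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
  # steps 2-3: server key (no passphrase, as step 2 strips it) and CSR with the broker IP as CN
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=$ip" \
    -keyout server.key -out server.csr 2>/dev/null
  # extensions the CSR alone cannot carry through 'x509 -req': IP SAN + server EKU
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" > server.ext
  # step 4: CA signs the server CSR, attaching the extensions above
  openssl x509 -req -days 730 -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile server.ext -in server.csr -out server.crt 2>/dev/null
  # steps 5-6: client key and CSR; this CN becomes the MQTT username under use_identity_as_username
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=$client_cn" \
    -keyout client.key -out client.csr 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  # step 7: CA signs the client CSR (ca.srl from step 4 is reused)
  openssl x509 -req -days 730 -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile client.ext -in client.csr -out client.crt 2>/dev/null
)

# check_chain DIR BROKER_IP -> succeeds only if both leaf certs chain to ca.crt
# and the server cert carries the expected IP SAN
check_chain() {
  dir=$1; ip=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null &&
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "IP Address:$ip"
}
```

Point the cafile/certfile/keyfile entries of mosquitto.conf and the --cafile/--cert/--key options of mosquitto_sub and mosquitto_pub at the files in DIR; the client key has no passphrase, so the clients will not prompt for one.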
IV. Start Mosquitto and test
1. Configure the mosquitto.conf file
port 8883
cafile C:/OpenSSL-Win64/bin/ca.crt ----> points to the generated CA file
certfile C:/OpenSSL-Win64/bin/server.crt
keyfile C:/OpenSSL-Win64/bin/server.key
allow_anonymous true
require_certificate true
use_identity_as_username true
With require_certificate true, a client must present a certificate signed by ca.crt before the connection is accepted, and use_identity_as_username makes the certificate's CN the client's username; allow_anonymous true therefore only applies to clients that have already passed the certificate check.
2. Start mosquitto
1. Open a cmd window, change to the mosquitto directory, and run the following command to start mosquitto with the configuration file:
mosquitto -c mosquitto.conf
2. Open a new cmd window and enter the subscribe command:
mosquitto_sub -h 10.8.4.205 -p 8883 -t "x主題x" --cafile C:/OpenSSL-Win64/bin/ca.crt --cert C:/OpenSSL-Win64/bin/client.crt --key C:/OpenSSL-Win64/bin/client.key
3. Open a new cmd window and enter the publish command:
mosquitto_pub -h 10.8.4.205 -p 8883 -t "x主題x" -m "this is w show" --cafile C:/OpenSSL-Win64/bin/ca.crt --cert C:/OpenSSL-Win64/bin/client.crt --key C:/OpenSSL-Win64/bin/client.key
4. The subscriber receives the message sent by the publisher: this is w show
V. Conclusion
The SSL certificates were generated successfully, and the client and server communicate successfully over TLS.