<pre>openssl req -new -engine ateccx08 -keyform engine -key ATECCx08:00:04:C0:00 -subj "/CN=wirenboard-AP6V5MDG" -out device_AP6V5MDG.csr</pre>
In this command we tell openssl to sign the request with the private key stored in the ateccx08 crypto chip under the key ID '''ATECCx08:00:04:C0:00''' (the -engine and -keyform engine options route the key operation to the chip; the key itself never leaves it) and to use '''wirenboard-AP6V5MDG''' as the certificate's Common Name (CN). The request is written to the file device_AP6V5MDG.csr.
You can choose any unique name; it is convenient to use the controller's device ID, which is written to /etc/hostname by default:
<pre>
...
</pre>
Next, we sign this request with our certification authority (CA):
<pre>openssl x509 -req -in device_AP6V5MDG.csr -CA ca.crt -CAkey ca.key -out device_AP6V5MDG.crt -days 365 -CAcreateserial</pre>
In this command we pass the request file and the CA certificate and private key needed for signing. The result is the device certificate device_AP6V5MDG.crt. Note that '''openssl x509 -req''' issues a certificate without X.509v3 extensions unless you pass -extfile; that is enough for the nginx and mosquitto checks below, but keep it in mind if a service later insists on keyUsage or extendedKeyUsage. The CA key '''ca.key''' must stay on the CA machine and never be copied to the controller.
Copy the file '''device_AP6V5MDG.crt''' to the Wiren Board controller; it will be needed for client authentication.
Let's look at what the CA and device certificate files contain:
<pre>
...
</pre>
We see that the certificate was issued by a Certification Authority named "MY CA" for 1 year starting "Feb 4 14:50:14 2019 GMT" (that is what -days 365 in the signing command set) to a device named '''wirenboard-AP6V5MDG''', whose private key corresponds to the Subject Public Key Info.
The certificate carries a digital signature.
The signature ensures that no part of the certificate can be altered unnoticed: if anything in it is changed, verification with the '''CA''' public key will fail.
<pre>
...
</pre>
We see that the CA certificate is signed with its own private key (Issuer: CN = MY CA, Subject: CN = MY CA), i.e. it is self-signed, and is issued for 10 years starting "Feb 4 14:30:01 2019 GMT" (that is what -days 3650 in the signing command set).
Thus the chain of trust (verification) is built as follows.
The device certificate is signed by the CA certificate and can be verified against it:
<pre>
openssl verify -CAfile ca.crt device_AP6V5MDG.crt
...
</pre>
And the CA certificate is signed "by itself", so it verifies against itself:
<pre>
openssl verify -CAfile ca.crt ca.crt
...
</pre>
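The whole chain of trust described in this section, from creating the CA and the device request to checking that an altered certificate is rejected, as an added example that is not part of the original page. It is a shell script for any machine with openssl: because no ATECC chip is assumed, the device key is a P-256 key file, and only the key-loading flags differ from the page's engine-based CSR command. The CA name "MY CA" and the device name wirenboard-AP6V5MDG are taken from the page; the rogue CA and the byte-editing step are constructed here to show what the CA signature actually protects against.

```shell
#!/bin/sh
# Added example, not code from the Wiren Board page: rebuild the page's chain
# of trust in software so that every verification step can be run on any
# machine with openssl. Assumption: no ATECC chip is present, so the device
# key is an ordinary P-256 key file; on the controller the CSR step is the
# page's command with "-engine ateccx08 -keyform engine -key ATECCx08:...".
set -eu

CA_CN="MY CA"                    # CA name shown on the page
DEV_CN="wirenboard-AP6V5MDG"     # device name shown on the page

# Self-signed CA valid for 10 years (the page's -days 3650).
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key
    openssl req -x509 -new -key ca.key -days 3650 -subj "/CN=$CA_CN" -out ca.crt
}

# Device key and CSR. Only the key source differs from the page's command.
make_device_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out device.key
    openssl req -new -key device.key -subj "/CN=$DEV_CN" -out device.csr
}

# Sign at the CA for one year, as the page does.
sign_device() {
    openssl x509 -req -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out device.crt 2>/dev/null
}

# The page's two verification commands; each exits 0 only if the chain holds.
verify_device() { openssl verify -CAfile ca.crt device.crt >/dev/null; }
verify_ca()     { openssl verify -CAfile ca.crt ca.crt     >/dev/null; }

# Issuer, subject and validity, i.e. the fields the page reads from -text.
cert_summary() { openssl x509 -in "$1" -noout -issuer -subject -dates; }

# Same CN for the CA and the device, but signed by a different (rogue) CA key:
# must NOT verify against our ca.crt. A matching name is not trust.
rogue_fails() {
    openssl ecparam -name prime256v1 -genkey -noout -out rogue_ca.key
    openssl req -x509 -new -key rogue_ca.key -days 3650 -subj "/CN=$CA_CN" -out rogue_ca.crt
    openssl x509 -req -in device.csr -CA rogue_ca.crt -CAkey rogue_ca.key \
        -CAcreateserial -days 365 -out rogue.crt 2>/dev/null
    ! openssl verify -CAfile ca.crt rogue.crt >/dev/null 2>&1
}

# Edit one byte of the signed body (first letter of the CN in the DER
# encoding): the signature no longer covers what the certificate now says,
# so verification must fail.
tamper_fails() {
    openssl x509 -in device.crt -outform DER -out tampered.der
    off=$(grep -abo "$DEV_CN" tampered.der | head -n 1 | cut -d: -f1)
    printf 'W' | dd of=tampered.der bs=1 seek="$off" conv=notrunc 2>/dev/null
    openssl x509 -inform DER -in tampered.der -out tampered.crt
    ! openssl verify -CAfile ca.crt tampered.crt >/dev/null 2>&1
}

demo() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, nothing to do" >&2
        return 0
    fi
    WORK=$(mktemp -d)
    cd "$WORK"        # all files live in a throw-away directory
    make_ca
    make_device_csr
    sign_device
    echo "== device certificate =="; cert_summary device.crt
    echo "== CA certificate ==";     cert_summary ca.crt
    verify_device && echo "device.crt verifies against ca.crt"
    verify_ca     && echo "ca.crt is self-signed and verifies against itself"
    rogue_fails   && echo "same names from another CA key: rejected"
    tamper_fails  && echo "one edited byte: signature failure, rejected"
}

demo
```

The rogue-CA step is the one to remember when reading "Issuer: CN = MY CA" in a certificate dump: openssl verify checks the signature against the key in ca.crt, not the issuer string, so a certificate that merely claims to come from "MY CA" is rejected.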
== Nginx configuration ==
Suppose, for example, that you have a server on the Internet that must accept requests only from devices holding certificates issued by our CA.
To enable this check, add the following lines to the http or server section of the nginx configuration file:
<pre>
...
</pre>
Nginx will now require a certificate from the client and validate it against ca.crt; otherwise the server returns error 400 to the client:
<pre>
...
</pre>
Now let's make the HTTP requests from the WB controller pass this check.
For simplicity we will use nginx on the client side as well: this lets clients that cannot make TLS connections themselves talk to secured servers.
First we create a server on an unused local HTTP port that will do all the HTTPS "magic" for us. Bind it to 127.0.0.1 only: anything that can reach this port talks to the remote server with the controller's identity.
<pre>
...
</pre>
Add the www-data user to the i2c group so that nginx can access the crypto chip (the -a flag appends the group; without it usermod replaces the user's supplementary groups):
<pre>
usermod -a -G i2c www-data
</pre>
Run '''service nginx restart''' to apply the configuration.
Now, when you access HTTP on local port 8080, encrypted requests carrying the client certificate will be sent to the server example.com:
<pre>
...
</pre>
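Both halves of the nginx setup from this section, as an added example that is not the page's own configuration (the page's config blocks are not reproduced here): the server block on example.com that admits only clients with certificates from our CA, and the loopback proxy on the controller that supplies the ATECC-backed client certificate. The directives are standard nginx ones; the paths under /etc/nginx/certs are assumptions, the server name, port 8080 and key ID ATECCx08:00:04:C0:00 are the page's, and the assumption that example.com's own certificate is issued by the same CA comes from the OpenVPN section below. The curl check uses curl's standard --engine and --key-type options.

```shell
#!/bin/sh
# Added example, not the Wiren Board page's own configuration: an nginx
# server block that admits only clients with certificates from our CA, and
# the loopback proxy for the controller that adds the ATECC-backed client
# certificate. Assumptions: certificate paths under /etc/nginx/certs,
# server name example.com and local port 8080 as on the page, key ID
# ATECCx08:00:04:C0:00 as on the page, server cert issued by the same CA.
set -eu

# Server side (example.com): require and verify a client certificate.
server_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.crt;
    ssl_certificate_key /etc/nginx/certs/example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client certificates must chain to our CA; a missing or invalid
    # certificate is answered by nginx with HTTP 400.
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        # Hand the verified identity to the application instead of
        # trusting anything the client puts in its own headers.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8000;
    }
}
EOF
}

# Controller side: plain HTTP on loopback, HTTPS with client auth upstream.
client_conf() {
    cat <<'EOF'
server {
    # Loopback only: anything that can reach this port would otherwise
    # speak to example.com with the controller's identity.
    listen 127.0.0.1:8080;

    location / {
        proxy_pass https://example.com;
        proxy_ssl_server_name on;
        proxy_ssl_name example.com;

        # Our client certificate; the private key stays in the chip.
        proxy_ssl_certificate     /etc/nginx/certs/device_AP6V5MDG.crt;
        proxy_ssl_certificate_key engine:ateccx08:ATECCx08:00:04:C0:00;

        # Verify the server too, otherwise the chip would happily
        # authenticate to an impostor.
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;
        proxy_ssl_verify    on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
EOF
}

# Checks that return 0 when the generated config has the property we need.
server_requires_client_cert() { server_conf | grep -q '^ *ssl_verify_client *on;'; }
client_is_loopback_only()     { client_conf | grep -q 'listen 127\.0\.0\.1:8080;'; }
client_verifies_upstream()    { client_conf | grep -q '^ *proxy_ssl_verify *on;'; }

# Manual end-to-end check from the controller, not run here: expect HTTP 400
# without the client certificate and 200 with it.
curl_check() {
    curl -s -o /dev/null -w '%{http_code}\n' --cacert /etc/nginx/certs/ca.crt \
        https://example.com/
    curl -s -o /dev/null -w '%{http_code}\n' --cacert /etc/nginx/certs/ca.crt \
        --engine ateccx08 --key-type ENG --key ATECCx08:00:04:C0:00 \
        --cert /etc/nginx/certs/device_AP6V5MDG.crt https://example.com/
}

echo "# ---- example.com: /etc/nginx/conf.d/mtls.conf ----"; server_conf
echo "# ---- controller: /etc/nginx/conf.d/proxy.conf ----"; client_conf
```

Write each file on its own machine and run nginx -t before restarting. The server block passes $ssl_client_s_dn upstream so the application can authorize by certificate name rather than by anything the client sends in headers.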
== OpenVPN configuration ==
First, install the package: | |||
<pre>
...
</pre>
Create a file named req.cnf; we need it to make the server certificate.
<pre>
[ v3_req ]
...
</pre>
The OpenVPN server also needs a file with DH parameters; let's create it:
<pre>
openssl dhparam -out dh2048.pem 2048
</pre>
Generating this file may take a few minutes.
Next, create the private key for our server and a certificate request for it. For the example we assume the server's name is example.com:
<pre>
...
</pre>
Sign the request with our certification authority:
<pre>
...
</pre>
Now let's set up the OpenVPN server on the machine example.com.
Copy the files '''ca.crt''', '''example.crt''', '''example.key''' and '''dh2048.pem''' there and edit the OpenVPN server configuration file.
By default it is /etc/openvpn/server.conf:
<pre>
...
</pre>
Add the openvpn user to the i2c group to access the crypto device: | |||
<pre>
...
</pre>
After that, start the server with '''service openvpn start'''.
Next, create a client configuration file on the controller, client.ovpn:
<pre>
...
-------------------------------------------------------------------------
</pre>
Note the line group i2c: after start-up OpenVPN drops privileges to this group, and it is needed to keep working with the crypto chip (the chip signs every TLS handshake, including renegotiations).
Then run the client: | |||
<pre>
...
</pre>
If all is well, a tun0 interface with an address from the 10.8.0.0/24 subnet should appear in the system:
<pre>
...
</pre>
To check that the tunnel works, run ping:
<pre>
...
</pre>
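The server and client configuration files of this section, as an added example that is not the page's own configuration (the page's server.conf and client.ovpn are not reproduced here). Paths under /etc/openvpn, the subnet 10.8.0.0/24, the server name example.com and the group i2c line are taken from the page; the rest are standard OpenVPN directives. The two lines that load the private key from the chip (engine ateccx08 and key ATECCx08:00:04:C0:00, following OpenVPN's --engine option) are an assumption about how the page's client.ovpn does it; compare them with your own file and OpenVPN's documentation. remote-cert-tls server is included because it is the check a practitioner wants; it requires extendedKeyUsage=serverAuth in the server certificate, which is what the [ v3_req ] section in req.cnf is assumed to provide.

```shell
#!/bin/sh
# Added example, not the Wiren Board page's own configuration files.
# Assumptions: files under /etc/openvpn; engine/key lines for the ATECC chip
# follow OpenVPN's --engine option and must be checked against the page's
# own client.ovpn; the server certificate carries EKU serverAuth.
set -eu

# /etc/openvpn/server.conf on example.com
server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/example.crt
key  /etc/openvpn/example.key
dh   /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
# Only TLS 1.2+ and an AEAD cipher; clients are authenticated by the
# certificate chain to ca.crt, which is what this whole page is about.
tls-version-min 1.2
cipher AES-256-GCM
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# client.ovpn on the controller
client_conf() {
    cat <<'EOF'
client
dev tun
proto udp
remote example.com 1194
nobind
resolv-retry infinite
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/device_AP6V5MDG.crt
# Private key lives in the ATECC chip and is reached through the OpenSSL
# engine (assumption: engine name and key ID as in the page's openssl command).
engine ateccx08
key ATECCx08:00:04:C0:00
# Refuse to talk to a peer whose certificate is not marked as a server,
# so a stolen client certificate cannot impersonate example.com.
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
persist-key
persist-tun
user nobody
# Needed for the chip: OpenVPN keeps signing handshakes after dropping privileges.
group i2c
verb 3
EOF
}

# Checks returning 0 when the config has the property we care about.
client_keeps_i2c_access() { client_conf | grep -q '^group i2c$'; }
client_pins_server_role() { client_conf | grep -q '^remote-cert-tls server$'; }
server_uses_tls12_plus()  { server_conf | grep -q '^tls-version-min 1.2$'; }

# After "service openvpn start" on both sides, the tunnel is up when tun0
# has a 10.8.0.x address (not run here).
tun_check() { ip -4 addr show dev tun0 | grep -q 'inet 10\.8\.0\.'; }

echo "# ---- example.com: /etc/openvpn/server.conf ----"; server_conf
echo "# ---- controller: client.ovpn ----"; client_conf
```

The page's own check (tun0 with a 10.8.0.0/24 address, then ping) is wrapped in tun_check so it can be scripted on the controller.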
== Mosquitto configuration ==
UPD:
Generate a private key and certificate request: | |||
<pre>
...
</pre>
Copy the files '''ca.crt''', '''mosquitto.crt''', '''mosquitto.key''' to the server and edit the configuration file '''/etc/mosquitto/conf.d/server.conf''':
<pre>
...
</pre>
Start the service:
<pre>
service mosquitto start
</pre>
If required, you can also make the local mosquitto server on the controller forward some topics to a remote server. To do this, create a bridge file '''/etc/mosquitto/bridge.conf''':
<pre>
...
</pre>
After restarting the local mosquitto service, the topics /test/... will be sent to the remote server example.com over a TLS-protected channel.
Examples of mosquitto client commands.
Sending a message to the "test" topic on the example.com server:
<pre>
...
</pre>
Receiving messages from the "test" topic on the example.com server:
<pre>
mosquitto_sub -h example.com --cert device_AP6V5MDG.crt --key 'engine:ateccx08:ATECCx08:00:04:C0:00' -t "test" --cafile ca.crt
</pre>
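The broker and bridge configuration of this section as an added example, not the page's own files (the page's server.conf and bridge.conf are not reproduced here). The file names, the port-less example.com address and the /test topics come from the page; port 8883 is the conventional MQTT-over-TLS port and the ACL file is an addition showing what use_identity_as_username makes possible. The bridge's engine-key lines (tls_engine, tls_keyform engine, bridge_keyfile with the key ID) follow the upstream mosquitto 1.6+ option names and are an assumption: the page's mosquitto_sub command passes the key as 'engine:ateccx08:ATECCx08:00:04:C0:00' instead, so check which form your mosquitto build accepts. The important check in the broker config is require_certificate true; without it the TLS listener encrypts but does not authenticate clients.

```shell
#!/bin/sh
# Added example, not the Wiren Board page's own configuration files.
# Assumptions: port 8883, paths under /etc/mosquitto/certs, an ACL file,
# and the upstream mosquitto 1.6+ engine options for the bridge key
# (tls_engine / tls_keyform / bridge_keyfile); the page's own client
# command uses the form --key 'engine:ateccx08:ATECCx08:00:04:C0:00'.
set -eu

# /etc/mosquitto/conf.d/server.conf on example.com
broker_conf() {
    cat <<'EOF'
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/mosquitto.crt
keyfile  /etc/mosquitto/certs/mosquitto.key
tls_version tlsv1.2
# The actual client check: no certificate chaining to ca.crt, no session.
require_certificate true
# Certificate CN (e.g. wirenboard-AP6V5MDG) becomes the MQTT username,
# so the ACL file can give each controller only its own topics.
use_identity_as_username true
allow_anonymous false
acl_file /etc/mosquitto/acl
EOF
}

# /etc/mosquitto/acl on example.com (%u is the username, i.e. the CN)
acl_conf() {
    cat <<'EOF'
topic read test
topic write test
pattern readwrite devices/%u/#
EOF
}

# /etc/mosquitto/bridge.conf on the controller
bridge_conf() {
    cat <<'EOF'
connection wb-to-cloud
address example.com:8883
# Forward everything under /test/ to the remote broker (QoS 0).
topic /test/# out 0
bridge_cafile   /etc/mosquitto/certs/ca.crt
bridge_certfile /etc/mosquitto/certs/device_AP6V5MDG.crt
# Assumption: upstream 1.6+ engine options; adjust to your build.
tls_engine  ateccx08
tls_keyform engine
bridge_keyfile ATECCx08:00:04:C0:00
bridge_tls_version tlsv1.2
EOF
}

# Checks returning 0 when the generated config has the property we need.
broker_requires_cert()   { broker_conf | grep -q '^require_certificate true$'; }
broker_maps_cn_to_user() { broker_conf | grep -q '^use_identity_as_username true$'; }
bridge_forwards_test()   { bridge_conf | grep -q '^topic /test/# out 0$'; }

# Publish counterpart of the page's mosquitto_sub command, same key form
# as on the page (not run here).
pub_check() {
    mosquitto_pub -h example.com -p 8883 --cafile /etc/mosquitto/certs/ca.crt \
        --cert /etc/mosquitto/certs/device_AP6V5MDG.crt \
        --key 'engine:ateccx08:ATECCx08:00:04:C0:00' -t test -m "hello from $(hostname)"
}

echo "# ---- example.com: /etc/mosquitto/conf.d/server.conf ----"; broker_conf
echo "# ---- example.com: /etc/mosquitto/acl ----"; acl_conf
echo "# ---- controller: /etc/mosquitto/bridge.conf ----"; bridge_conf
```

Run mosquitto with -v once after editing to see "OpenSSL Error" lines early; a broker that starts but silently accepts any client is usually one where require_certificate was left at its default of false.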