History
19 July 2019
New page: «Getting messages from the "test" topic on the example.com server»
−30
New page: «Examples of client mosquitto commands. Sending a message to the "test" topic on the example.com server»
−55
New page: «After restarting the local mosquitto service, topics /test/.. will be sent to the remote server example.com over a secure ssl channel.»
−105
New page: «Also, if required, you can make the local mosquitto server on the controller forward some topics to a remote server. To do this, create a bridge file: '''/etc/m…»
−140
New page: «Start service: <pre> service mosquitto start </pre>»
−16
New page: «Copy the files '''ca.crt''', '''mosquitto.crt''', '''mosquitto.key''' to the server and edit the configuration file '''/etc/mosquito/conf.d/server.conf'''»
−47
New page: «Generate a private key and certificate request:»
−44
New page: «== Mosquitto settings ==»
−10
New page: «To check the performance, run ping:»
−49
New page: «If all is well, a tun0 interface with an address from the subnet 10.8.0.0/24 should appear in the system:»
−53
New page: «Then run the client:»
−36
New page: «Next, create a client configuration file on the controller: client.ovpn: <pre> ------------------------------------------------------------------------- client de…»
−123
New page: «After that, start the server with the command service openvpn start.»
−25
New page: «Add the openvpn user to the i2c group to access the crypto device:»
−60
New page: «Copy the files '''ca.crt''', '''example.crt''', '''example.key''' and '''dh2048.pem''' and edit the openvpn server configuration file. By default, the configuratio…»
−99
New page: «Now let's start setting up the openvpn server on the machine example.com»
−39
New page: «Sign the request in our certification authority:»
−40
New page: «Next, make a private key for our server and request a certificate. We assume, for example, that the server has the name example.com:»
−101
18 July 2019
New page: «It may take a few minutes to create this file.»
−61
New page: «The openvpn server also needs a file with DH parameters, let's make it. <pre> openssl dhparam -out dh2048.pem 2048 </pre>»
−43
New page: «Create a file named req.cnf - we need it to make a server certificate. <pre> [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, ke…»
−64
New page: «First, install the package:»
−23
New page: «== Openvpn configuration ==»
−5
New page: «Now, when you access http on the local port 8080, encrypted requests with authentication information will be sent to the server example.com»
−116
New page: «Run the command '''service nginx restart''' to update the configuration.»
−41
New page: «Add the www-data user to the i2c group to access the crypto device: <pre> usermod -G www-data </pre>»
−60
New page: «First, we will create a server on an unused local http port, which will do all the following https "magic" for us:»
−82
New page: «Now let's make http requests from the WB controller pass this check. For simplicity, we will use nginx on the client side. This will give the opportunity to work with…»
−212
New page: «Nginx will now require a certificate from the client, which must be validated by ca.crt; otherwise the server returns error 400 to the client:»
−105
New page: «For example, suppose you have a server on the Internet that must process requests only from devices that have certificates, issued by our CA. To enable this check…»
−206
No edit summary
−1
New page: «== Nginx. configuration ==»
−5
New page: «Well, the certificate is signed "by itself" <pre> openssl verify -CAfile ca.crt ca.crt ca.crt: OK </pre> '''»
−23
New page: «The device certificate is signed by a CA certificate and can be verified by it: <pre> openssl verify -CAfile ca.crt device_AP6V5MDG.crt device_AP6V5MDG.crt: OK <…»
−53
New page: «Thus, the chain of trust (verification) is built as follows:»
−76
New page: «We see that the certificate is signed by its own private key (Issuer: CN = MY CA, Subject: CN = MY CA) and discharged for 10 years: starting with "Feb 4 14:30:01…»
−90
New page: «A digital signature ensures that no part of the certificate can be tampered with. In case of a change, a public inspection with the key '''CA''' will show an error.»
−130
New page: «We see that the certificate is issued by a Certification Authority named "MY CA" for 1 year, starting with "Feb 4 14:50:14 2019 GMT" (for this we specified -days…»
−184
New page: «Let's see what is there in the CA and device certificate files:»
−68
New page: «In this command, we specify the request file and the CA files required for signing. The result is a device certificate device_AP6V5MDG.crt. File '''device_AP6V5MD…»
−132
New page: «Next, we sign this request in our certification authority: openssl x509 -req -in device_AP6V5MDG.csr -CA ca.crt -CAkey ca.key -out device_AP6V5MDG.crt -days 365 -C…»
−51
New page: «You can choose any unique name; it is convenient for this purpose to use the device ID, which is prescribed by default in /etc/hostname:»
−134
New page: «In this command, we specify that the request is signed with a private key that is in the ateccx08 crypto device with ID '''ateccx08:00:04:C0:00''' and public name…»
−154
New page: «Next, create a request for a device certificate on the Wiren Board controller:»
−37
New page: «'''CA''' is the basis of security in this scheme, so these operations are performed on the machine that is accessed only by the owner of the '''CA'''.»
−107
New page: «And the certificate of our '''CA''':»
−14
New page: «To do this, generate a key pair: <pre>openssl genrsa -out ca.key 2048</pre>»
−35
New page: «Now let's start creating certificates. First, we will create our own Certification Authority ('''CA'''):»
−92
New page: «Next you need to edit the '''/etc/ssl/openssl.cnf''' file, adding the following lines:»
−63
New page: «To access the crypto device, you need the library libateccssl1.1; install it with the command:»
−59