Configuration of certifications and MQTT

Hello, I’m having several issues configuring SSL + MQTT + Certificates.

I’m following:

1: No matter which values I put into chirpstack-certificates/config/ca-config.json, the CA and all generated certificates have the duration of 5 years.

ca-config.json

{
  "signing": {
    "default": {
      "expiry": "80000h"
    },
    "profiles": {
      "client": {
        "expiry": "80000h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "server": {
        "expiry": "80000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "signing": {
        "expiry": "80000h",
        "usages": [
          "signing",
          "key encipherment"
        ]
      }
    }
  }
}

2: I’m trying to generate certificates for the [application_server.external_api], but I cannot find the scheme in “chirpstack-certificates” to generate a self-signed certificate. That’s in order to secure a connection to it from outside using HTTPS. I’m aware of the fact that the browser would throw an error. It should be fine if I install the certificate on the technicians’ computers, but correct me if I’m wrong :).

3: I’m using docker-compose for the Application Server + Network Server. Is it necessary to have an internal SSL connection between the Application Server and Network Server between the dockers, to be able to have a secure MQTT/SSL connection towards the gateways? Is it necessary for the gateway key generation?

4: No matter what I write on client_cert_lifetime under [application_server.integration.mqtt.client], all certificates have the duration of 1 year from now.

chirpstack-application-server.toml

[join_server]
ca_cert="/etc/certs/ca/ca.pem"
tls_cert="/etc/certs/chirpstack-application-server/join-api/server/chirpstack-application-server-join-api-server.pem"
tls_key="/etc/certs/chirpstack-application-server/join-api/server/chirpstack-application-server-join-api-server-key.pem"

[application_server.integration.mqtt]
server="tcp://mosquitto:1883"
username="_USERNAME_"
password="_PASSWORD_"

[application_server.integration.mqtt.client]
ca_cert="/etc/certs/ca/ca.pem"
ca_key="/etc/certs/ca/ca-key.pem"
## Time expressed in hours ??
client_cert_lifetime="80000h"

[application_server.api]
public_host="chirpstack-application-server:8001"
ca_cert="/etc/certs/ca/ca.pem"
tls_cert="/etc/certs/chirpstack-application-server/api/server/chirpstack-application-server-api-server.pem"
tls_key="/etc/certs/chirpstack-application-server/api/server/chirpstack-application-server-api-server-key.pem"


[application_server.external_api]
## What to put here in terms of ca_cert, tls_cert, tls_key?

bind="0.0.0.0:8080"
jwt_secret="_JWT_SECRET_"

5: While using the default Mosquitto, which of the generated files under certs/mqtt and certs/ca are the correct ones for the configuration options: certfile, keyfile, cafile?

6: Would the following config set up two Mosquitto listeners:
One local for the Application Server and Network server, through TCP
One secured through SSL with an ACL gateway_acl.acl

or have I missed something?

mosquitto.conf

per_listener_settings true

listener 1883 localhost
allow_anonymous false
password_file /mosquitto/config/mosquitto.passwd


listener 8883
allow_anonymous false
password_file /mosquitto/config/mosquitto_gateways.passwd
acl_file /mosquitto/config/gateway_acl.acl

require_certificate true
certfile mosquitto/certs/mqtt/????
keyfile mosquitto/certs/mqtt/mqtt-server-key.pem
cafile mosquitto/certs/mqtt/???

7: Would the following ACL be complete to limit the readability of the gateways to their own topics, being secured and identified through their key?

gateway_acl.acl

pattern readwrite gateway/%u/#
pattern readwrite application/%u/#

Thank you. I’ve been trying to solve these problems for a few days now, sorry for the numerous questions.
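As an added example (not code from the post, nor from the ChirpStack or Mosquitto projects), here is a small Python script that checks two of the questions above offline: it parses a per-listener mosquitto.conf and flags listeners that require a client certificate but still have placeholder or missing cafile/certfile/keyfile values (question 6), and it evaluates the `pattern ... %u` ACL lines from question 7 the way Mosquitto does, substituting the username and applying MQTT `+`/`#` wildcard matching, so you can see which topics a given gateway username can read or write. The embedded config and ACL text are constructed copies of the ones in the post, and the gateway usernames `gw-a` and `gw-b` are made up.

```python
"""Offline sanity checks for a Mosquitto listener + pattern ACL setup.

Added example; SAMPLE_CONF / SAMPLE_ACL are constructed to mirror the post.
"""

# Constructed copy of the post's mosquitto.conf (paths and '???' placeholders as posted)
SAMPLE_CONF = """
per_listener_settings true

listener 1883 localhost
allow_anonymous false
password_file /mosquitto/config/mosquitto.passwd

listener 8883
allow_anonymous false
password_file /mosquitto/config/mosquitto_gateways.passwd
acl_file /mosquitto/config/gateway_acl.acl
require_certificate true
certfile mosquitto/certs/mqtt/????
keyfile mosquitto/certs/mqtt/mqtt-server-key.pem
cafile mosquitto/certs/mqtt/???
"""

# Constructed copy of the post's gateway_acl.acl
SAMPLE_ACL = """
pattern readwrite gateway/%u/#
pattern readwrite application/%u/#
"""


def parse_listeners(conf_text):
    """Split a Mosquitto config into {'global': {...}, '<port>': {...}} dicts.
    Options before the first 'listener' line are stored under 'global'."""
    sections = {"global": {}}
    current = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            current = value.split()[0]          # port number
            sections[current] = {"bind": value}
        else:
            sections[current][key] = value
    return sections


def audit_listeners(conf_text):
    """Return (section, problem) findings for common TLS/auth misconfigurations."""
    sections = parse_listeners(conf_text)
    findings = []
    if sections["global"].get("per_listener_settings") != "true":
        findings.append(("global", "per_listener_settings is not true; "
                                   "per-listener auth/ACL options will not apply"))
    for port, opts in sections.items():
        if port == "global":
            continue
        if opts.get("allow_anonymous") == "true":
            findings.append((port, "allow_anonymous is enabled"))
        if opts.get("require_certificate") == "true":
            # A TLS listener needs all three files; '?' marks an unfilled value.
            for needed in ("cafile", "certfile", "keyfile"):
                val = opts.get(needed)
                if val is None:
                    findings.append((port, f"require_certificate set but {needed} is missing"))
                elif "?" in val:
                    findings.append((port, f"{needed} still contains a placeholder: {val}"))
    return findings


def topic_matches(topic_filter, topic):
    """MQTT topic-filter match: '+' matches one level, '#' matches the rest."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, fp in enumerate(f_parts):
        if fp == "#":
            return True
        if i >= len(t_parts):
            return False
        if fp != "+" and fp != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def acl_allows(acl_text, username, topic, access):
    """Evaluate 'pattern <read|write|readwrite> <filter>' lines with %u replaced
    by the username. With an acl_file present, anything not matched is denied."""
    assert access in ("read", "write")
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line.startswith("pattern "):
            continue
        _, mode, topic_filter = line.split(None, 2)
        if access not in mode:                  # 'readwrite' contains both
            continue
        if topic_matches(topic_filter.replace("%u", username), topic):
            return True
    return False


if __name__ == "__main__":
    for section, problem in audit_listeners(SAMPLE_CONF):
        print(f"[{section}] {problem}")
    for user, topic in (("gw-a", "gateway/gw-a/event/up"), ("gw-a", "gateway/gw-b/command/down")):
        print(user, topic, "write:", acl_allows(SAMPLE_ACL, user, topic, "write"))
```

One caveat the ACL evaluation makes visible: `%u` is the username Mosquitto authenticated, which with the listener above comes from `password_file`. `require_certificate true` only forces the gateway to present a certificate signed by `cafile`; the certificate's CN becomes the username only if the listener also sets `use_identity_as_username true`, so "identified through their key" and "limited to their own topics" are two separate settings to check.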