added EMQX for MQTT protocol support

2025-09-30 12:27:42 +03:00
parent e0490e42c5
commit af252c4498
3 changed files with 110 additions and 3 deletions
--- a/readme.md
+++ b/readme.md
@@ -20,9 +20,10 @@ vault kv put kv/snoop \
  minio_presign_ttl_seconds="900"
 ```

-Unseal Key: gQrvvJBaGR4CpmkoVq93tWqk5dTpioMAHtNHKMWNlH0=
+Unseal Key 1: XdERN+/hxR9RjLC/S8c+y0omToYvB7Qs1jaUenZQvphD
+Unseal Key 2: VBhPBtYcq1GAk7ByPfAsamxV4tJOZ49chAYxxOvc49Oj

-Root Token: root
+Initial Root Token: hvs.tZ4eh9P18sCZ5c1PZIz59EmH


 {
@@ -35,4 +36,74 @@ Root Token: root
  "minio_records_bucket": "records",
  "minio_livestream_bucket": "livestream",
  "minio_presign_ttl_seconds": "900"
-}
+}
+
+### Stand up internal CA (root + intermediate)
+```bash
+# Enable PKI backends (root + intermediate)
+vault secrets enable -path=pki_root pki
+vault secrets tune -max-lease-ttl=87600h pki_root      # 10y
+
+vault write pki_root/root/generate/internal \
+  common_name="Snoop Root CA" key_type=ec key_bits=256 ttl=87600h
+
+vault secrets enable -path=pki_iot pki
+vault secrets tune -max-lease-ttl=17520h pki_iot       # 2y
+
+# Create an intermediate CSR
+vault write -field=csr pki_iot/intermediate/generate/internal \
+  common_name="Snoop IoT Intermediate" key_type=ec key_bits=256 ttl=17520h > iot_int.csr
+
+# Sign intermediate with root
+vault write -field=certificate pki_root/root/sign-intermediate csr=@iot_int.csr \
+  format=pem_bundle ttl=17520h > iot_int_signed.pem
+
+vault write -field=issuing_ca pki_root/root/sign-intermediate \
+  csr=@iot_int.csr format=pem_bundle ttl=17520h > root_ca.pem
+
+# Set the signed intermediate in Vault
+vault write pki_iot/intermediate/set-signed certificate=@iot_int_signed.pem
+```
+
+### Configure URLs + a role for devices
+```bash
+# Publish issuing + CRL URLs (Nginx will fetch CRL periodically)
+vault write pki_iot/config/urls \
+  issuing_certificates="https://vault.example.local/v1/pki_iot/ca" \
+  crl_distribution_points="https://vault.example.local/v1/pki_iot/crl"
+
+# Role that limits cert subjects to your device GUIDs
+vault write pki_iot/roles/device \
+  allow_any_name=false \
+  allowed_uri_sans="urn:device:*" \
+  allowed_other_sans="" \
+  allow_ip_sans=false \
+  allowed_domains="" \
+  enforce_hostnames=false \
+  key_type=ec key_bits=256 \
+  max_ttl=720h ttl=720h  # 30 days
+```
+
+### Enrollment flow (device CSR → signed cert)
+- Device side
+  - Generate keypair on the device (never export private key).
+  - Create CSR with CN=<GUID> and URI SAN urn:device:<GUID>.
+
+- Server side
+  - Backend verifies a one-time enrollment token (or pre-shared bootstrap secret), calls:
+```bash
+vault write pki_iot/sign/device \
+  csr=@device.csr \
+  uri_sans="urn:device:<GUID>" \
+  ttl=720h > device_cert.pem
+```
+
+### Revocation
+- Immediate kill: your backend stores bad serials; deny in app logic.
+  - CRL: `vault write pki_iot/revoke serial_number="<SERIAL>"`.
+  - Fetch CRL periodically to a local file for Nginx:
+```bash
+curl -fsSL https://vault.example.local/v1/pki_iot/crl -o /etc/nginx/iot.crl
+nginx -s reload
+```
+  - Automate via systemd timer/cron (e.g., every 10–15 min).