Another popular way of authenticating clients is via client certificates and can be use as in addition or as an alternative to using user name and password authentication.
Client certificates play a key role in many mutual authentication designs, providing strong assurances of a requester’s identity. –Wiki
A client certificate identifies the client just like the server certificate identifies the server.
Normally certificates are created and distributed to each client that connects to the server/broker that requires them.
However you can share a client certificate between clients.
As with username and password authentication the broker dictates whether or not a clients need to supply a certificate.
You can use certificates in combination with username and password authentication.
Mosquitto Broker Configuration
The main two settings are:
- require_certificates – Main setting tells client it needs to supply a certificate when set to true. Default false
- use_identity_as_username– – When set to true it tells mosquitto not to use the password file but to take the username from the certificate (common name given to certificate when you create it). Default false
- crlfile – You can create a certificate revocation file that is used to revoke a client certificate
Creating Self Signed Client Certificates
The client and server must use the same CA (certificate Authority) for the client and server certificates.
You create the client certificates using the same process as you used for creating a server certificate.
- Create a client key don’t password protect.
- Create a client certificate request using the key.
- Use the CA key to sign the client certificate request from step 2.
You need an existing CA certificate and private key which you get when you follow the steps for creating your own self signed server certificate.
You need to use the same CA for the client certificates as the server certificate, and the broker needs to use SSL.
This is because client certificates require an encrypted connection.
If you don’t have a CA certificate then you need create one using the following:
First create a key for the CA
Command is: openssl genrsa -des3 -out ca.key 2048
Note: it is OK to create a password protected key for the CA.
Next: Create a certificate for the CA using the CA key that we created in step 1
Command is: openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
If you have followed the tutorial on creating server certificates then your folder should look like the one below:
The first step is to create a client private key.
The command is:
openssl genrsa -out client.key 2048
Next create a certificate request and use the client private key to sign it.
The command is:
openssl req -new -out client.csr -key client.key
You will be presented with a form that you need to complete.
The most important entry is the common name. This name can be used by the broker to identify the client in place of a username.
Normally this certificate would be sent to a Certificate authority, but we are our own Certificate authority so we complete the request to create a client certificate
Now we complete the request and create a client certificate. The command is:
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360
This is now what our directory looks like
Using Client Certificates
To use client certificates the client requires three files:
- ca.crt – The Certificate authority certificate
- client.crt – The client certifcate file
- client.key – The client private key
Publishing using Mosquitto_pub tool
The command is:
mosquitto_pub --cafile C:\ssl\ca.crt --cert C:\ssl\client.crt --key C:\ssl\client.key -d -h 192.168.1.157 -p 8883 -t test -m "hello there"
Note: You need to use the server name that is on the server certificate. If I use the IP address instead I get this error.
Publish Using Python
If you use Python you need to set the TLS settings using:
Publish Using Node-Red
On Node red you need to enable the SSL/TLS option in the broker settings.
and then upload the client files as shown in the screen shot below:
Mosquitto Broker Connection
When the client connects to the broker and the use_identity_as_username is true then this is what you see:
Example Mosquitto configuration file:
port 1883 log_type error log_type notice log_type information log_type debug #allow_anonymous false #password_file /etc/mosquitto/pass.txt #Extra Listeners listener 8883 #ssl settings cafile /home/steve/mos/certs/ca.crt keyfile /home/steve/mos/certs/server.key certfile /home/steve/mos/certs/server.crt #client certifcate settings require_certificate true use_identity_as_username true
CA= Certificate Authority
Private Key = An encryption key that isn’t shared and needs to be stored securely
Public Key= An encryption key that is shared and doesn’t needs to be stored securely.
Certificate Request = An application for a certificate made to a certificate authority. Like a passport application
To save you typing I’ve created two Linux shell scripts that run the commands and create server and client certificates and keys as in this tutorial and the server certificate tutorial.
- SSL and SSL Certificates Explained For Beginners
- Quick Guide to The Mosquitto.conf File With Examples
- Configuring and Testing MQTT Topic Restrictions
- Mosquitto username and Password Authentication Configuration Guide