Skip to main content
Version: Mosquitto 2.6

Client Certificate Authority Management

2.6
Premium


Client certificates are a digital certificate, which is used by a connecting client to authenticate at a server. The server approves a connection, if the certificate can be validated by a stored client certificate authority.

This feature allows users to manage client CA certificates within the Management Center. This means a user can upload CA certificates to the Management Center and deploy them to a connected broker instances. Future versions will also support generating certificates.

note

If the Certificate Management is not available in the navigation, please check the license and configuration infos at the end of this page.

The Management Center currently supports only X509 certificates

Certificates Overview

To show a list of all currently registered certificates click on the certificates icon in the navigation bar at the left. It is most likely that no certificate is listed on first start since none has been added yet. The following image shows the list with one certificate already uploaded.

Add Certificate

To add a new certificate to the Management Center click on the "Add Certificate" button in the upper right of the Certificates overview page. Here a meaningful name should be specified in the "Descriptive Name" field and a certificate file can be uploaded via a click on the "Choose File" button.

If the uploaded certificate is valid, i.e. is a X509 certificate, detailed information can be viewed by expanding "Certificate Details":

If everything is fine, a click on "Save" navigates back to the Certificates overview page which now lists the newly added certificate.

Deploy / Undeploy Certificate

To deploy (or undeploy) a registered certificate to a connected broker click on the cloud icon at the right of the corresponding row. This opens the deploy / undeploy certificate page which looks like this

To deploy a certificate to a broker instance first select the corresponding connection from the drop-down menu at the top. Then select one or several of the defined listeners to deploy to. If a certificate was already deployed to a listener it will be selected.

When done, a click on "Apply" deploys the certificate to selected listeners of the chosen connection.

To undeploy a certificate simply deselect the corresponding listeners and click "Apply" again.

Repeat these steps for all other connections from the drop-down menu to which this certificate should be deployed or undeployed from. Finally, either click the "Cancel" button or "Certificates" in the navigation path at the top to go back to the overview page. If a certificate was successfully deployed the corresponding broker connections should be listed in the "Used By" column in the certificates overview.

Update Certificate

Updating a certificate is almost the same as adding a new one (See Add Certificate). To update click on the corresponding row of the certificate within the Certificates overview page. This brings up a page which is quite similar to the add-certificate page. Here the name or the certificate file can be changed.

note

It is not allowed to change the certificate file if it is currently deployed to at least one broker. In that case the certificate must first be removed from these brokers before it can be changed.

Delete Certificate

To delete a certificate click on the trashcan icon at the right of the corresponding row in the Certificates overview page.

note

Deleting a certificate will not only deregister the certificate from the Management Center but also removes it from all connected brokers to which it was deployed. Therefore, this action must be confirmed:

If you are not sure simply click on "Cancel" to abort this action, otherwise click "Ok" to proceed. If deletion and removing were successful the overview page should reflect that.

Enable Certificate Management

To enable the Certificate Management feature, make sure you are using the Premium Edition of Mosquitto and that you have the feature enabled in your license.

Also ensure that your config file (specified either by setting the CEDALO_MC_PROXY_CONFIG environment variable or, if not set, using management-center/config/config.json by default) contains the following entry inside the plugins array:

    {
"name": "cert-management"
}

On start-up, the Management Center will print a message that the cert-management plugin is enabled and loaded into the console:

Loaded plugin: "cedalo_cert_management" (Cedalo Certificate Management)

Make sure your broker listener has require_certificateset to true, to be able to upload CAs.