Client Certificate Authority Management
Client certificates are a popular way of adding an extra layer of security to client authentication. They can be used either on top of, or instead of, the regular username/password authentication provided by the dynamic security feature. While connecting, a client identifies itself with a client certificate; the broker holds the client certificate authority (CA) and allows the connection only if the client certificate validates against it.
The Client CA Management allows the upload of client CAs to the broker.
This plugin provides a Mosquitto control API which manages client CA certificates for certificate-based authentication/validation. The topic of the plugin's control API is $CONTROL/certificate-management/v1.
Currently, the commands offered by the API are insertCACertificate, which can be used to extend the existing Certificate Authority (CA) chain or just the root CA by an additional signing/validating certificate, and deleteCACertificate, which removes a previously added CA certificate.
Plugin configuration
To enable the plugin, it must be loaded into the broker by adding the following to your mosquitto.conf:
plugin /usr/lib/cedalo_certificate_management.so
In addition, to enable the broker's internal $CONTROL/broker/v1 API we need to add:
enable_control_api true
This is required to determine the identifier of the listener to which the changes should be applied.
A sample broker configuration could look like:
listener 1883 127.0.0.1 # listener 1 to manage the CA certificates (local connection only)
listener 8883 # listener 2 to be managed, accepting the client connections
certfile server.crt
keyfile server.key
capath ca_path
require_certificate true
allow_anonymous true
enable_control_api true
plugin /usr/lib/cedalo_certificate_management.so
The directory given by the capath configuration should contain at least a root CA certificate.
Note: The cafile configuration, with a single PEM file containing the CA chain, is currently not supported for this command.
To add a new CA certificate to the running broker instance you can either use mosquitto_ctrl or initiate a request-response API call, which is described below.