Client certificates are a popular way of adding an extra layer of security to client authentication. They can be used either on top of, or instead of, the regular username and password authentication provided by the dynamic security feature. When connecting, the client identifies itself with a client certificate; the broker validates that certificate against the client certificate authority (CA) it has stored and allows the connection only if the validation succeeds.
Client CA Management allows client CAs to be uploaded to the running broker.
This plugin provides a Mosquitto control API which manages client CA certificates for certificate-based authentication and validation.
The topic of the plugin's control API is
Currently, the commands supported by the API are
can be used to extend the existing Certificate Authority (CA) chain, or just the root CA, by an additional signing/validating certificate. To remove a previously added CA certificate, the deleteCACertificate command can be used.
To enable the plugin, it must be loaded into the broker by adding the following to your
In addition, to enable the broker's internal
$CONTROL/broker/v1 API we need to
This is required to determine the identifier of the listener to which the changes should be applied.
A sample broker configuration could look like:
listener 1883 127.0.0.1 # listener 1 to manage the CA certificates (local connection only)
listener 8883 # listener 2 to be managed, accepting the client connections
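An expanded version of the managed listener, added here as an illustration rather than taken from the plugin's own documentation. The certificate and key paths are assumed, and the lines that load the plugin and enable the control API are left out because this page does not show them.

```conf
# Management listener: local connections only, used to drive the control API
listener 1883 127.0.0.1

# Managed listener: accepts the TLS client connections whose CAs the plugin maintains
listener 8883
# assumed paths: the broker's own certificate and private key
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
# directory holding the root CA and any signing CAs added through the plugin
capath /etc/mosquitto/client-ca
# without this the broker does not require clients to present a certificate at all
require_certificate true
# take the MQTT username from the certificate's Common Name (CN)
use_identity_as_username true
```

Note that capath alone only tells the broker which CAs to trust; require_certificate true is what actually makes a client certificate mandatory on that listener.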
The directory given in the capath configuration option must contain at least the root CA certificate. Note that mosquitto looks certificates up in capath by their OpenSSL hash names, so the files must end in .crt and the directory must be processed with openssl rehash whenever a certificate is added or removed. The cafile option, which points at a single PEM file containing the whole CA chain, is currently not supported for this command.
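The following script is an added example, not part of the plugin or its documentation. It builds a throwaway PKI (a root CA, a signing CA issued by it, and one client certificate issued by the signing CA), populates a capath directory the way mosquitto expects it, and shows that a capath holding only the root CA rejects that client while adding the signing CA makes it validate, which is what extending the chain through the plugin achieves. All names, paths and the local openssl-based PKI are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: build a mosquitto-style capath directory with openssl and check
# which client certificates it validates. Assumed layout: root CA -> signing CA
# -> client certificate, all generated locally; nothing here talks to a broker.
set -eu

# Extensions that mark a certificate as a CA; without them the signing CA is not
# accepted as an issuer and verification fails.
write_ca_ext() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
}

# Create an EC key and a CSR with the given Common Name ($1=file prefix, $2=CN).
new_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build the toy PKI in directory $1: root CA, signing CA and one client cert.
make_pki() {
    d="$1"; mkdir -p "$d"; write_ca_ext "$d/ca.ext"
    new_csr "$d/root" "Example Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    new_csr "$d/signing" "Example Signing CA"
    openssl x509 -req -in "$d/signing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/signing.crt" 2>/dev/null
    new_csr "$d/client" "client1"
    openssl x509 -req -in "$d/client.csr" -CA "$d/signing.crt" -CAkey "$d/signing.key" \
        -CAcreateserial -days 30 -out "$d/client.crt" 2>/dev/null
}

# Populate a capath directory ($1) with the given CA certificate files ($2...),
# then create the hash-named links that capath lookups rely on.
build_capath() {
    d="$1"; shift
    mkdir -p "$d"
    for c in "$@"; do cp "$c" "$d/"; done
    openssl rehash "$d" >/dev/null 2>&1 || c_rehash "$d" >/dev/null 2>&1
}

# Print OK if client cert $2 chains to a CA found in capath $1, FAIL otherwise.
verify_client() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Demo: root CA only rejects the client; adding the signing CA validates it.
work=$(mktemp -d)
make_pki "$work"
build_capath "$work/capath" "$work/root.crt"
echo "root only:      $(verify_client "$work/capath" "$work/client.crt")"
build_capath "$work/capath" "$work/signing.crt"
echo "root + signing: $(verify_client "$work/capath" "$work/client.crt")"
```

The same openssl verify -CApath check is a quick way to confirm, before restarting or reconfiguring a broker, that the capath directory really validates the client certificates you expect; a FAIL after copying in a new CA usually means the rehash step was skipped.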
To add a new CA certificate to the running broker instance you can either use
mosquitto_ctrl or initiate a request-response API call, which is described