Skip to main content
Version: Mosquitto 2.7

Client Certificate Authority Management

Client certificates are a popular way of adding an extra layer of security to your client authentication. It can either be added on top or instead of the regular authentication provided by the dynamic security feature using username and password. While connecting, a client identifies using a client certificate. The broker has stored a client certificate authority and allows a connection, if the client certificate gets validated, the connection is allowed.

The Client CA Management allows the upload of client CAs to the broker.

This plugin provides a Mosquitto control API which manages client CA certificates for certificate based authentication/validation. The topic of the plugins control API is $CONTROL/certificate-management/v1. Currently, supported commands offered by the API are insertCACertificate, which can be used to extend the existing Certificate Authority (CA) Chain or just the Root CA by an additional signing/validating certificate. To get rid of a previously added CA cert, the deleteCACertificate command can be used.

Plugin configuration

To enable the plugin it must be loaded into the broker with, by adding the following to your mosquitto.conf:

plugin /usr/lib/

In addition to enable the brokers internal $CONTROL/broker/v1 API we need to add:

enable_control_api true

This is required to determine the listeners identifier, where the changes should be applied to.

A sample broker configuration could look like:

listener 1883 # listener 1 to manage the CA certificates (local connection only)

listener 8883 # listener 2 to be managed, accepting the client connections
certfile server.crt
keyfile server.key
capath ca_path
require_certificate true

allow_anonymous true
enable_control_api true

plugin /usr/lib/

The path of the capath configuration should contain at least a root CA cert.

Note: The cafile configuration with a single PEM file containing the CA chain is currently not supported for this command.

To add a new CA certificate to the running broker instance you can either use mosquitto_ctrl or initiate a request-response API call, which is described below.