Version: Mosquitto 3.0

CA file management (mTLS)

2.6
Premium


A client certificate is a digital certificate that a connecting client uses to authenticate to a server. The server accepts the connection if the certificate can be validated against a stored client certificate authority (CA).

This feature allows users to manage client CA certificates within a project. This means a user can upload CA certificates to a broker. Future versions will also support generating certificates.

This view is analogous to the Certificates view in the project settings. The broker certificates menu uploads only to the broker it belongs to, while in the project settings you can deploy to any broker in the project.

Certificates Overview

To show a list of all currently deployed CA certificates, click on the certificates icon in the navigation bar on the left. On first start the list will most likely be empty, since no certificate has been added yet. The following image shows the list with one certificate already uploaded.

Add CA Certificate

Adding a certificate is only possible if you have a broker that is configured with mTLS (client certificate access).

To add a new certificate, click on the "Add Certificate" button in the upper right of the certificates overview page. Specify a meaningful name in the "Name" field and upload a certificate file by clicking the "edit" button on the right.

If the uploaded certificate is valid, i.e. it is an X.509 certificate, detailed information can be viewed in the "Certificate Summary".

If everything is fine, click on "Deploy Certificate", which allows you to select the broker and port to deploy to. Only a port with "Require Certificate" enabled will allow the deployment.

When done, clicking "Deploy" deploys the certificate to the selected listeners of the chosen broker.
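A check to run on a CA file before uploading it in the steps above, as an added example that is not part of the original documentation: it uses the OpenSSL command line to confirm that the file is a PEM X.509 certificate, that OpenSSL considers it usable as a CA for client certificates, and that it has not expired, then prints its SHA-256 fingerprint. The function name `check_ca_cert` is hypothetical, and which of these checks the product itself performs on upload is not stated on this page.

```sh
#!/bin/sh
# Added example: pre-upload check for a client CA file (hypothetical helper).
# Only the first certificate in the file is inspected.
check_ca_cert() {
    f=$1

    # 1. The file must parse as a PEM-encoded X.509 certificate.
    if ! openssl x509 -in "$f" -noout 2>/dev/null; then
        echo "REJECT: $f is not a PEM X.509 certificate" >&2
        return 1
    fi

    # 2. OpenSSL must consider it usable as a CA for client certificates
    #    (covers basicConstraints CA:TRUE and, if present, keyUsage).
    if ! openssl x509 -in "$f" -noout -purpose | grep -q '^SSL client CA : Yes'; then
        echo "REJECT: $f is not usable as a CA for client certificates" >&2
        return 2
    fi

    # 3. It must not have expired already.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
        echo "REJECT: $f has expired" >&2
        return 3
    fi

    # Print identifying details for the operator's records.
    openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ca_cert "$1"
fi
```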

Delete Certificate

To delete a certificate, click on the trashcan icon at the right of the corresponding row in the Certificates overview page.

Note: Deleting a certificate will remove it from all connected brokers to which it was deployed. Therefore, this action must be confirmed.

If you are not sure, simply click on "Cancel" to abort this action; otherwise click "Ok" to proceed. If the deletion and removal were successful, the overview page should reflect that.