I've been working with OpenSSL and mosquitto MQTT and I have a question.
So far I only have one client. But how can I connect several clients simultaneously with different certificates to the same MQTT broker?
And how does it work in case of revoking the certificate of one of the clients?
Is it necessary to restart the broker?
Does anyone have an example?
I am using SSL/TLS for a secure connection and for this I use the following files:
ca.key
ca.crt
server:
ca.crt
server.key
server.crt
client:
ca.crt
client.key
client.key
and the configuration file is like this:
#Extra Listeners
listener 8883
cafile /Users/Documents/certs/ca.crt
keyfile /Users/Documents/certs/server.key
certfile /Users/Documents/certs/server.crt
#client certificate settings
require_certificate true
use_identity_as_username true
Thank you!
For the first question, to have multiple clients, you just need to make sure each client has its own certificate with a unique subject value.
You revoke a certificate by getting the Certificate Authority to generate a new certificate revocation list file, and you point mosquitto at that file using the crlfile option in the config file.
e.g.
#Extra Listeners
listener 8883
cafile /Users/Documents/certs/ca.crt
keyfile /Users/Documents/certs/server.key
certfile /Users/Documents/certs/server.crt
crlfile /Users/Documents/certs/revoked.crl
#client certificate settings
require_certificate true
use_identity_as_username true
Man page section:
crlfile file_path
If you have require_certificate set to true, you can create a certificate revocation list file to revoke access to particular client certificates. If you have done this, use crlfile to point to the PEM encoded revocation file.
Since the man page doesn't mention that the crlfile will be reloaded on a signal it implies you will need to restart mosquitto each time you revoke a certificate.
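As an added example (not the asker's or answerer's files, and not mosquitto's own code), the script below builds a throwaway CA, issues certificates for two clients with distinct CNs, revokes one, and generates the CRL that a crlfile line would point at; it then checks each client certificate against ca.crt plus the CRL, which is the same decision the broker makes at connect time. All file names, client names and the CA config are assumptions.

```shell
#!/bin/sh
# Throwaway CA, two client certs, revoke one, emit the CRL for crlfile.
# All paths and names here are assumptions; runs in a scratch directory.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# CA key and self-signed certificate (the ca.crt every side trusts).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 365 -subj "/CN=demo-ca" 2>/dev/null
# Minimal "openssl ca" database so we can later revoke and emit a CRL.
touch index.txt; echo 01 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF

# One key pair per client; the CN must be unique because with
# use_identity_as_username the broker uses it as the MQTT username.
issue_client() {   # $1 = client name
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue_client client1
issue_client client2

# Revoke client2 and regenerate the CRL; revoked.crl is what crlfile names.
openssl ca -config ca.cnf -revoke client2.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null

# Same check the broker makes: chains to ca.crt and is not listed in the CRL.
client_allowed() {   # $1 = client cert; exit 0 = still accepted
  openssl verify -crl_check -CAfile ca.crt -CRLfile revoked.crl "$1" >/dev/null 2>&1
}
client_allowed client1.crt && echo "client1 accepted"
client_allowed client2.crt || echo "client2 rejected (revoked)"
```

Each time a client is revoked, rerun the -revoke and -gencrl steps and copy the new revoked.crl over the file named by crlfile, then restart the broker as the answer describes.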