0
votes

I've been working with OpenSSL and mosquitto MQTT and I have a question.

So far I only have one client. But how can I connect several clients simultaneously with different certificates to the same MQTT broker?

And how does it work in case of revoking the certificate of one of the clients?

Is it necessary to restart the broker?

Does anyone have an example?

I am using SSL/TLS for secure connection and for this I use the following files:

ca.key
ca.crt

server:
ca.crt
server.key
server.crt

client:
ca.crt
client.key
client.crt

and the configuration file is like this:

#Extra Listeners
listener 8883
cafile /Users/Documents/certs/ca.crt
keyfile /Users/Documents/certs/server.key
certfile /Users/Documents/certs/server.crt
#client certificate settings
require_certificate true
use_identity_as_username true

Thank you!


1 Answer

1
votes

For the first question, to have multiple clients, you just need to make sure each client has its own certificate with a unique subject value.

You revoke a certificate by getting the Certificate Authority to generate a new certificate revocation list file and you point mosquitto at that file using the crlfile option in the config file. e.g.

#Extra Listeners
listener 8883
cafile /Users/Documents/certs/ca.crt
keyfile /Users/Documents/certs/server.key
certfile /Users/Documents/certs/server.crt
crlfile /Users/Documents/certs/revoked.crl
#client certificate settings
require_certificate true
use_identity_as_username true

Man page section:

crlfile file_path

If you have require_certificate set to true, you can create a certificate revocation list file to revoke access to particular client certificates. If you have done this, use crlfile to point to the PEM encoded revocation file.

Since the man page doesn't mention that the crlfile will be reloaded on a signal it implies you will need to restart mosquitto each time you revoke a certificate.
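The two points in the answer above (one certificate per client with a distinct subject, and a CRL that mosquitto reads through crlfile) as a runnable added example. This is not code from the original post or from the mosquitto project; it uses a throwaway OpenSSL CA in a temporary directory, and the names demo-ca, server, client1, client2 and the file layout are assumptions for the demo. It does not start a broker: it checks each client certificate with openssl verify against the CA and the CRL, which is the same decision the broker's TLS stack makes when a client presents its certificate, and writes a listener config in the shape shown in the answer.

```shell
#!/bin/sh
# Added example, not from the original post: throwaway CA, two clients with
# distinct subjects, revoke one, regenerate the CRL that crlfile points at.
set -eu

CADIR="$(mktemp -d)"          # all demo files live here (not cleaned up)
CNF="$CADIR/ca.cnf"

mkdir "$CADIR/newcerts"
touch "$CADIR/index.txt"      # "openssl ca" database of issued/revoked certs
echo 1000 > "$CADIR/serial"
echo 1000 > "$CADIR/crlnumber"

# Minimal "openssl ca" configuration (assumed layout for this demo).
cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
unique_subject   = yes

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# CA key and self-signed CA certificate (the ca.crt the broker and clients share).
openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" -subj "/CN=demo-ca" -days 365 2>/dev/null

# Issue a certificate whose subject CN is the given name. With
# use_identity_as_username that CN is what mosquitto uses as the client's username,
# so every client needs a different one.
issue_cert() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$CADIR/$1.key" -out "$CADIR/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config "$CNF" -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" 2>/dev/null
}

# (Re)generate the CRL. This is the file the crlfile option names.
gen_crl() {
  openssl ca -config "$CNF" -gencrl -out "$CADIR/revoked.crl" 2>/dev/null
}

# Mark a certificate revoked in the CA database; gen_crl publishes the change.
revoke_cert() {
  openssl ca -config "$CNF" -revoke "$CADIR/$1.crt" 2>/dev/null
}

# 0 when the certificate chains to ca.crt and is not listed in revoked.crl.
check_client() {
  openssl verify -crl_check -CAfile "$CADIR/ca.crt" -CRLfile "$CADIR/revoked.crl" \
    "$CADIR/$1.crt" >/dev/null 2>&1
}

cert_subject() {
  openssl x509 -in "$CADIR/$1.crt" -noout -subject -nameopt RFC2253
}

issue_cert server
issue_cert client1
issue_cert client2
gen_crl

# Listener config in the shape shown in the answer, with this demo's paths.
cat > "$CADIR/mosquitto.conf" <<EOF
listener 8883
cafile $CADIR/ca.crt
keyfile $CADIR/server.key
certfile $CADIR/server.crt
crlfile $CADIR/revoked.crl
require_certificate true
use_identity_as_username true
EOF

for c in client1 client2; do
  check_client "$c" && echo "$c accepted, username would be: $(cert_subject "$c")"
done

revoke_cert client2
gen_crl      # after this, restart mosquitto so it rereads revoked.crl

for c in client1 client2; do
  if check_client "$c"; then echo "$c accepted"; else echo "$c rejected (revoked)"; fi
done
```

Run it as a plain shell script with openssl on the PATH; it prints the directory it used via the paths in the generated mosquitto.conf, and client2 is accepted before the revocation and rejected after it. Point mosquitto at the generated mosquitto.conf to try the same certificates against a real broker.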