How to enable multiple client certificates on a Cloud Starter cluster for authentication

Use a single Certificate Authority (CA) to sign all client certificates. HiveMQ can then be configured to trust that CA, so any client certificate signed by it is accepted at the TLS handshake. This way you only need to upload the CA certificate to HiveMQ, not every individual client certificate. The flip side is that the CA private key (ca_key.pem) becomes the trust anchor for the cluster: anyone holding it can issue a certificate the broker will accept, so keep it off the devices and out of source control, and give client certificates short lifetimes so that a lost key expires rather than staying valid indefinitely.

Instructions

Here are the steps to set up and test the MQTT client using client certificates with HiveMQ Cloud Starter:

  1. Generate CA Certificate and Client Certificates:

  • Run the following script to generate the CA certificate (ca_cert.pem), one private key and certificate signing request (CSR) per client, and the client certificates signed by the CA:

#!/usr/bin/env bash
passphrase='changeme'   # not used below: all keys are written unencrypted, so protect ca_key.pem by file permissions and storage location
subject_base="/C=US/ST=California/L=San Francisco/O=Fantasy Corp"
num_clients=3           # Define the number of clients

# Generate the CA private key and a self-signed CA certificate
openssl genpkey -algorithm RSA -out ca_key.pem
openssl req -x509 -new -nodes -key ca_key.pem -sha256 -days 365 -out ca_cert.pem \
  -subj "$subject_base/CN=Fantasy CA"

# Loop to generate client keys and certificate signing requests (CSRs), then sign each CSR with the CA
for i in $(seq 1 "$num_clients"); do
  client="client${i}"
  openssl genpkey -algorithm RSA -out "${client}_key.pem"
  openssl req -new -key "${client}_key.pem" -out "${client}_csr.pem" -subj "$subject_base/CN=${client}"
  openssl x509 -req -in "${client}_csr.pem" -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
    -out "${client}_cert.pem" -days 360 -sha256
done
echo "Certificates generated for client1 to client${num_clients}"
  • This script generates the CA certificate (ca_cert.pem), three client private keys (client1_key.pem, client2_key.pem, client3_key.pem), and their corresponding client certificates (client1_cert.pem, client2_cert.pem, client3_cert.pem).

  2. Upload CA Certificate to HiveMQ Cloud Starter:

  • Log in to your HiveMQ Cloud Starter dashboard.

  • Navigate to Access Management > Client Certificate.

  • Upload the ca_cert.pem file under Key to establish trust for the client certificates signed by this CA.

  3. Test MQTT Client Subscription with Client Certificate:

  • Install the mqtt-cli command-line tool or use a suitable MQTT client that supports client certificate authentication.

  • Use the following command to subscribe to MQTT topics using client certificate authentication:

mqtt subscribe \
  --topic "#" \
  --host starter-broker.a01.euc1.aws.hivemq.cloud \
  --port 8883 \
  --secure \
  --cert client1_cert.pem \
  --key client1_key.pem \
  --identifier client1 \
  --showTopics \
  --jsonOutput \
  --debug \
  --verbose
  • Adjust client1_cert.pem and client1_key.pem with the actual paths to the generated client certificate and key files.

  • Modify --host and other parameters as per your HiveMQ Cloud Starter configuration.

  4. Verify MQTT Client Connection:

  • Run the MQTT subscribe command in your terminal.

  • The command connects to the HiveMQ broker using the specified client certificate (client1_cert.pem and client1_key.pem).

  • It subscribes to all topics (#) and prints every received message as JSON together with the topic it arrived on (--jsonOutput and --showTopics), with debug and verbose logging enabled. The wildcard subscription is only meant for this smoke test; production clients should subscribe to the topics they actually need.

  5. Monitor Subscription:

  • Observe the terminal output to ensure that the MQTT client successfully connects to the broker and subscribes to topics.

  • Check for any errors or warnings in the debug output (--debug) that might indicate issues with the client certificate setup. A failure during the TLS handshake rather than at MQTT CONNECT usually means the presented certificate does not chain to the uploaded CA certificate, or that the --key file does not belong to the --cert file.
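Before uploading anything it is worth checking locally what the broker checks at handshake time. The script below is an added example and is not part of the HiveMQ instructions above: it builds the Fantasy CA, signs a client certificate with client-authentication extensions, confirms that the private key belongs to the certificate, and uses openssl verify to show that the certificate chains to ca_cert.pem while a certificate with the same CN issued by a second, untrusted CA does not. The directory layout, the "Rogue CA" name and the 90-day lifetime are illustrative choices, not HiveMQ requirements.

```shell
#!/usr/bin/env bash
# Added example, not part of the HiveMQ instructions: build a CA, sign client
# certificates for TLS client authentication, and check locally what the broker
# checks at handshake time. Paths, CNs and the 90-day lifetime are illustrative.
set -eu

# Self-signed CA in directory $1 with CN $2. CA extensions come from an
# explicit extension file so the certificate is an issuer for any verifier.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca_ext.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/ca_key.pem" 2>/dev/null
  openssl req -new -key "$1/ca_key.pem" -subj "/O=Fantasy Corp/CN=$2" \
    -out "$1/ca_csr.pem" 2>/dev/null
  openssl x509 -req -in "$1/ca_csr.pem" -signkey "$1/ca_key.pem" -days 365 -sha256 \
    -extfile "$1/ca_ext.cnf" -out "$1/ca_cert.pem" 2>/dev/null
}

# Client key, CSR and certificate for name $3 in directory $1, signed by the CA
# in directory $2. The extension file marks the result as a leaf certificate
# usable only for TLS client authentication.
sign_client() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$1/client_ext.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/${3}_key.pem" 2>/dev/null
  openssl req -new -key "$1/${3}_key.pem" -subj "/O=Fantasy Corp/CN=$3" \
    -out "$1/${3}_csr.pem" 2>/dev/null
  openssl x509 -req -in "$1/${3}_csr.pem" -CA "$2/ca_cert.pem" -CAkey "$2/ca_key.pem" \
    -CAcreateserial -days 90 -sha256 -extfile "$1/client_ext.cnf" \
    -out "$1/${3}_cert.pem" 2>/dev/null
}

# Does client certificate $2 chain to trusted CA $1 and carry client-auth
# usage? Exit status 0 means a broker trusting $1 would accept it.
verify_client() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Does private key $1 belong to certificate $2? A mismatch fails the handshake
# before the CA is even consulted, a common cause of a "bad certificate" alert.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Whole scenario: one trusted CA, one rogue CA, a client1 certificate from
# each. Returns 0 only if every expectation holds.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/trusted" "$work/rogue"
  make_ca "$work/trusted" "Fantasy CA"
  make_ca "$work/rogue" "Rogue CA"                   # never uploaded to HiveMQ
  sign_client "$work/trusted" "$work/trusted" client1
  sign_client "$work/rogue" "$work/rogue" client1    # same CN, wrong issuer
  ca="$work/trusted/ca_cert.pem"
  status=0

  if key_matches_cert "$work/trusted/client1_key.pem" "$work/trusted/client1_cert.pem"; then
    echo "PASS client1 key matches client1 certificate"
  else
    echo "FAIL client1 key does not match client1 certificate"; status=1
  fi
  if verify_client "$ca" "$work/trusted/client1_cert.pem"; then
    echo "PASS client1 signed by Fantasy CA is accepted"
  else
    echo "FAIL client1 signed by Fantasy CA was rejected"; status=1
  fi
  if verify_client "$ca" "$work/rogue/client1_cert.pem"; then
    echo "FAIL client1 signed by Rogue CA was accepted"; status=1
  else
    echo "PASS client1 signed by Rogue CA is rejected (same CN, untrusted issuer)"
  fi
  rm -rf "$work"
  return "$status"
}

demo
```

Run it as-is; it needs only openssl and writes everything to a temporary directory. The rogue-CA case is the point of the exercise: a client identity (the CN) is worth nothing on its own, only the signature of the CA whose certificate was uploaded makes the broker accept it, which is why ca_key.pem must be guarded more carefully than any single client key.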

By following these steps, you can set up and test MQTT client authentication using client certificates with HiveMQ Cloud Starter.

Adjust paths, parameters, and configurations as necessary based on your specific environment and requirements.