How to enable multiple client certificates on a Cloud Starter cluster for authentication
Use a single Certificate Authority (CA) to sign all client certificates. HiveMQ can then be configured to trust the CA, allowing any client certificate signed by that CA to be accepted. This way, you only need to upload the CA certificate to HiveMQ.
Instructions
Here are the steps to set up and test the MQTT client using client certificates with HiveMQ Cloud Starter:
Generate CA Certificate and Client Certificates:
Run the following script to generate the CA certificate (ca_cert.pem), the client private keys, the client certificate signing requests (CSRs), and the client certificates signed by the CA:
#!/usr/bin/env bash
set -eu
subject_base="/C=US/ST=California/L=San Francisco/O=Fantasy Corp"
num_clients=3 # Define the number of clients
# Note: all private keys are written unencrypted (no passphrase), so restrict file permissions.
# Generate the CA key and a self-signed CA certificate
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca_key.pem
openssl req -x509 -new -nodes -key ca_key.pem -sha256 -days 365 -out ca_cert.pem \
  -subj "$subject_base/CN=Fantasy CA"
# Loop to generate client keys and certificate signing requests (CSRs), then sign each CSR with the CA
for i in $(seq 1 "$num_clients"); do
  client="client${i}"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "${client}_key.pem"
  openssl req -new -key "${client}_key.pem" -out "${client}_csr.pem" -subj "$subject_base/CN=${client}"
  openssl x509 -req -in "${client}_csr.pem" -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
    -out "${client}_cert.pem" -days 360 -sha256
done
echo "Certificates generated for client1 to client${num_clients}"
This script generates the CA certificate (ca_cert.pem), three client private keys (client1_key.pem, client2_key.pem, client3_key.pem), and their corresponding client certificates (client1_cert.pem, client2_cert.pem, client3_cert.pem).
Upload CA Certificate to HiveMQ Cloud Starter:
Log in to your HiveMQ Cloud Starter dashboard.
Navigate to Access Management > Client Certificate.
Upload the ca_cert.pem file under Key to establish trust for the client certificates signed by this CA.
Test MQTT Client Subscription with Client Certificate:
Install the mqtt-cli command-line tool or use a suitable MQTT client that supports client certificate authentication. Use the following command to subscribe to MQTT topics using client certificate authentication:
mqtt subscribe \
--topic "#" \
--host starter-broker.a01.euc1.aws.hivemq.cloud \
--port 8883 \
--secure \
--cert client1_cert.pem \
--key client1_key.pem \
--identifier client1 \
--showTopics \
--jsonOutput \
--debug \
--verbose
Adjust client1_cert.pem and client1_key.pem to the actual paths of the generated client certificate and key files. Modify --host and the other parameters to match your HiveMQ Cloud Starter configuration.
Verify MQTT Client Connection:
Run the MQTT subscribe command in your terminal.
The command connects to the HiveMQ broker using the specified client certificate (client1_cert.pem and client1_key.pem). It subscribes to all topics (#) and displays the subscribed topics in JSON format with debug and verbose output.
Monitor Subscription:
Observe the terminal output to ensure that the MQTT client successfully connects to the broker and subscribes to topics.
Check for any errors or warnings in the debug output (--debug) that might indicate issues with the client certificate setup.
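Most handshake failures at this point come from a certificate that does not chain to the uploaded CA, a --key that does not belong to the --cert, or an expired certificate. The following pre-flight script is an added example, not part of the HiveMQ page or the mqtt-cli project: it checks exactly those three conditions with openssl before you connect, and the make_ca/make_client helpers build throwaway certificates so the checks can be exercised without touching real material. File names and the "Fantasy Corp" subject are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the HiveMQ page): pre-flight checks for CA-signed
# MQTT client certificates. All paths are assumptions; certificates produced by
# make_ca/make_client are constructed throwaway material for exercising the checks.
set -eu

# make_ca DIR NAME : CA key + self-signed CA cert as DIR/NAME_key.pem and DIR/NAME_cert.pem
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2_key.pem" 2>/dev/null
  openssl req -x509 -new -key "$1/$2_key.pem" -sha256 -days 365 \
    -subj "/O=Fantasy Corp/CN=$2" -out "$1/$2_cert.pem" 2>/dev/null
}

# make_client DIR CA CLIENT : client key + CSR + cert signed by DIR/CA_key.pem
make_client() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$3_key.pem" 2>/dev/null
  openssl req -new -key "$1/$3_key.pem" -subj "/O=Fantasy Corp/CN=$3" 2>/dev/null |
    openssl x509 -req -CA "$1/$2_cert.pem" -CAkey "$1/$2_key.pem" -CAcreateserial \
      -days 360 -sha256 -out "$1/$3_cert.pem" 2>/dev/null
}

# chains_to_ca CA_CERT CLIENT_CERT : succeeds only if the cert was signed by that CA,
# which is the decision the broker makes against the uploaded ca_cert.pem
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert KEY CERT : succeeds if the public keys agree (a wrong
# --key/--cert pair fails the TLS handshake with an unhelpful error)
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# cert_cn CERT : subject CN; the page's script sets it to the name passed as --identifier
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# preflight CA_CERT KEY CERT CLIENT_ID : run every check; returns 0 only if all pass
preflight() {
  rc=0
  chains_to_ca "$1" "$3" && echo "ok   signed by $1" || { echo "FAIL not signed by $1"; rc=1; }
  key_matches_cert "$2" "$3" && echo "ok   key matches cert" || { echo "FAIL key/cert mismatch"; rc=1; }
  openssl x509 -in "$3" -noout -checkend 0 >/dev/null 2>&1 && echo "ok   not expired" || { echo "FAIL expired"; rc=1; }
  [ "$(cert_cn "$3")" = "$4" ] && echo "ok   CN matches identifier $4" || echo "WARN CN is '$(cert_cn "$3")', identifier is '$4'"
  return $rc
}

if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

Run it as preflight.sh ca_cert.pem client1_key.pem client1_cert.pem client1 against the files produced by the generation script; a FAIL line names the condition to fix before retrying the mqtt subscribe command.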
By following these steps, you can set up and test MQTT client authentication using client certificates with HiveMQ Cloud Starter.
Adjust paths, parameters, and configurations as necessary based on your specific environment and requirements.