
In an ESE pipeline, you can add preprocessing steps before authentication and before authorization.

The X.509 preprocessor makes it possible to use information that is provided in the X.509 certificate of a connecting MQTT client for authentication and authorization of the client in HiveMQ.

Among other fields, the HiveMQ X.509 preprocessor can extract values from the following X.509 certificate field:

  • Common Names from the Subject Alternative Names extension: Additional names for the subject of the certificate. This field can contain multiple entries. The OID for this field is 2.5.29.17.

This article provides an example of how to generate a client certificate with a SAN that carries such a Common Name.

Instructions

  1. Prepare an OpenSSL configuration file req.cnf:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    
    [req_distinguished_name]
    C = DE
    ST = Bayern
    L = Landshut
    O = HiveMQ GmbH
    CN = client1
    
    [v3_req]
    subjectAltName = dirName:dir_sect
    
    [dir_sect]
    C = DE
    O = HiveMQ GmbH
    OU = HiveMQ Support
    CN = client1

  2. Generate the client certificate using the OpenSSL configuration file req.cnf:

    #!/usr/bin/env bash
    
    # Create a new Certificate Signing Request (CSR) and a new key file
    openssl req \
      -new \
      -out 'client1.csr' \
      -newkey rsa:2048 \
      -nodes \
      -sha256 \
      -keyout 'client1-key.temp' \
      -config 'req.cnf'
    
    # Verify the CSR
    openssl req -text -noout -verify -in 'client1.csr'
    
    # Write the RSA key in PEM format
    openssl rsa -in 'client1-key.temp' -out 'client1-key.pem'
    
    # Generate the self-signed client certificate from the CSR, applying the
    # v3_req extensions (including the subjectAltName) from req.cnf
    openssl x509 -req -in 'client1.csr' \
      -signkey 'client1-key.pem' \
      -out 'client1-cert.pem' \
      -days 365 \
      -extensions v3_req \
      -extfile req.cnf
    
    # Convert the client certificate from PEM to DER (.crt)
    openssl x509 -outform der \
      -in 'client1-cert.pem' -out 'client1-cert.crt'
    
    # Import the client certificate into the broker's truststore
    printf "yes\n" | keytool -import -file 'client1-cert.crt' \
      -alias 'client1' \
      -keystore 'broker-truststore.jks' \
      -storepass "${brokerTruststorePassword}"

    where:
      • client1 is an example client name;
      • broker-truststore.jks is an example broker’s trust store file path;
      • ${brokerTruststorePassword} is an example variable that holds the password of the broker’s trust store.

  3. Example test command:

    mqtt sh
    mqtt> connect --host localhost --port 8883 \
      --cafile server.pem \
      --cert client1-cert.pem \
      --key client1-key.pem

  4. Example X.509 ESE preprocessor configuration:

    <x509-preprocessor prefix="{{" postfix="}}">
        <x509-extractions>
            <x509-extraction>
                <x509-field>subject-alternative-common-names</x509-field>
                <ese-variable>string-4</ese-variable>
            </x509-extraction>
        </x509-extractions>
    </x509-preprocessor>

  5. Example ESE Logging Preprocessor configuration:

    <logging-preprocessor>
        <message>ESE-Variable string-4(subject-alternative-common-names): ${string-4}</message>
        <level>debug</level>
        <name>com.example.logger</name>
    </logging-preprocessor>
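To see what the preprocessor actually reads, the following added example (not part of this article or of HiveMQ) walks the DER of a Subject Alternative Name value (OID 2.5.29.17) and collects the Common Names from its directoryName entries, which is what the `dirName:dir_sect` section in req.cnf produces; a SAN holding only dNSName or IP entries yields nothing. The sample SAN bytes are constructed inline and assumed to mirror the article's [dir_sect], not taken from a real certificate.

```python
OID_CN = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3
TAG_DIRNAME = 0xA4                 # GeneralName [4] directoryName (EXPLICIT, constructed)

def _tlv(data, pos=0):
    """Decode one DER TLV at pos: (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:              # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def san_common_names(san_value):
    """CN strings from every directoryName entry of a SAN extension value.
    san_value is the DER GeneralNames SEQUENCE (the content of the extension's
    OCTET STRING); dNSName, IP, email and other forms carry no CN and are skipped."""
    names = []
    _, general_names, _ = _tlv(san_value)
    pos = 0
    while pos < len(general_names):
        tag, gn, pos = _tlv(general_names, pos)
        if tag != TAG_DIRNAME:
            continue
        _, rdns, _ = _tlv(gn)                   # Name ::= SEQUENCE OF RDN
        p = 0
        while p < len(rdns):
            _, rdn, p = _tlv(rdns, p)           # RDN ::= SET OF AttributeTypeAndValue
            _, atv, _ = _tlv(rdn)               # first AttributeTypeAndValue
            _, oid, q = _tlv(atv)
            _, value, _ = _tlv(atv, q)
            if oid == OID_CN:
                names.append(value.decode("utf-8"))
    return names

def _rdn(oid, text):                            # one single-valued RDN, UTF8String
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))

# Constructed sample SAN: one dNSName plus one directoryName modelled on the
# article's [dir_sect] (C=DE, O=HiveMQ GmbH, CN=client1); not from a real cert.
SAMPLE_SAN = _der(0x30,
    _der(0x82, b"client1.example")              # [2] dNSName: no CN, ignored
    + _der(TAG_DIRNAME, _der(0x30,
        _rdn(bytes.fromhex("550406"), "DE")
        + _rdn(bytes.fromhex("55040A"), "HiveMQ GmbH")
        + _rdn(OID_CN, "client1"))))
```

`openssl x509 -in client1-cert.pem -noout -ext subjectAltName` shows the same entries in text form for a certificate generated with the script above.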
