Re: [mosquitto-dev] Accepting connection based on client's certificate

FWIW, I'm doing (what it seems is) something similar with a different server/client system.
The server has a fully trusted certificate, and its own private CA. Certificates (using a client 'identifier' in the CN) are issued to the client against the private CA; the server is configured to use *only* its own CA in validation of clients. [I don't know if Mosquitto can be locked down like this]
Hence the client can authenticate the server, and the server can authenticate the clients to which *it* has issued certificates. Plus, from the CN, it can identify who the client is, for ACL-style things.
And the server can also revoke the clients' certs, if it's known that they've been compromised. (I ship them as a password-protected PKCS#12 file).
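The arrangement described above maps directly onto Mosquitto's TLS listener options. The configuration below is an added example for this thread, not part of the reply and not shipped by the Mosquitto project; the file paths and the client identifier `sensor-0042` are assumptions.

```conf
# Added example (not from the reply): a Mosquitto listener that trusts
# only a private CA for client certificates and uses each certificate's
# CN as the ACL username. Paths and the client identifier are assumed.

listener 8883

# The broker's own certificate chain and key; these may come from a
# public, "fully trusted" CA, independent of the private CA below.
certfile /etc/mosquitto/certs/broker-chain.pem
keyfile  /etc/mosquitto/certs/broker.key

# Only the private CA is listed here, so client certificates issued by
# any other CA (including the public one behind the broker cert) fail
# validation. This is the "use only its own CA" lockdown.
cafile /etc/mosquitto/ca/private-ca.crt

# Reject clients that present no certificate, and no anonymous access.
require_certificate true
allow_anonymous false

# Take the certificate subject CN as the MQTT username, so the ACL file
# can key on the identifier embedded in each issued certificate.
use_identity_as_username true

# PEM CRL produced by the private CA; revoked client certs are refused.
crlfile /etc/mosquitto/ca/private-ca.crl

# Per-client topic permissions, keyed on the CN.
acl_file /etc/mosquitto/aclfile

# ----- contents of /etc/mosquitto/aclfile (a separate file) -----
# Client with CN "sensor-0042" may only use its own subtree.
user sensor-0042
topic readwrite sensors/sensor-0042/#
```

The ACL file must be saved separately from mosquitto.conf; it is shown in the same block only for readability. Because `cafile` names the private CA alone, a certificate signed by the public CA that issued the broker's own certificate is not accepted from a client. The stock `mosquitto_pub`/`mosquitto_sub` clients take PEM via `--cert` and `--key`, so a client receiving the password-protected PKCS#12 bundle would extract it first with `openssl pkcs12 -in client.p12 -out client.pem -nodes` (the bundle name is assumed).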