Re: [mosquitto-dev] Accepting connection based on client's certificate

<colin.helliwell@xxxxxxxxxxxxxx> writes:

> FWIW, I'm doing (what it seems is) something similar with a different server/client system.
> The server has a fully trusted certificate; and its own private
> CA. Certificates (using a client 'identifier' in the CN) are issued to
> the client against the private CA; the server is configured to use
> *only* its own CA in validation of clients. [I don't know if Mosquitto
> can be locked down like this]
> Hence the client can authenticate the server, and the server can authenticate the clients to which *it* has issued certificates. Plus, from the CN, it can identify who the client is, for ACL-style things.
> And the server can also revoke the clients' certs, if it's known that they've been compromised. (I ship them as a password-protected PKCS#12 file).

You have to explicitly configure the trust anchor set, with no default
to use the system set, so yes, using only your CA is quite easy.

Beware that in mosquitto the concept for setting the trust anchor set to
verify client certs is conflated with running the server in TLS mode.
This is then messy if what you are doing is using TLS and passwords.
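An added example, not from either poster, of the mosquitto.conf listener that the reply describes: the same `cafile` line both puts the listener into TLS mode and names the only CA accepted for client certificates, and the certificate CN becomes the username for ACLs. All file paths, the CN `device-0001` and the ACL pattern are assumptions.

```conf
# Added example (not from either poster): a mosquitto listener that
# trusts only the broker's own private CA for client certificates.
# All paths and the example CN "device-0001" are assumptions.

listener 8883

# These three lines both switch the listener into TLS mode and name
# the CA used to verify client certificates. mosquitto has no fallback
# to the system trust store, so a client certificate chained to any
# other CA is rejected.
cafile   /etc/mosquitto/certs/private-ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key

# Refuse any client that does not present a certificate issued by that CA.
require_certificate true

# Use the certificate's CN (e.g. "device-0001") as the MQTT username so
# the ACL file can key on it.
use_identity_as_username true

# Revocation: a client whose certificate is listed in this CRL is refused
# at the TLS handshake, even though it still chains to the private CA.
crlfile /etc/mosquitto/certs/private-ca.crl

# ACLs keyed on the CN. The assumed /etc/mosquitto/acl would contain,
# for example, a rule confining each client to its own topic subtree:
#   pattern readwrite devices/%u/#
acl_file /etc/mosquitto/acl
```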
