Enhance Your IoT Security with Client Certificate Authentication on HiveMQ Cloud Starter
We are elated to announce a new security enhancement to HiveMQ Cloud Starter — Client Certificate Authentication. With an ever-increasing focus on robust cybersecurity measures, particularly in the world of IoT, this new feature is designed to add a powerful layer of security in our MQTT platform and give users more control to your MQTT operations.
What is Client Certificate Authentication?
Client Certificate Authentication serves as a strict security protocol that authenticates both the client and the server using digital certificates. In this secure environment, you can add your own public key certificate that identifies your Root Certificate Authority (CA), thereby setting up a trusted pathway for data transmission.
This feature offers the following functions to our users:
User-Controlled Public Key Certificates: You can easily upload your own public key certificates, thereby establishing a trusted link with your preferred Root CA.
Automated Trust Verification: After setting up your public key certificate, our platform will automatically authenticate the credentials of every device or user attempting to interact with your MQTT ecosystem.
Built-In MQTT Platform Security: This feature is natively integrated into our MQTT platform, thereby ensuring secure, end-to-end messaging. HiveMQ Cloud Starter offers this functionality as part of our MQTT Platform offering to our users.
Scalability: Whether your IoT operations involve a handful of devices or an extensive network, Client Certificate Authentication scales to meet your security needs without affecting performance as the clients are already authenticated at the transport layer.
What Are the Benefits to Our Users?
This feature offers the following benefits to our users.
Advanced Security: Adding this layer of security ensures that only verified clients can access your MQTT topics and messages, thereby dramatically reducing the risk of unauthorized intrusion. This is in addition to the already existing role-based access credentials and JWT authentication. Since the authentication happens at the transport layer, this method is quite fast. Also, in contrast to using server certificates only, the use of client certificates has the following advantages:
Verification of the identity of the MQTT clients.
Lockout invalid MQTT clients before MQTT CONNECT messages are sent.
Regulatory Compliance: If your organization is subject to rigorous data protection laws, this feature enables you to easily meet compliance requirements.
Operational Streamlining: The automatic validation of client certificates negates the need for manual authentication processes, thus saving time and operational effort.
User Empowerment: This feature lets you take charge of your MQTT ecosystem’s security, giving you the power to decide which Root CAs are to be trusted.
Increased Trust and Reliability: Implementing Client Certificate Authentication means you can have greater confidence in the integrity and security of your data communications, enhancing the reliability of your entire MQTT ecosystem.
You can learn more about client certificates in one of our previous blogs, X509 Client Certificate Authentication.
How do I Use Client Certificate Authentication?
The Client Certificate Authentication can be found under the Access Management in your cluster settings.
A Simple Demo
In this blog, we will use self-signed certificates. This allows you to replicate the process for your personal testing needs without purchasing a certificate or going through an internal certificate-issuing process. To create the necessary server and client certificates and the corresponding keystores, we will use the keytool and OpenSSL command line tools.
Creating Your Certificates
To create a certificate, you need generate a PEM-based client certificate.
openssl req -x509 -newkey rsa:2048 -keyout mqtt-client-key-demo.pem -out mqtt-client-cert-demo.pem -days 360
Copy Your Certificate in Your Cloud Console
After you have a certificate, the next step is to copy the right certificate in your Starter Cluster. For this, you need to copy mqtt-client-cert-demo.pem into the console. You can either simply drag the file over the cloud console or use the following command and copy the contents
cat mqtt-client-cert-demo.pem
You also need to give your certificate a name.
Once you add the certificate, your cluster will restart with the new authentication settings.
Connect Your Clients Using the Certificates
For this blog, we are using MQTT-CLI for a simple demonstration.
Subscribe to a test topic: In a new terminal window, type:
a.mqtt shb.
sub -h <your cloud cluster URL> -p <your cloud cluster port> –-secure --cert=<your certificate path> --key=<your key> -t <your topic>- For the demo, we used sub -h test-o53286.a01.euc1.aws.hivemq.cloud -p 8883 –-secure --cert=mqtt-client-cert-demo.pem --key=mqtt-client-key-demo.pem -t ‘test/#’Publish to a test topic: In another new terminal window, type:
a.
mqtt shb.
con -h <your cloud cluster URL> -p <your cloud cluster port> –-secure --cert=<your certificate path> --key=<your key> path>. For the demo, we used con -h test-o53286.a01.euc1.aws.hivemq.cloud -p 8883 –-secure --cert=mqtt-client-cert-demo.pem --key=mqtt-client-key-demo.pemc.
Pub -t ‘test/1’ -m message
You will see the message published in the subscribe window.
Summary
Client certificate authentication provides an additional way to authenticate your clients. It has some advantages over other methods, which makes this a preferred method for some use cases. We invite you to explore this new feature and discover how it benefits your use cases.
Sign up now with Cloud Starter and grab $100 worth of free credits upon the creation of the first Starter cluster.
Shashank Sharma
Shashank Sharma is a product marketing manager at HiveMQ. He is passionate about technology, supporting customers, and enabling developer-centric workflows. He focuses on the HiveMQ Cloud offerings and has previous experience in application software tooling, autonomous driving, and numerical computing.
