
I have two MQTT server environments: PROD and PILOT. These environments each have their own separate certificate authorities. I have one client which can use either CA certificate to connect to each environment. Is it possible to combine these two CA files into a single file so that the CA file need not be changed in the client when I change the environment?

Sample client:

mosquitto_sub -h server.com --cafile /path/to/ca.file

Please note that the CA files contain the intermediate CA as well. Please refer to another post where I mention this.

Kiran G

1 Answer


From the man page:

--cafile
Define the path to a file containing PEM encoded CA certificates that are trusted. Used to enable SSL communication.

Note the certificates in plural form :-)

Your file should only contain trust anchors, i.e. the Root CA certificates. The other certificates in the chain should be sent by the server. You should consider reconfiguring your server so that the whole chain is sent, in line with the TLS protocol (read certificate_list here).

While it often works, placing intermediate certificates in the trust-anchor store doesn't help matters. If you were to renew the intermediate (which happens more often than the root), then you would need to replace the intermediate in all your clients. That might not be an issue in your case, but in the real world it is a major headache. Also, depending on the libraries used and how the developers wrote the client, it may not check revocation of the intermediate if it is used as a trust anchor.

The file pointed to by --cafile should be a concatenation of PEM encoded Root CA certificates.

garethTheRed
  • "Note the certificates in plural form :-)" That means it can have multiple CA certificates, right? So I can keep the PROD and PILOT certificates in the same CA file, right? And you recommend moving the intermediate certificate to the server. Please confirm – Kiran G Jun 29 '21 at 07:16
  • Absolutely. The idea behind these files is to store all the Root CA certificates that you trust in that application (other applications allow you to point to a directory where the certificates are in individual files). You then should move the intermediate to the server. Usually, this is the same file as the server's certificate, again as a PEM, with the server cert first and the intermediate concatenated in order. – garethTheRed Jun 29 '21 at 08:33
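A check for the point made in this answer, added here and not code from the answer, from mosquitto or from any library: it splits a --cafile style PEM bundle, walks each certificate's DER only as far as the issuer and subject Names, and labels anything that is not self-issued as an intermediate that does not belong in a trust-anchor file. The certificates in it are constructed stand-ins with no keys or signatures, and the function names are assumed.

```python
import base64
import re

# One PEM block per certificate; a --cafile bundle is simply these concatenated.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _tlv_at(buf, pos):  # decode one DER TLV header; returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):  # walk Certificate -> tbsCertificate, return raw DER of both Names
    _, pos, _ = _tlv_at(der, 0)             # Certificate SEQUENCE
    _, pos, _ = _tlv_at(der, pos)           # tbsCertificate SEQUENCE
    tag, _, end = _tlv_at(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version (absent in v1 certs)
        pos = end
    for _ in range(2):                      # skip serialNumber and signature AlgorithmIdentifier
        pos = _tlv_at(der, pos)[2]
    _, start, pos = _tlv_at(der, pos)
    issuer = der[start:pos]
    pos = _tlv_at(der, pos)[2]              # skip validity
    _, start, end = _tlv_at(der, pos)
    return issuer, der[start:end]

def classify_bundle(pem):  # label each cert 'root' (issuer == subject) or 'intermediate'
    labels = []
    for m in PEM_RE.finditer(pem):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        labels.append("root" if issuer == subject else "intermediate")
    return labels

# Constructed sample input: minimal DER shells with only the fields the walker reads (no keys
# or signatures) so the check runs offline; point classify_bundle at a real --cafile instead.
def _tlv(tag, body):  # two-byte long-form length throughout (real DER uses the minimal form)
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))
def _fake_cert(issuer_cn, subject_cn):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")              # v3, serial 1
           + _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
           + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn))          # issuer, validity, subject
    der = _tlv(0x30, _tlv(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
# PROD and PILOT roots concatenated (as the answer recommends) plus one stray intermediate.
BUNDLE = (_fake_cert(b"PROD Root CA", b"PROD Root CA")
          + _fake_cert(b"PILOT Root CA", b"PILOT Root CA")
          + _fake_cert(b"PILOT Root CA", b"PILOT Issuing CA"))
```

Run classify_bundle over the bytes of your real ca.file: every entry should come back as "root", and any "intermediate" is a certificate to move into the server's chain file instead.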