TLS Certificates for Client Authentication

AUTOSOL does not provide this information for use as a source of security advice or best practices.  The use of these examples is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities.

Steps for Creating Certificates for Client Authentication

In this step, the client (the eACM MQTT app, Bridge, Edge Manager, etc.) authenticates to the server with a certificate before the TLS connection is fully established. This takes place after the server has authenticated to the client with its own (server) certificate.

All of the steps under “Steps for Creating Certificates for Server Authentication” must be completed before proceeding.

Create one key pair and one certificate for each uniquely identifiable client desired.

Whether you create one client certificate to share among your MQTT clients or give each MQTT client its own certificate is dictated by your organization’s IT security posture.

Repeat this process for each key pair and client certificate that your logistics and security posture dictate.

The outputs for this process are:

  • client.key - to be kept private to the MQTT client(s) that use the key pair for authentication

  • client.pem - public client certificate used for authenticating to the server (the MQTT broker)

The inputs for this process are:

  • Password for client.key

  • Common Name (CN) to identify your client certificate (optional). MQTT brokers can be configured to authenticate using the CN in the Subject field.

Create client.key. You will be prompted for a password.

openssl genrsa -aes256 -out client.key 2048

Create the certificate signing request for the client (the MQTT client), client.csr. If you created ca.key on a different machine, you will need to copy client.csr to that machine.

You will be prompted for the password used when creating client.key.

If your broker is configured to authenticate based on the CN section of the Subject field, replace MyEACM with a value that meaningfully identifies that particular MQTT client or its permissions role on the broker.

openssl req -out client.csr -key client.key -new -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=MyEACM/emailAddress=name@company.com" -outform PEM

Create the client certificate (client.pem). This step must take place on the machine where you have your ca.key. The client.csr and ca.pem files are also required. If you used a password when creating your ca.key, you will be prompted for it.

openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 3650 -outform PEM
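
Before copying client.key and client.pem to an MQTT client, it is worth confirming that the certificate verifies against ca.pem, that client.key is the matching private key, and that the CN is the one the broker expects. The shell functions below are an added example, not part of the original instructions; the names check_client_cert, make_demo_pki and CLIENT_KEY_PASS are assumptions, and make_demo_pki only builds a constructed throwaway CA and client for trying the check offline.

```shell
#!/bin/sh
# Added example: checks on client.pem before deploying it to an MQTT client.
# Usage: check_client_cert ca.pem client.pem client.key MyEACM
# The key passphrase is read from the exported CLIENT_KEY_PASS variable.
check_client_cert() {
    ca=$1 cert=$2 key=$3 want_cn=$4
    export CLIENT_KEY_PASS="${CLIENT_KEY_PASS:-}"

    # 1. The certificate must chain to the CA the broker trusts.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca" >&2; return 1; }

    # 2. client.key must hold the private half of the key in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout \
                  -passin env:CLIENT_KEY_PASS 2>/dev/null) ||
        { echo "FAIL: cannot read $key (wrong passphrase?)" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; return 1; }

    # 3. The CN must be the identity the broker is configured to expect.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$want_cn" ] ||
        { echo "FAIL: CN is '$cn', expected '$want_cn'" >&2; return 1; }
    echo "OK: $cert (CN=$cn) verifies against $ca and matches $key"
}

# Constructed fixture (hypothetical helper): a throwaway CA and client
# certificate in directory $1, following the page's steps non-interactively.
# Requires CLIENT_KEY_PASS to be exported (at least 4 characters).
make_demo_pki() {
    (
        cd "$1" &&
        openssl genrsa -out ca.key 2048 &&
        openssl req -new -x509 -key ca.key -out ca.pem -days 1 \
            -subj "/CN=Constructed Demo CA" &&
        openssl genrsa -aes256 -passout env:CLIENT_KEY_PASS \
            -out client.key 2048 &&
        openssl req -new -key client.key -passin env:CLIENT_KEY_PASS \
            -out client.csr -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=MyEACM" &&
        openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out client.pem -days 1
    ) >/dev/null 2>&1
}
```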

For assistance, please submit a ticket via our Support Portal, email autosol.support@autosoln.com or call 281.286.6017 to speak to a support team member.