MQTT Client to MQTT Broker Certificate Validation Process
What does this article cover:
This article explains how an MQTT client verifies the certificate presented by an MQTT broker, so that readers understand how the validation process works and which components are needed to set up a valid certificate exchange between the MQTT client and the MQTT broker.
Validation Process:
When a client connects to an MQTT broker, it needs to validate the certificate provided by the broker. If that certificate is part of a chain, the chain must be validated as well. There are multiple configurations that make this possible.
Looking at an MQTT client initialization workflow, a simple chart looks like this:
- The client reaches out to the broker
- The broker accepts the request and sends the information required for the connection, including its certificate
- The client sees the certificate(s) as part of the connection metadata and must make the active decision whether to trust the broker
- The client verifies the information and accepts or rejects the connection
For the client to accept the connection, we need to validate the certificate. Here are all the possible scenarios:
- Broker certificate is the root of the chain (standalone certificate):
  - The broker sends that single certificate. If the client trusts the certificate and the certificate is valid, the connection is created.
- Broker certificate is a leaf certificate in a chain:
  - The broker sends only the leaf certificate, so the client must already know the full chain leading up to that certificate.
  - If the client does not know the full chain, it cannot validate the certificate.
- Broker sends the entire certificate chain:
  - The client only needs to be aware of the root certificate. The chain can be verified on its own, and the client just needs to decide whether it is willing to trust the chain.
  - If the client knows the root certificate, that is equivalent to trusting the chain.
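The three scenarios above can be reproduced locally with the openssl CLI. The script below is an added example, not part of the original article: it builds a constructed root -> intermediate -> broker chain plus a standalone self-signed broker certificate, then runs `openssl verify` the way a client's TLS stack would, with `-CAfile` standing in for the client's trust store and `-untrusted` for the extra certificates a broker sends along with its own.

```sh
#!/bin/sh
# Added example (not from the original article): constructed test chain
# root -> intermediate -> broker, checked with `openssl verify` per scenario.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.cnf"

# Self-signed root CA: the one certificate the client is assumed to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=DemoRoot \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Intermediate CA signed by the root (CA:TRUE comes from ca.cnf).
openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.cnf" \
  -out "$WORK/int.crt" 2>/dev/null
# Broker (leaf) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj /CN=broker.example.test \
  -keyout "$WORK/broker.key" -out "$WORK/broker.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/broker.csr" -CA "$WORK/int.crt" \
  -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/broker.crt" 2>/dev/null
# Standalone self-signed broker certificate (no chain at all).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=solo.example.test \
  -keyout "$WORK/solo.key" -out "$WORK/solo.crt" 2>/dev/null
# Client trust store that holds the whole chain (root and intermediate).
cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/root_and_int.pem"

# verify_as_client TRUST_STORE BROKER_CERT [EXTRA_CERTS_SENT_BY_BROKER]
# Returns 0 when a client holding TRUST_STORE would accept BROKER_CERT.
verify_as_client() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() { # report LABEL TRUST_STORE BROKER_CERT [EXTRA_CERTS]
  if verify_as_client "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}
report "standalone cert, trusted directly"   "$WORK/solo.crt"        "$WORK/solo.crt"
report "leaf only, client knows root only"   "$WORK/root.crt"        "$WORK/broker.crt"
report "leaf only, client knows full chain"  "$WORK/root_and_int.pem" "$WORK/broker.crt"
report "full chain sent, client knows root"  "$WORK/root.crt"        "$WORK/broker.crt" "$WORK/int.crt"
```

The second case is rejected because the client has no way to link the leaf to a certificate it trusts; the last two are accepted because the intermediate is available either from the client's own trust store or from what the broker sent.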