
MQTT Client to MQTT Broker Certificate Validation Process

What does this article cover:

This article explains how an MQTT client validates the certificate presented by the MQTT broker, to give a better understanding of how the validation process works. The goal is to help users understand the components needed to set up a valid certificate exchange between an MQTT client and an MQTT broker.

Validation Process:

When a client connects to an MQTT broker over TLS, it needs to validate the certificate the broker presents. If that certificate is part of a chain, the client must validate the chain as well. There are multiple configurations that make this possible.

Looking at an MQTT client initialization workflow, a simple chart looks like this:

  • client reaches out to the server (the broker)
  • server accepts the request and sends the information required for the connection, including its certificate and, depending on its configuration, the rest of the chain
  • client sees the certificates as part of the connection metadata and must make an active decision on whether to trust the server
  • client verifies the information and accepts or rejects the connection

For the client to accept the connection, it must validate the broker's certificate. Here are the possible scenarios:

  • Broker certificate is the root of the chain (a standalone, self-signed certificate):
    • The server sends that one certificate. If the client has been configured to trust this exact certificate and the certificate is valid, the connection is created.
  • Broker certificate is a leaf of a chain, and the server sends only the leaf:
    • The client needs to know the full chain leading up to the root, that is, the root plus every intermediate. If the client does not have the full chain, it cannot build a path from the leaf to a trusted root and must reject the connection.
  • Server sends the entire certificate chain (leaf plus intermediates):
    • The client only needs to know the root certificate. The chain is verifiable on its own; the client just has to decide whether it is willing to trust the chain. Knowing (trusting) the root is equivalent to trusting the chain, because each certificate in the chain is signed by the one above it and the last intermediate is signed by the root.

In every scenario, "valid" means more than a good signature: the client's TLS library also checks that no certificate in the chain has expired and that the broker's certificate carries the hostname the client connected to (in its subject alternative name). Trusting a root means trusting every certificate that root, or any intermediate under it, has ever issued, so the hostname check is what stops a different server holding a certificate from the same CA from impersonating the broker.
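The scenarios above, replayed with the openssl command line as an added example (this script is not part of the original article). It builds a throwaway PKI and runs `openssl verify` the way a client's TLS library would in each configuration. It assumes openssl 1.1.1 or newer is on PATH; the names "Example Root CA", "Example Intermediate CA" and "broker.example.test" are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway PKI with
# the openssl CLI and replay the validation scenarios from the text the way a
# client's TLS library would. Assumes openssl 1.1.1 or newer is on PATH; the
# names "Example Root CA", "Example Intermediate CA" and "broker.example.test"
# are made up for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained req config so the run does not depend on the system openssl.cnf.
# v3_ca: extensions for the root; v3_self: extensions for a standalone broker cert.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_self ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:broker.example.test
EOF

# Scenario 1 material: a standalone, self-signed broker certificate (no chain).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config req.cnf \
  -extensions v3_self -subj "/CN=broker.example.test" \
  -keyout standalone.key -out standalone.crt

# Scenario 2/3 material: root CA -> intermediate CA -> broker leaf.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config req.cnf \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt

openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr
printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
  'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
  'authorityKeyIdentifier = keyid' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile inter.ext -out inter.crt

openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj "/CN=broker.example.test" -keyout broker.key -out broker.csr
printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
  'keyUsage = critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage = serverAuth' 'subjectAltName = DNS:broker.example.test' \
  'authorityKeyIdentifier = keyid' > broker.ext
openssl x509 -req -in broker.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile broker.ext -out broker.crt

# What each side holds in scenarios 2 and 3.
cat root.crt inter.crt   > client_knows_full_chain.pem  # client trust store: root + intermediate
cat broker.crt inter.crt > server_sends_chain.pem       # what the broker presents in the handshake

# Run openssl verify as the client would; report ok/fail instead of aborting.
#   -CAfile    = the client's trust store
#   -untrusted = certificates received from the broker, never trusted on their own
verify() { if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }

# Scenario 1: broker cert is standalone; the client trusts that exact certificate.
scenario1_standalone() { verify -CAfile standalone.crt -verify_hostname broker.example.test standalone.crt; }
# Scenario 2a: broker sends only the leaf and the client knows only the root: no path to a trusted root.
scenario2_root_only() { verify -CAfile root.crt -verify_hostname broker.example.test broker.crt; }
# Scenario 2b: broker sends only the leaf, but the client was given root + intermediate.
scenario2_full_chain_known() { verify -CAfile client_knows_full_chain.pem -verify_hostname broker.example.test broker.crt; }
# Scenario 3: broker sends leaf + intermediate; the client needs only the root.
scenario3_chain_sent() { verify -CAfile root.crt -untrusted server_sends_chain.pem -verify_hostname broker.example.test broker.crt; }
# Caveat: a perfectly valid chain for the wrong host name must still be rejected.
scenario3_wrong_hostname() { verify -CAfile root.crt -untrusted server_sends_chain.pem -verify_hostname other.example.test broker.crt; }

for s in scenario1_standalone scenario2_root_only scenario2_full_chain_known \
         scenario3_chain_sent scenario3_wrong_hostname; do
  printf '%-28s %s\n' "$s" "$($s)"
done
```

Read `-CAfile` as whatever CA file you configure in the MQTT client and `-untrusted` as the certificates the broker sends during the handshake: the client never trusts those on their own, it only uses them to build a path to something in its own trust store. The last case shows why "we trust the root" is not the whole story: the chain is cryptographically fine, but the name in the certificate does not match the host the client asked for, so the client must still reject it.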
