ApsaraMQ for MQTT allows you to use X.509 certificates for mutual authentication. Server certificates and device certificates are used to authenticate ApsaraMQ for MQTT brokers and clients. This ensures secure and reliable communication between the brokers and clients. This topic describes how to implement certificate-based authentication on ApsaraMQ for MQTT clients.
Limits
One-way authentication: supported by all types of instances.
Mutual authentication: supported only by Enterprise Platinum Edition instances.
One-way authentication
Authenticate brokers on clients
ApsaraMQ for MQTT clients use server certificates to authenticate ApsaraMQ for MQTT brokers. When a client initiates a request to connect to a broker, the server certificate is automatically issued to the client for validation during the handshake. The client can connect to the broker only if the server certificate passes validation.
Procedure
If you use an Enterprise Platinum Edition instance, you can perform the following operations only after you switch the authentication mode of the instance to one-way authentication. For other types of instances, one-way authentication is automatically supported.
Log on to the ApsaraMQ for MQTT console. In the left-side navigation pane, click Instances.
In the top navigation bar, select the region where the instance that you want to manage resides. On the Instances page, click the instance name to go to the Instance Details page.
In the left-side navigation pane, choose .
On the page that appears, click One-way Authentication. Read the message that appears and click OK. Then, wait until the broker is restarted.
Validate server certificates
The following table describes the download links for sample code used to validate server certificates.
Programming language | Download link |
Java | |
Python | |
C | |
.NET | |
JavaScript | |
iOS | |
Mutual authentication
Authenticate brokers on clients
ApsaraMQ for MQTT clients use server certificates to authenticate ApsaraMQ for MQTT brokers. A client can connect to a broker only if the server certificate passes validation. To use a server certificate, you must purchase or issue the certificate, host the certificate in Certificate Management Service, and then restart the ApsaraMQ for MQTT instance for the certificate to take effect.
Authenticate clients on brokers
ApsaraMQ for MQTT brokers use device certificates to authenticate ApsaraMQ for MQTT clients. When a client initiates a request to connect to a broker, the client and the broker interact over TLS 1.2. During the handshake, the client passes its device certificate to the broker, and the broker validates the device certificate against the Certificate Authority (CA) certificate that you registered with the broker. The client can connect to the broker only if the device certificate passes validation.
Procedure
You can perform the following operations only if you use an Enterprise Platinum Edition instance.
Obtain a CA certificate and register the certificate with an ApsaraMQ for MQTT broker. For more information, see Manage CA certificates.
You can apply for a CA certificate from a certificate authority or create your own CA certificate. You can use a CA certificate to issue device, server, and validation certificates.
You can use a CA certificate only after you register the certificate with an ApsaraMQ for MQTT broker.
Issue a server certificate, host the certificate in Certificate Management Service, and then restart ApsaraMQ for MQTT for the certificate to take effect. For more information, see Manage server certificates.
Issue a device certificate. A device certificate is issued by using a CA certificate. Make sure that each device certificate is globally unique. For more information, see Use a CA certificate to issue a device certificate.
You can use a device certificate only after the certificate is registered with an ApsaraMQ for MQTT broker.
The first time you connect a client to a broker, you must register a device certificate with the broker. In this case, the broker automatically matches the device certificate with the corresponding CA certificate and registers the device certificate with the broker. In the subsequent connection requests, the broker validates the device certificate without the need to match the CA certificate.
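An added example, not part of the ApsaraMQ for MQTT sample code, showing the client-side TLS settings behind the one-way and mutual authentication modes described above. It uses Python's standard ssl module; the certificate file names and port 8883 are assumptions, and paho-mqtt is assumed to be installed for the connect step.

```python
import ssl

# Constructed placeholder paths: substitute the files produced by the procedure above.
CA_CERT = "ca.pem"              # CA certificate registered with the broker
DEVICE_CERT = "device.pem"      # device certificate issued by that CA (must be unique)
DEVICE_KEY = "device-key.pem"   # private key matching the device certificate


def auth_mode(device_cert=None, device_key=None):
    """'one-way' when no device credentials are given, 'mutual' when both are."""
    if (device_cert is None) != (device_key is None):
        raise ValueError("device certificate and private key must be supplied together")
    return "mutual" if device_cert else "one-way"


def build_tls_context(ca_file=None, device_cert=None, device_key=None):
    """Return an SSLContext for the client side of the MQTT TLS handshake.

    Always validates the broker's server certificate (one-way authentication);
    when a device certificate and key are supplied, the client also presents
    them so the broker can validate the device against its registered CA.
    """
    mode = auth_mode(device_cert, device_key)
    # cafile=None falls back to the system trust store; pass CA_CERT for a private CA.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the broker negotiates TLS 1.2
    ctx.verify_mode = ssl.CERT_REQUIRED           # refuse to connect if validation fails
    ctx.check_hostname = True                     # server certificate must match the endpoint
    if mode == "mutual":
        ctx.load_cert_chain(certfile=device_cert, keyfile=device_key)
    return ctx


def describe_context(ctx):
    """Summarise the settings that decide whether validation is actually enforced."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def connect(host, client_id, ctx, port=8883):
    """Open the MQTT connection with paho-mqtt (assumed installed; port is assumed)."""
    import paho.mqtt.client as mqtt  # imported lazily so the module loads without paho
    client = mqtt.Client(client_id=client_id)
    client.tls_set_context(ctx)
    client.connect(host, port)
    return client
```

Call `build_tls_context(CA_CERT)` for one-way authentication and `build_tls_context(CA_CERT, DEVICE_CERT, DEVICE_KEY)` for mutual authentication; `describe_context` is a quick check that a context has not been weakened to `CERT_NONE` or had host-name checking disabled.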
Validate device certificates
The following table describes the download links for sample code used to validate device certificates.
Programming language | Download link |
Java | |
Python | |
C | |
.NET | |
JavaScript | |
iOS | |
Related operations
API operations
Manage CA certificates
Manage device certificates
Console
You can host a server certificate that you purchase or issue in Certificate Management Service and use the certificate to initialize the ApsaraMQ for MQTT instance in the ApsaraMQ for MQTT console. For more information, see Manage server certificates.
You can register a CA certificate, change the status of a CA certificate, and delete a CA certificate in the ApsaraMQ for MQTT console. For more information, see Manage CA certificates.
You can query a device certificate, change the status of a device certificate, and delete a device certificate in the ApsaraMQ for MQTT console. For more information, see Manage device certificates.