ApsaraMQ for MQTT allows you to use device certificates to authenticate access from clients. This topic describes how to use CA certificates to issue device certificates. This topic also describes how to manage the device certificates in the ApsaraMQ for MQTT console, such as querying, activating, deregistering, and deleting device certificates.
Background information
Device certificates are digital certificates that a certificate authority (CA) issues to clients. When an ApsaraMQ for MQTT client connects to an ApsaraMQ for MQTT broker, the broker validates the device certificate that the client presents against the registered CA certificate, and the client proves possession of the private key that matches the certificate during the TLS handshake. The certificate itself contains only the public key; the private key stays on the device. If the client passes authentication, the client and the broker communicate over the resulting encrypted session. If the client fails authentication, the broker denies the client's access requests.
You can use a device certificate only after the CA certificate that issues the device certificate is registered with an ApsaraMQ for MQTT broker. For more information, see Register a CA certificate.
If the device certificate validates against a CA certificate that is registered with the broker, the client passes authentication and the broker automatically registers the device certificate.
Limits
You can manage device certificates only on ApsaraMQ for MQTT Enterprise Platinum Edition instances.
You can manage only device certificates that are registered with ApsaraMQ for MQTT brokers.
The serial number of a device certificate must be unique.
Prerequisites
A CA certificate is obtained.
OpenSSL v1.1.1i or later is installed.
Use a CA certificate to issue a device certificate
In this example, a self-signed CA certificate is used to issue a device certificate. For information about how to generate a self-signed certificate, see Self-signed CA certificates.
Generate a device certificate
Rivest-Shamir-Adleman (RSA) device certificates
Create configuration files.
Create a file named client.csr.cfg. The following sample code provides an example of the file content. Modify the information in [dn] based on your business requirements.
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=CN
ST=ZJ
L=HZ
O=ALI
OU=MQTT
emailAddress=xxx@xxx
CN=client-test
Create a file named client.crt.cfg. The following sample code provides an example of the file content. The certificate is an end-entity certificate (CA:FALSE), so its keyUsage must not include keyCertSign; a certificate that is not a CA but claims the ability to sign other certificates is rejected by strict validators.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Run the following command to generate the private key and certificate signing request (CSR) file of the device certificate. The command is the same on macOS, Linux, and Windows; the bash process-substitution form -config <(cat client.csr.cfg) is equivalent and not needed.
openssl req -new -sha256 -nodes -out client.csr -newkey rsa:2048 -keyout client.key -config client.csr.cfg
Run the following command to generate the device certificate:
openssl x509 -req -in client.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out client.crt -days 500 -sha256 -extfile client.crt.cfg
The -CAcreateserial option creates a CA.srl file next to CA.key on first use; later issuances read and increment it. Keep this file (or pass it explicitly with -CAserial) so that certificates that you issue later do not reuse a serial number, because the broker requires the serial number of each device certificate to be unique.
Elliptic Curve Cryptography (ECC) device certificates
Create configuration files.
Create a file named client.csr.cfg. The following sample code provides an example of the file content. Modify the information in [dn] based on your business requirements. The default_bits setting only applies to RSA keys and can be omitted here because the ECC key is generated separately.
[req]
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=CN
ST=ZJ
L=HZ
O=ALI
OU=MQTT
emailAddress=xxx@xxx
CN=client-test
Create a file named client.crt.cfg. The following sample code provides an example of the file content. As with RSA, keyCertSign is not included because the certificate is not a CA.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Run the following command to generate the private key of the device certificate:
openssl ecparam -out client.key -name prime256v1 -genkey
Run the following command to generate the CSR file of the device certificate. The command is the same on macOS, Linux, and Windows; the bash process-substitution form -config <(cat client.csr.cfg) is equivalent and not needed.
openssl req -new -sha256 -nodes -out client.csr -key client.key -config client.csr.cfg
Run the following command to generate the device certificate:
openssl x509 -req -in client.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out client.crt -days 500 -sha256 -extfile client.crt.cfg
As for RSA certificates, keep the CA.srl file that -CAcreateserial creates so that serial numbers stay unique across the certificates that you issue.
Run the following command to convert the private key of the device certificate into the PKCS#8 format:
openssl pkcs8 -topk8 -nocrypt -in client.key -out client_pkcs8.key
Important: When you use code to connect a client to a broker, set the deviceKyPath parameter to the path of the PKCS#8 private key file (client_pkcs8.key in this example), not to the original client.key file that openssl ecparam produced.
Generate a device certificate chain
Run the following command to create the certificate chain file named client_chain.crt. The device certificate comes first and the CA certificate that issued it is appended after it:
cat client.crt CA.crt > client_chain.crt
This is equivalent to creating an empty file with touch client_chain.crt and then appending client.crt and CA.crt in that order with cat client.crt >> client_chain.crt and cat CA.crt >> client_chain.crt.
You can run the cat client_chain.crt command to view the content of the device certificate chain.
You can use a device certificate to connect a client to a broker only after a certificate chain is generated from the device certificate and the CA certificate that issued it.
A certificate chain is the concatenation of several certificates. In the chain, each certificate is placed in front of the certificate that issued it, so the device certificate comes first and the CA certificate last.
Query device certificates
You can view all device certificates that are registered with an ApsaraMQ for MQTT instance. You can also query a device certificate based on the serial number.
Log on to the ApsaraMQ for MQTT console. In the left-side navigation pane, click Instances.
In the top navigation bar, select the region where the instance that you want to manage resides. On the Instances page, click the instance name to go to the Instance Details page.
In the left-side navigation pane, choose .
On the Device Certificate page, you can view all device certificates that are registered with the ApsaraMQ for MQTT instance.
In the search box of the Device Certificate page, enter the serial number of a device or CA certificate to query device certificates.
If you enter the serial number of a device certificate in the search box, the device certificate that is uniquely identified by the serial number is returned.
If you enter the serial number of a CA certificate, all device certificates issued by the CA certificate and registered with the ApsaraMQ for MQTT broker are returned.
Activate or deregister a device certificate
You can activate or deregister a device certificate to change its status. A device certificate can be in the Activated or Inactivated state. By default, a device certificate is activated after it is registered with an ApsaraMQ for MQTT broker.
Device certificates in the Activated state: If you want to temporarily disable a device certificate, you can deregister the certificate. Then, the certificate becomes unavailable and enters the Inactivated state.
Device certificates in the Inactivated state: If you want to reuse a disabled device certificate, you can reactivate the certificate. Then, the certificate enters the Activated state.
In the device certificate list, find the device certificate that you want to manage and click Deregister or Activate in the Actions column.
Delete a device certificate
After you delete a device certificate, its record is removed from the storage of the ApsaraMQ for MQTT broker.
Deleting a device certificate does not revoke it. If a client presents the deleted certificate again and the CA certificate that issued it is still registered and valid, the broker accepts the connection and automatically registers the device certificate again. To stop a device from connecting, deregister its certificate instead of deleting it; use deletion only to clear records of certificates that are no longer in use.
In the device certificate list, find the device certificate that you want to delete and click Delete in the Actions column.
In the message that appears, click OK.