HiveMQ Client mTLS is failing

I am trying to do mTLS from my HiveMQ client to a broker. I have configured the client using default SSL (.sslWithDefaultConfig()). I assumed this would then allow me to pass in the keystore and truststore using standard Java parameters javax.net.ssl. When I try to connect, I am getting an error back saying “certificate required”, so it appears the client is not sending a certificate.

If I configure the trust store using javax.net.ssl.trustStore and configure my own KeyManagerFactory, it works when I create the connection like this:

```java
mqtt5ClientBuilder = mqtt5ClientBuilder
        .sslConfig()
        .keyManagerFactory(keyManagerFactory)
        .applySslConfig();
```

I don’t understand why I can use javax.net.ssl to define the trust store, but not the key store. Does it not support the javax.net.ssl parameters and you have to configure your own KeyManager?

Thanks,
Sean

Hi @seanmmorris,

It is great to see your interest in HiveMQ and MQTT, welcome to the community!

Usually you do not have to set anything extra when using sslWithDefaultConfig(), like for example in this code example: hivemq-examples/HiveMqCloudExample.java at master · hivemq/hivemq-examples · GitHub

What is the broker and port that you are trying to connect your client to? What are the other parameters that you set – perhaps you could share your project for us to take a look or put your code into here?

Hint: if you are sharing your code here, enclose it in triple ticks (`) – that will get your code pretty-printed.

Regards,
Dasha from HiveMQ team

The broker we are connecting to is EMQX.

Does the default SSL config work with mutual TLS, or only one way?

We have decided to just create our own Keystore and Truststore managers and pass them in like this, which is working:

```java
mqtt5ClientBuilder = mqtt5ClientBuilder
        .sslConfig()
        .keyManagerFactory(keyManagerFactory)
        .trustManagerFactory(trustManagerFactory)
        .applySslConfig();
```

We were just surprised it did not seem to pick up the keystore without doing this.

Sean
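
The approach described in the post above, as an added example that is not code from the thread or from HiveMQ: it builds the KeyManagerFactory and TrustManagerFactory from the javax.net.ssl.* system properties and passes both to sslConfig(). The class name, helper names, client identifier, host and port are placeholders, and it assumes the properties point at readable keystore files.

```java
import com.hivemq.client.mqtt.mqtt5.Mqtt5BlockingClient;
import com.hivemq.client.mqtt.mqtt5.Mqtt5Client;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class MutualTlsClient {
    // Reads javax.net.ssl.<name>Password; null when the property is not set.
    static char[] password(String name) {
        String p = System.getProperty("javax.net.ssl." + name + "Password");
        return p == null ? null : p.toCharArray();
    }

    // Loads the store named by javax.net.ssl.<name>, honouring the optional <name>Type property.
    static KeyStore load(String name) throws Exception {
        String path = System.getProperty("javax.net.ssl." + name);
        if (path == null) throw new IllegalStateException("javax.net.ssl." + name + " is not set");
        KeyStore store = KeyStore.getInstance(System.getProperty("javax.net.ssl." + name + "Type", KeyStore.getDefaultType()));
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password(name));
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        // Client certificate and private key. In the thread, the broker answered
        // "certificate required" until a KeyManagerFactory was configured explicitly.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("keyStore"), password("keyStore"));

        // CA certificates used to verify the broker's certificate.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("trustStore"));

        Mqtt5BlockingClient client = Mqtt5Client.builder()
                .identifier("mtls-example-client")   // placeholder identifier
                .serverHost("broker.example.com")    // placeholder host
                .serverPort(8883)                    // assumed TLS listener port
                .sslConfig()
                .keyManagerFactory(kmf)
                .trustManagerFactory(tmf)
                .applySslConfig()
                .buildBlocking();
        client.connect();
        client.disconnect();
    }
}
```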

We are renewing our certificates every 24 hours. Is there a way to configure the Hive Client to automatically reload the keystore and truststore when they change?

Thanks,
Sean