How to enable multiple client certificates on cluster for authentication


I am using hiveMQ cluster with starter plan. Is there any way to add multiple client certificates, so that clients can use any of them and authenticate.

Currently, on the access management page I am able to add a single client certificate and using that I am able to connect clients to the cluster. I am looking for a way to upload multiple client certificates. Is there a way to achieve this?

1 Like

Instead of uploading multiple client certificates, you can use a single Certificate Authority (CA) to sign all client certificates. HiveMQ can then be configured to trust the CA, allowing any client certificate signed by that CA to be accepted. This way, you only need to upload the CA certificate to HiveMQ.

Here are the steps to set up and test the MQTT client using client certificates with HiveMQ Cloud Starter:


  1. Generate CA Certificate and Client Certificates:
  • Run the following script to generate the CA certificate (ca_cert.pem), client private keys, and client certificate signing requests (CSRs):
#!/usr/bin/env bash

subject_base="/C=US/ST=California/L=San Francisco/O=Mohanashree Corp"
num_clients=3  # Define the number of clients

# Generate CA certificate
openssl genpkey -algorithm RSA -out ca_key.pem
openssl req -x509 -new -nodes -key ca_key.pem -sha256 -days 365 -out ca_cert.pem \
  -subj "$subject_base/CN=Mohanashree CA"

# Loop to generate client keys and certificate signing requests (CSRs)
for i in $(seq 1 $num_clients); do
  openssl genpkey -algorithm RSA -out ${client}_key.pem
  openssl req -new -key ${client}_key.pem -out ${client}_csr.pem -subj "$subject_base/CN=${client}"
  openssl x509 -req -in ${client}_csr.pem -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out ${client}_cert.pem -days 360 -sha256

echo "Certificates generated for client1 to client${num_clients}"
  • This script generates the CA certificate (ca_cert.pem), three client private keys (client1_key.pem, client2_key.pem, client3_key.pem), and their corresponding client certificates (client1_cert.pem, client2_cert.pem, client3_cert.pem).
  1. Upload CA Certificate to HiveMQ Cloud Starter:
  • Log in to your HiveMQ Cloud Starter dashboard.
  • Navigate to Access Management > Client Certificate.
  • Upload the ca_cert.pem file under Key to establish trust for the client certificates signed by this CA.
  1. Test MQTT Client Subscription with Client Certificate:
  • Install the mqtt-cli command-line tool or use a suitable MQTT client that supports client certificate authentication.
  • Use the following command to subscribe to MQTT topics using client certificate authentication:
mqtt subscribe \
  --topic "#" \
  --host \
  --port 8883 \
  --secure \
  --cert client1_cert.pem \
  --key client1_key.pem \
  --identifier client1 \
  --showTopics \
  --jsonOutput \
  --debug \
  • Adjust client1_cert.pem and client1_key.pem with the actual paths to the generated client certificate and key files.
  • Modify --host and other parameters as per your HiveMQ Cloud Starter configuration.
  1. Verify MQTT Client Connection:
  • Run the MQTT subscribe command in your terminal.
  • The command connects to the HiveMQ broker using the specified client certificate (client1_cert.pem and client1_key.pem).
  • It subscribes to all topics (#) and displays subscribed topics in JSON format with debug and verbose outputs.
  1. Monitor Subscription:
  • Observe the terminal output to ensure that the MQTT client successfully connects to the broker and subscribes to topics.
  • Check for any errors or warnings in the debug output (--debug) that might indicate issues with the client certificate setup.

By following these steps, you can set up and test MQTT client authentication using client certificates with HiveMQ Cloud Starter. Adjust paths, parameters, and configurations as necessary based on your specific environment and requirements.

I hope it helps.

Best regards,
Dasha from the HiveMQ Team