I am trying to connect clients with 2-way TLS authentication. The only way I can connect a device is by trusting its client certificate in the HiveMQ truststore.
Is it possible to just trust the root certificate of our PKI in the HiveMQ truststore and have the client send the whole chain (device/intermediate/root certificate) for authentication?
Otherwise we have to trust every single device certificate, which is not realistic in our case.
Is it possible to control the access of a device to certain topics by certificates?
Welcome to the HiveMQ Community!
It’s nice to see that you are taking a serious look at your security as it appears.
Regarding certificate trust:
Yes, it is absolutely sufficient to include the ROOT certificate in the HiveMQ truststore and use individual client certificates that are signed by that ROOT and/or intermediate certs that got signed by the ROOT, as long as the client presents the complete certificate chain.
Access control or authorization can be extended in HiveMQ in virtually any way. The HiveMQ Enterprise Security Extension, which does not work with HiveMQ CE, has native support for X.509 certificate-based authorization.
For HiveMQ CE I suggest starting with the HiveMQ File RBAC Extension, which is open source, and adding the functionality yourself.
You can access the certificate in the TlsInformation.
Hope this helps.
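As an added illustration of the "add the functionality yourself" route (this is example code written for this thread, not code from HiveMQ, the File RBAC Extension, or the poster), the following HiveMQ CE extension reads the client certificate from the connection's TLS information and grants the device permissions only on a topic subtree named after the certificate's Common Name. It assumes the HiveMQ Extension SDK 4.x on the classpath (the `getClientTlsInformation()` accessor; older SDKs expose the deprecated `getTlsInformation()` instead), and the package name, class names and the `devices/<CN>/#` topic convention are hypothetical choices for the example. `@NotNull` annotations are omitted for brevity.

```java
// Added example, not HiveMQ's own code: per-device topic permissions derived from
// the subject CN of the presented client certificate.
// Assumptions: HiveMQ Extension SDK 4.x; "devices/<CN>/#" is a hypothetical scheme.
package com.example.certauthz;

import com.hivemq.extension.sdk.api.ExtensionMain;
import com.hivemq.extension.sdk.api.auth.parameter.ModifiableDefaultPermissions;
import com.hivemq.extension.sdk.api.auth.parameter.TopicPermission;
import com.hivemq.extension.sdk.api.client.ClientContext;
import com.hivemq.extension.sdk.api.client.parameter.ClientTlsInformation;
import com.hivemq.extension.sdk.api.parameter.ExtensionStartInput;
import com.hivemq.extension.sdk.api.parameter.ExtensionStartOutput;
import com.hivemq.extension.sdk.api.parameter.ExtensionStopInput;
import com.hivemq.extension.sdk.api.parameter.ExtensionStopOutput;
import com.hivemq.extension.sdk.api.services.Services;
import com.hivemq.extension.sdk.api.services.builder.Builders;
import com.hivemq.extension.sdk.api.services.intializer.ClientInitializer;
import com.hivemq.extension.sdk.api.services.intializer.InitializerInput;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.security.cert.X509Certificate;
import java.util.Optional;

public final class CertificateTopicAuthorizationExtension implements ExtensionMain {

    @Override
    public void extensionStart(final ExtensionStartInput input, final ExtensionStartOutput output) {
        // Runs once per client connection, before any PUBLISH/SUBSCRIBE is processed.
        Services.initializerRegistry().setClientInitializer(new CertificateClientInitializer());
    }

    @Override
    public void extensionStop(final ExtensionStopInput input, final ExtensionStopOutput output) {
        // Nothing to release.
    }

    static final class CertificateClientInitializer implements ClientInitializer {
        @Override
        public void initialize(final InitializerInput input, final ClientContext clientContext) {
            final ModifiableDefaultPermissions permissions = clientContext.getDefaultPermissions();
            // Deny everything that is not explicitly allowed below.
            permissions.setDefaultBehaviour(ModifiableDefaultPermissions.DefaultAuthorizationBehaviour.DENY);

            // TLS handshake already verified the chain up to the trusted root; here we only
            // decide which topics this particular, already-authenticated device may use.
            final Optional<String> deviceId = input.getConnectionInformation()
                    .getClientTlsInformation()
                    .flatMap(ClientTlsInformation::getClientCertificate)
                    .flatMap(CertificateTopicAuthorizationExtension::deviceIdFromCertificate);

            if (!deviceId.isPresent()) {
                // No usable client certificate (plain listener, no CN, or a CN containing
                // topic metacharacters): leave the client with no permissions at all.
                return;
            }
            permissions.add(Builders.topicPermission()
                    .topicFilter(topicFilterFor(deviceId.get()))
                    .type(TopicPermission.PermissionType.ALLOW)
                    .activity(TopicPermission.MqttActivity.ALL)
                    .build());
        }
    }

    /** Subject CN of the certificate; empty if absent or unsafe to embed in a topic filter. */
    static Optional<String> deviceIdFromCertificate(final X509Certificate cert) {
        try {
            final LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (final Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    final String cn = String.valueOf(rdn.getValue());
                    return isSafeDeviceId(cn) ? Optional.of(cn) : Optional.empty();
                }
            }
            return Optional.empty();
        } catch (final InvalidNameException e) {
            return Optional.empty();
        }
    }

    /** Rejects CNs that could widen the filter ('/', '+', '#') or break topic parsing. */
    static boolean isSafeDeviceId(final String cn) {
        return !cn.isEmpty() && cn.indexOf('/') < 0 && cn.indexOf('+') < 0
                && cn.indexOf('#') < 0 && cn.indexOf('\u0000') < 0;
    }

    static String topicFilterFor(final String deviceId) {
        return "devices/" + deviceId + "/#";
    }
}
```

With only the PKI root in the truststore, every certificate that chains to that root passes the TLS handshake, so the truststore alone says nothing about which device is connecting; the initializer above is what narrows the authenticated identity down to a topic subtree. Refusing CNs that contain `/`, `+` or `#` matters because the CN is interpolated into a topic filter, and a CN such as `x/#` would otherwise grant a wildcard. Because the topic permissions are set as default permissions, an additional Authorizer is only needed if the rules must be evaluated dynamically per message.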