We are using X.509 certificates to connect clients to the broker. Each certificate has a unique DN and I would like to authorize the subscription based on the DN in the X.509 certificate. For example, a client with a DN of client1 would only be able to subscribe to the topic service/client1, and they would only be able to publish to client1/service.
Is such a thing possible? Perhaps we will have to write some sort of plug-in, and that's fine, but we'll need the DN from the certificate.
Doesn't the DN usually consist of a comma- or slash-separated combination of many other fields like Country, State-or-Province, Organization, Organizational Unit (possibly several), and then Common Name? I would be nervous about that conflicting with the MQTT topic namespace.
We do this same sort of thing with just the CN of our certificates. We set peer_cert_as_username=CN in our config, then have topics that reference %u in our ACL, like spBv1.0/+/+/%u/#.

I would expect you could do something similar with peer_cert_as_username=dn since that is an allowed option.
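An added example, not code from this thread or from any broker: a small Python model of the two username modes discussed above (CN only versus the full DN) that expands the question's two ACL patterns (service/%u for subscribe, %u/service for publish) and flags subject values that would not stay a single literal topic level, which is the concern raised about DN fields and the topic namespace. The exact "cn"/"dn" behaviour, the RFC 4514 rendering order and the sample subjects are assumptions constructed here; check how your broker really renders the subject before relying on the mapping.

```python
# Added example (not from the thread or any broker's code): model how a
# certificate subject becomes an MQTT username in a "CN only" mode versus a
# "full DN" mode, then check whether that username is safe to substitute into
# an ACL topic pattern such as service/%u.
#
# Assumptions (hypothetical, not taken from any broker documentation):
#   - "cn" mode uses the single Common Name value as the username;
#   - "dn" mode renders the whole subject as an RFC 4514 string, most specific
#     attribute first (CN=...,OU=...,O=...,C=...).
# Verify how your broker actually renders the subject before relying on this.

import re

TOPIC_SEPARATOR = "/"   # splits topic levels
TOPIC_WILDCARDS = "+#"  # single- and multi-level wildcards in topic filters


def _escape_rfc4514(value):
    """Escape one attribute value as RFC 4514 section 2.4 requires."""
    out = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def render_rfc4514(subject):
    """Render [(type, value), ...] given in certificate order (C first, CN last)
    as an RFC 4514 string, which lists the most specific attribute first."""
    return ",".join(f"{t}={_escape_rfc4514(v)}" for t, v in reversed(subject))


def username_from_subject(subject, mode):
    """Return the username the modelled 'cn' or 'dn' mode would derive."""
    if mode == "cn":
        cns = [v for t, v in subject if t == "CN"]
        if len(cns) != 1:
            raise ValueError(f"expected exactly one CN, found {len(cns)}")
        return cns[0]
    if mode == "dn":
        return render_rfc4514(subject)
    raise ValueError(f"unknown mode {mode!r}")


def topic_problems(username):
    """List the reasons a username would not stay one literal topic level when
    substituted for %u in an ACL pattern; an empty list means it is safe."""
    problems = []
    if not username:
        problems.append("empty username")
    if TOPIC_SEPARATOR in username:
        problems.append("contains '/' and so adds topic levels")
    if any(c in username for c in TOPIC_WILDCARDS):
        problems.append("contains a wildcard character ('+' or '#')")
    if "\x00" in username:
        problems.append("contains U+0000, which MQTT forbids in topics")
    if username.startswith("$"):
        problems.append("starts with '$', the reserved topic namespace")
    return problems


def acl_topics(username):
    """Expand the two ACL patterns from the question for this username."""
    return {"subscribe": f"service/{username}", "publish": f"{username}/service"}


# Constructed sample subjects (not real certificates).
SUBJECTS = {
    "plain":      [("C", "US"), ("O", "Example Corp"), ("OU", "Devices"), ("CN", "client1")],
    "slash_in_o": [("C", "US"), ("O", "Example/Devices"), ("CN", "client2")],
    "wild_cn":    [("C", "US"), ("O", "Example Corp"), ("CN", "client3/#")],
}


def evaluate(subject, mode):
    """Username, expanded ACL topics and problems for one subject and mode."""
    username = username_from_subject(subject, mode)
    return {"username": username, "topics": acl_topics(username),
            "problems": topic_problems(username)}


if __name__ == "__main__":
    for name, subject in SUBJECTS.items():
        for mode in ("cn", "dn"):
            result = evaluate(subject, mode)
            verdict = "ok" if not result["problems"] else "; ".join(result["problems"])
            print(f"{name:11} {mode}: {result['username']!r}")
            print(f"{'':11}     subscribe {result['topics']['subscribe']!r} -> {verdict}")
```

The "slash_in_o" subject is the case the earlier reply worries about: its CN alone is a clean username, but the full DN drags in an Organization containing "/", so service/%u becomes a two-level topic. The "wild_cn" subject shows why the check really belongs at issuance: if the CA will sign a CN containing "/", "+" or "#", the ACL pattern no longer means "exactly this client's topic" in either mode, so constrain what the CA issues (or reject such usernames at the broker) rather than trusting the substitution.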
Thanks, that’s exactly what I was hoping to hear!