We are using x.509 certificates to connect clients to the broker. Each certificate has a unique DN and I would like to authorize the subscription based on the DN in the x.509 certificate. For example a client with DN of client1 would only be able to subscribe to the topic service/client1 and they would only be able to publish to client1/service
Is such a thing possible. Perhaps we will have to write some sort of plug in, and that’s fine, but we’ll need the DN from the certificate.
Doesn’t the DN usually consist of a comma or slash separated combination of many other fields like Country, State-or-Province, Organization, Organizational Unit (possibly several), and then Common Name? I would be nervous of that conflicting with MQTT topic namespace.
We do this same sort of thing with just the CN of our certificates. We set the peer_cert_as_username=CN in our config, then have topics that reference %u in our ACL like spBv1.0/+/+/%u/#.
I would expect you could do something similar with peer_cert_as_username=dn since that is an allowed option.
Thanks, that’s exactly what I was hoping to hear!
