X.509 Certificate Chain Authentication

X.509 authentication overview
Configure provider
- Skip certificate validity check for client certificates
Credentials matching
Credentials ID
Authorization
Example
Next steps

X.509 Certificate Chain Authentication is a widely used method for securing MQTT connections in enterprise environments and IoT deployments requiring strong identity verification. Instead of relying on a username and password, clients present a certificate during the TLS handshake, allowing the broker to authenticate them based on the Common Name (CN) certificate attribute.

X.509 authentication overview

With X.509 Certificate Chain Authentication, the client presents its certificate chain as part of the TLS handshake. TBMQ extracts the Common Name (CN) from the client’s certificate, or any certificate in the chain to generate credentialsId and match it against the configured MQTT client credentials.

TBMQ supports two matching modes:

Exact match — where the CN in the certificate must exactly match the configured pattern.
Regular expression (regex) match — where the CN must match a regex pattern, allowing flexible matching for groups of certificates.

After a successful match, the client is authenticated. For performance and low-latency lookups, TBMQ caches credentials in Redis, while PostgreSQL ensures persistent storage. The following sections explain provider configuration, credential matching, credentialsId generation, and how authorization is applied after successful authentication.

Configure provider

You can check the authentication provider status, enable or disable it directly from the TBMQ user interface, making it easy to manage authentication behavior without modifying configuration files or restarting the broker.

On the Home page, in the Broker Settings card, you’ll find quick-toggle buttons for each available authentication provider. Click the button next to the desired provider to enable or disable it.
On the Authentication Providers page, you have more control and visibility:
- You can enable or disable a provider directly from the table by clicking the Switch button in the corresponding row.
- For more detailed management, click on a provider to open its details page, where you can change the status or other parameters.

Go to the Broker Settings card on the Home page to switch authentication providers.

On the Authentication > Providers page, use the switch button in the table’s right column to enable or disable providers.

Open the Authentication > Providers page, select the X.509 Certificate Chain row, and click the "Edit" button to configure the provider.

Skip certificate validity check for client certificates

The Skip certificate validity check for client certificates parameter in X.509 Certificate Chain Authentication controls whether the broker verifies the validity period of the client’s certificate during authentication.

When enabled, TBMQ skips the validation of the Not Before and Not After dates in the certificate, meaning expired or not-yet-valid certificates will still be accepted.
When disabled, the broker enforces the standard validity checks, and authentication will fail if the certificate is expired or not yet valid.

This setting can be useful in testing or specific trust-controlled environments, but set it to true is not recommended for production deployments, as it weakens the certificate-based security model.

Credentials matching

The “X.509 Certificate Chain” credentials have a “Use certificate CN regex” option that controls how credentials are matched.

When “Use certificate CN regex” is disabled: the “Certificate common name (CN)” must exactly match the CN of the client’s certificate or, if present, one of the parent’s certificates in the chain. Authentication will fail if none of the certificates have an exactly matching CN.
“Use certificate CN regex” is enabled: the “Certificate common name (CN) matcher regex” must match the CN of the client’s certificate or, if present, one of the parent’s certificates in the chain. Authentication will fail if no certificate in the chain matches the regex.

Credentials ID

The generation of credentialsId is done as follows:

credentialsId = ssl|$CERTIFICATE_COMMON_NAME;
credentialsId = ssl|$CERTIFICATE_COMMON_NAME_REGEX.

Where $CERTIFICATE_COMMON_NAME is the common name of the certificate from the chain, $CERTIFICATE_COMMON_NAME_REGEX is a regex-based string that should be matched with the certificate’s CN from the chain.

TLS authentication with "Use certificate CN regex" disabled to match certificate common name by exact match.

TLS authentication with "Use certificate CN regex" enabled to match certificate common name using a regex pattern.

Authorization

After the user has been authenticated, it is possible to restrict the client’s access to topics they can publish or subscribe to.

To provide flexible control over authorization rules, TBMQ uses regular expressions.

For example, to allow clients to publish or subscribe to all topics that begin with city/, an authorization rule should be created with the value city/.*.

For TLS type, authorization is configured using the authRulesMapping field of the corresponding MQTT Client Credentials. Here is a model of the credentials value:

{
    "certCnPattern": $certCnPattern,
    "certCnIsRegex": $certCnIsRegex,
    "authRulesMapping": $authRulesMapping
}

Where:

$certCnPattern - the pattern for the common name that should be present in the certificate chain.
$certCnIsRegex - option to control whether the common name (CN) pattern is treated as a regular expression (regex) for matching.

$authRulesMapping - the mapping used to configure the access restrictions for different keywords. For example,

{
    "example_1": {
        "pubAuthRulePatterns": ["example_pub_topic/.*"],
        "subAuthRulePatterns": ["example_sub_topic/.*"]
    },
    "example_2": {
        "pubAuthRulePatterns": [".*"],
        "subAuthRulePatterns": [".*"]
    }
}

This allows clients to connect with a certificate containing example_1 in its CN to publish only to topics that start with example_pub_topic/ and subscribe to topics that start with example_sub_topic/. Clients with a certificate containing example_2 are allowed to publish and subscribe to any topic.

Note: if either pubAuthRulePatterns or subAuthRulePatterns is set to null or an empty list ([]), the client will not be able to publish to or subscribe to any topics.

Example

X.509 Certificates are used to set up mutual (two-way) authentication for MQTT over TLS. Instructions below will describe how to connect MQTT client using X.509 Certificate to TBMQ.

In particular, there are two strategies that can be used for establishing connection between client and TBMQ:

X.509 Certificate chain.
Configure TBMQ to trust all client certificates from a specific trust anchor (intermediate certificate). This feature eliminates the need for manual certificate updates on each MQTT client credential when certificate rotation occurs.
X.509 Certificate.
Configure TBMQ to accept connections from the specific devices using pre-configured client certificates.

X.509 Certificate chain

X.509 Certificate

Step 1. Prepare your server and client certificate chain

Follow the MQTT over SSL guide to provision server certificate if you are hosting your own TBMQ instance.

Once provisioned, you should prepare a CA root certificate in pem format. This certificate will be used by MQTT clients to validate the server certificate. Save the CA root certificate to your working directory as “ca.pem”.

Step 2. Generate Client certificate chain

We should generate a certificate chain with reasonable Common Names (CNs). We will use the intermediate certificate to sign certificates for our devices. For example, the certificate chain CNs might be the following:

Root certificate CN: company-name.com;
Intermediate certificate: device-group-name.company-name.com;
Device certificate: device-name.device-group-name.company-name.com;

Use the following commands to generate the self-signed private keys, certificate signing requests, and x509 certificates for each chain level. The commands are based on the OpenSSL tool, which is most likely already installed on your workstation:

Step 2.1 Generate root certificate

Generate the Root certificate and private key, use the following command. Don’t forget to put the correct CN when prompted:

openssl req -x509 -newkey rsa:4096 -keyout rootKey.pem -out rootCert.pem -sha256 -days 365 -nodes

Sample output, referencing *company.com* as CN

Generating a RSA private key
writing new private key to 'rootKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:company.com
Email Address []:

Step 2.2 Generate intermediate certificate

To generate the intermediate key and certificate request, use the following command. Don’t forget to put the correct CN when prompted:

openssl req -new -newkey rsa:4096 -keyout intermediateKey.pem -out intermediate.csr -sha256 -nodes

Sample output, referencing *group.company.com* as CN

Generating a RSA private key
writing new private key to 'intermediateKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:group.company.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

To generate the intermediate certificate, use the following command.

openssl x509 -req -in intermediate.csr -out intermediateCert.pem -CA rootCert.pem -CAkey rootKey.pem -days 365 -sha256 -CAcreateserial -extfile <(echo "basicConstraints=CA:TRUE,pathlen:0")

Sample output

Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = group.company.com
Getting CA Private Key

Step 2.3 Generate device certificate

To generate the device key and certificate request, use the following command. Don’t forget to put the correct CN when prompted:

openssl req -new -newkey rsa:4096 -keyout deviceKey.pem -out device.csr -sha256 -nodes

Sample output, referencing device123.group.company.com as CN

Generating a RSA private key
writing new private key to 'deviceKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:device.group.company.com
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

To generate the device certificate, use the following command.

openssl x509 -req -in device.csr -out deviceCert.pem -CA intermediateCert.pem -CAkey intermediateKey.pem -days 365 -sha256 -CAcreateserial

Sample output

Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = device.group.company.com
Getting CA Private Key

Finally, you need to concatenate certificates into a chain starting from the device certificate till the root.

cat deviceCert.pem intermediateCert.pem rootCert.pem > chain.pem

The output of the commands will be private keys and certificates for each level of chain. In the next steps we will use device key file deviceKey.pem and a chain of certificates chain.pem.

Step 3. Provision Intermediate Public Key in MQTT Client Credentials

Go to TBMQ Web UI -> Authentication -> Credentials -> Create new or update exising one. Select X.509 Certificate Chain type, insert the CN of intermediateCert.pem file.

Step 4. Trust the certificate

For the MQTT client to establish a secure TLS connection, the CA (Certificate Authority) that signed its certificate must be trusted. If the certificate is issued by a well-known public CA, it is already trusted by default. If both TBMQ and the clients use certificates issued by the same CA, no additional configuration is required. If it is another private or internal CA, you must add the CA certificate (rootCert.pem) to the Java truststore used by TBMQ.

Run the following command to import the CA certificate into the truststore.

Step 5. Test the connection

Execute the following command to upload temperature readings to TBMQ using secure channel:

mosquitto_pub --cafile ca.pem -d -q 1 -h "YOUR_TBMQ_HOST" -p "8883" \
-t "sensors/temperature" --key deviceKey.pem --cert chain.pem -m {"temperature":25}

Similar command for the self-signed server certificate:

mosquitto_pub --insecure --cafile server.pem -d -q 1 -h "YOUR_TBMQ_HOST" -p "8883" \
-t "sensors/temperature" --key deviceKey.pem --cert chain.pem -m {"temperature":25}

Don’t forget to replace YOUR_TBMQ_HOST with the host of your TBMQ instance.

Step 1. Prepare your server and client certificate

Follow the MQTT over SSL guide to provision server certificate if you are hosting your own TBMQ instance.

Step 2. Generate Client certificate

Use the following command to generate the self-signed private key and x509 certificate. The command is based on the openssl tool which is most likely already installed on your workstation:

To generate the RSA based key and certificate, use:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes

To generate the EC based key and certificate, use:

openssl ecparam -out key.pem -name prime256v1 -genkey
openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem 

The output of the command will be a private key file key.pem and a public certificate cert.pem. We will use them in next steps.

Step 3. Provision Client Public Key in MQTT Client Credentials

Go to TBMQ Web UI -> Authentication -> Credentials -> Create new or update exising one. Select X.509 Certificate Chain type, insert the CN of cert.pem file.

Step 4. Trust the certificate

For the MQTT client to establish a secure TLS connection, its certificate must be trusted. If the certificate is signed by a well-known public CA, it is already trusted by default. If it is a self-signed, import the client certificate (cert.pem) into the Java truststore used by TBMQ.

Run the following command to import the certificate into the truststore.

Step 5. Test the connection

Execute the following command to upload temperature readings to TBMQ using secure channel:

mosquitto_pub --cafile ca.pem -d -q 1 -h "YOUR_TBMQ_HOST" -p "8883" \
-t "sensors/temperature" --key key.pem --cert cert.pem -m {"temperature":25}

Don’t forget to replace YOUR_TBMQ_HOST with the host of your TBMQ instance.

Next steps

Getting started guide - This guide provide quick overview of TBMQ.
Installation guides - Learn how to set up TBMQ using Docker or deploy it in K8S environments on AWS, GCP, and Azure.
Configuration guide - Learn about TBMQ configuration files and parameters.
MQTT client type guide - Learn about TBMQ client types.
Integration with ThingsBoard - Learn about how to integrate TBMQ with ThingsBoard.