Closed srinivasrb closed 4 years ago
Does the solution from https://github.com/chkr1011/MQTTnet/issues/115#issuecomment-376863514 work for you?
Hi @SeppPenner, the code in the comment uses the following method to provide the TLS options:

```csharp
// Signature used in the linked comment (older MQTTnet API); the last two
// arguments are the exported certificates as raw DER bytes.
.WithTls(false, false, false,
    new X509Certificate(@"Certificates\aws-root-cert.pem", "").Export(X509ContentType.Cert),
    new X509Certificate(@"Certificates\AWS_IoT_Cert.pfx", "").Export(X509ContentType.Cert))
```

The two last arguments are byte arrays in that code (and I am guessing that the first three bools are flags for untrusted certs etc.). In v3.0.11, the `.WithTls` method signature has changed: it takes an `MqttClientOptionsBuilderTlsParameters` object, which has a `Certificates` property, which is in turn an `IEnumerable<X509Certificate>`. Using the code I mentioned in my question gives me an inner exception "The message received was unexpected or badly formatted." I also tried using an `X509Certificate2`, but with the same result.
Ok, sorry. I missed this change somehow.
Here's the code that works:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using MQTTnet.Client.Options;
using MQTTnet.Extensions.ManagedClient;

// CA certificate in .crt format; client certificate as a PFX that contains the
// private key, unlocked with the password given when the PFX was exported.
var caCert = X509Certificate.CreateFromCertFile(@"CA-cert.crt");
var clientCert = new X509Certificate2(@"client-certificate.pfx", "ExportPasswordUsedWhenCreatingPfxFile");

// host and port are the broker's TLS endpoint.
var options = new ManagedMqttClientOptionsBuilder()
    .WithClientOptions(new MqttClientOptionsBuilder()
        .WithClientId(Guid.NewGuid().ToString())
        .WithTcpServer(host, port)
        .WithTls(new MqttClientOptionsBuilderTlsParameters()
        {
            UseTls = true,
            SslProtocol = System.Security.Authentication.SslProtocols.Tls12,
            Certificates = new List<X509Certificate>()
            {
                caCert, clientCert
            }
        })
        .Build())
    .Build();
```

The CA cert is in .crt format, and the client cert should be in PFX format and must be opened with the password that was used when the private key and cert were originally exported to that file. The PFX was created using openssl as below:

```shell
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in clientCertificate.cer
```

This should be documented, I guess.
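As an added example (not code from this thread or from the MQTTnet project), the following console program wraps the working configuration above in a few pre-flight checks that catch common reasons a client-certificate handshake fails before the connection is attempted: the PFX must actually carry a private key, both certificates must be inside their validity period, and the client certificate should chain to the CA that was loaded. The broker host and port, the certificate paths and the PFX password are placeholders; the MQTTnet calls are the ones used in the thread (`MqttClientOptionsBuilder`, `MqttClientOptionsBuilderTlsParameters`) plus `MqttFactory` and `IMqttClient.ConnectAsync` for the connection itself. The certificate order (CA first, then the client certificate) follows the thread; the chain check and the console reporting are this example's own design.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using MQTTnet;
using MQTTnet.Client;
using MQTTnet.Client.Options;

// Added example, not from the MQTTnet project or the issue thread.
static class TlsClientCertExample
{
    const string Host = "broker.example.invalid";     // placeholder
    const int Port = 8883;                             // conventional MQTT-over-TLS port
    const string CaPath = @"CA-cert.crt";              // placeholder
    const string PfxPath = @"client-certificate.pfx";  // placeholder
    const string PfxPassword = "<export-password>";    // placeholder

    // Returns the problems found; an empty list means the material looks usable.
    static List<string> PreflightChecks(X509Certificate2 ca, X509Certificate2 client)
    {
        var problems = new List<string>();
        var now = DateTime.Now;

        // A PFX exported without its key loads fine but cannot complete the
        // TLS client-authentication step.
        if (!client.HasPrivateKey)
            problems.Add("client certificate has no private key (re-export the PFX with -inkey)");

        if (now < client.NotBefore || now > client.NotAfter)
            problems.Add($"client certificate not valid at {now:u} ({client.NotBefore:u} - {client.NotAfter:u})");
        if (now < ca.NotBefore || now > ca.NotAfter)
            problems.Add($"CA certificate not valid at {now:u}");

        // Build the chain with the loaded CA as an extra trust anchor and without
        // contacting revocation servers, then confirm the chain really passes
        // through that CA rather than through some unrelated root.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(ca);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.Build(client);

            var endsAtCa = false;
            foreach (var element in chain.ChainElements)
                if (element.Certificate.Thumbprint == ca.Thumbprint)
                    endsAtCa = true;
            if (!endsAtCa)
                problems.Add("client certificate does not chain to the loaded CA certificate");
        }
        return problems;
    }

    static IMqttClientOptions BuildOptions(X509Certificate2 ca, X509Certificate2 client)
    {
        return new MqttClientOptionsBuilder()
            .WithClientId(Guid.NewGuid().ToString())
            .WithTcpServer(Host, Port)
            .WithTls(new MqttClientOptionsBuilderTlsParameters
            {
                UseTls = true,
                SslProtocol = System.Security.Authentication.SslProtocols.Tls12,
                // Same order as in the thread: CA first, then the client certificate.
                Certificates = new List<X509Certificate> { ca, client }
                // AllowUntrustedCertificates / IgnoreCertificateChainErrors are left at
                // their false defaults so the broker's certificate is still validated.
            })
            .Build();
    }

    static async Task Main()
    {
        var ca = new X509Certificate2(CaPath);
        var client = new X509Certificate2(PfxPath, PfxPassword);

        var problems = PreflightChecks(ca, client);
        if (problems.Count > 0)
        {
            foreach (var p in problems) Console.Error.WriteLine("preflight: " + p);
            return;
        }

        var mqttClient = new MqttFactory().CreateMqttClient();
        try
        {
            var result = await mqttClient.ConnectAsync(BuildOptions(ca, client));
            Console.WriteLine("connected, result code: " + result.ResultCode);
        }
        catch (Exception ex)
        {
            // The inner exception carries the TLS-stack detail (for instance the
            // "unexpected or badly formatted" message quoted earlier in the thread).
            Console.Error.WriteLine("connect failed: " + ex.Message);
            if (ex.InnerException != null)
                Console.Error.WriteLine("  inner: " + ex.InnerException.Message);
        }
    }
}
```

Run it once against a test broker after exporting the PFX with the `openssl pkcs12 -export` command above; if the pre-flight stage reports a missing private key or a chain that does not end at the CA, the fix is in the certificate material, not in the MQTTnet options.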
So, I finally found the time and added this to the wiki as well: https://github.com/chkr1011/MQTTnet/wiki/Client#tls-using-a-client-certificate.
Describe your question
How do I connect to a broker over TLS, using a client certificate?
Which project is your question related to?
As in issue #115, I am looking to configure the client to do the MQTT Fx equivalent of the below:
Please advise on how I could specify the CA cert, the client cert and the key file. I looked at the code that is mentioned in that issue, but the `.WithTLS()` signature in that code doesn't seem to be present in 3.0.11. I tried:
In the `Certificates` collection, what is the order in which the certs are specified? Or should I specify these in some other way?
Thanks in advance.