Using Certificates For TLS


Elona Homes

Aug 27, 2024, 7:38:05 AMAug 27
to MQTT
Hi,

I'm using TLS security for the MQTT bridge broker, and the certificates that I'm using are self-signed server certificates. The clients connect to this bridged broker using client certificates generated with the same CA certificate as that of the server.

How are these certificates verified?

Is it OK if I use the same self-signed certificates in the production environment? If so, what are the potential drawbacks of using self-signed certificates?
And if I have to use certificates from an authorised CA, what should I do?

Thanks in Advance

Greg Troxel

Aug 27, 2024, 8:06:33 AMAug 27
to Elona Homes, MQTT
As I see it, this list is about mqtt protocol issues.

You are asking about TLS, in the context of:
- unnamed client and broker implementations
- using an unnamed TLS implementation
- configured on an unnamed operating system/packaging system
- in an unknown environment, with unknown security concerns and requirements

Most seriously, asking people to tell you if some practice is "ok" does
not make sense.

I will comment that my perception is that many people overvalue the
security benefits from the practice of configuring 100 public CAs as
trust anchors, and at the same time I believe that running a private CA
well is difficult. Unfortunately thinking about the overall risks from
various approaches is quite complicated.

One approach would be to find a consultant who can understand your
situation and help you. Another would be to learn enough to do this
yourself. If going down the second path:

- https://letsencrypt.org/docs/faq/
- https://community.letsencrypt.org/t/certificates-101/198242/171

- https://www.rfc-editor.org/rfc/rfc5280
- https://datatracker.ietf.org/wg/pkix/documents/

- https://csrc.nist.gov/pubs/sp/800/171/r3/final
(required for certain US government contracts -- perhaps you are at
Georgia Tech? -- and helpful for thinking about overall risk)

Zaiming Shi

Aug 28, 2024, 10:51:47 AMAug 28
to mq...@googlegroups.com, Elona Homes
Server and client certificates can be issued by any CA; different CAs do not stop mutual TLS authentication.
mTLS essentially means clients should trust the server's root CA, and the server needs to trust the clients' root CAs.
There is a nice video intro about MQTT on TLS in general: https://www.youtube.com/watch?v=W7SedpZzQdo

> Is it OK if I use the same self-signed certificates in the production environment? If so, what are the potential drawbacks of using self-signed certificates?

Many choose to use self-signed certificates in production.

The drawback is that if you don't have a PKI infrastructure, it's all manual work to keep the private keys secure and keep track of the issuer chains etc.
Another drawback is that if you want the clients to verify the server certificate, you'll need to distribute the server's root CA to the clients.
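The verification described in this thread (a private, self-signed CA as the trust anchor on both sides, with the broker and client certificates chaining to it), as an added example that is not part of the original posts: it uses the openssl CLI to build the CA, issue a broker and a client certificate, and run the same path validation a TLS peer performs. All names, file prefixes and the second "unrelated" CA are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA built with the openssl
# CLI, a broker cert and a client cert issued from it, and the chain check a
# TLS peer performs against its configured trust anchor (the CA certificate).
# Assumes: openssl on PATH; every name and path below is constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. `req -x509` marks it CA:TRUE; its cert (never its key)
# is what the broker's and clients' TLS configs point at as the trust anchor.
make_ca() {   # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf cert signed by a CA. extendedKeyUsage separates server from client certs.
issue_leaf() {   # $1 = CA prefix, $2 = leaf prefix, $3 = CN, $4 = serverAuth|clientAuth
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n'\
'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$4" "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# What the peer does at handshake time: build a path from the presented leaf to
# the trust anchor and check signature, validity period, CA flag and purpose.
# Exit status 0 = accepted, non-zero = rejected.
verify_leaf() {   # $1 = trust anchor (CA prefix), $2 = leaf prefix, $3 = sslserver|sslclient
  openssl verify -CAfile "$WORK/$1.crt" -purpose "$3" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca ca    "Example MQTT Private CA"
make_ca other "Some Unrelated CA"
issue_leaf ca    broker   broker.example.internal serverAuth
issue_leaf ca    sensor01 sensor01                clientAuth
issue_leaf other rogue    rogue                   clientAuth

verify_leaf ca broker sslserver   && echo "client side: broker cert chains to ca.crt"
verify_leaf ca sensor01 sslclient && echo "broker side: sensor01 cert chains to ca.crt"
verify_leaf ca rogue sslclient    || echo "broker side: cert from another CA rejected"
verify_leaf ca sensor01 sslserver || echo "client cert presented as a server cert rejected (EKU)"
```

The last two checks show the two failure modes the thread touches on: a certificate from a CA the peer was never given is rejected outright, and a client certificate cannot be reused as a broker certificate because its extendedKeyUsage does not match.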
