Client certificate authentication

As of Niagara 4.14, the default Mqtt device and authenticator support client certificate authentication.

Depending on how they are configured, Mqtt brokers may require one of the following forms of authentication:
  • No authentication (not recommended in production)

  • Username/password credentials (application layer)

  • Mutual TLS authentication via a client certificate (transport layer)

  • Combination of credentials and TLS certificate authentication

Additionally, private cloud brokers may impose further requirements, such as client ID validation, specific parameters that must form the client ID or username, or time-limited tokens used as passwords.

TLS client authentication, in turn, generally falls into one of the following categories:
  • A specific certificate for each client device, which is pre-imported and trusted by the broker.

  • A root CA certificate is trusted by the broker, which then accepts connections from any client that presents a certificate signed either directly by that root CA or by an intermediate CA that chains back to it.
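The two trust models above behave differently when a client presents its certificate. The following added example, which is not part of Niagara's or any broker's own tooling, builds a small constructed PKI with openssl (a hypothetical "Demo Root CA", a "Demo Issuing CA" intermediate, a device certificate for "mqtt-client-01", and an unrelated "Other Root CA") and then emulates the broker's check for each model: the CA model, where only the root is trusted and the client must send its intermediate along with its leaf, and the per-client model, where the broker pre-imported one specific certificate and compares its SHA-256 fingerprint. Assumes `openssl` 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example: constructed PKI plus two broker-side trust checks.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: a CA certificate and a client (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# newkey_csr NAME CN : fresh P-256 key and CSR for NAME (hypothetical names).
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}
# self_sign NAME : turn NAME's CSR into a self-signed root CA certificate.
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
    -extfile ca.ext -out "$1.crt" >/dev/null 2>&1
}
# sign NAME ISSUER EXT : issue NAME's certificate from ISSUER with extensions EXT.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}

newkey_csr root "Demo Root CA";        self_sign root           # trusted by the broker
newkey_csr issuing "Demo Issuing CA";  sign issuing root ca.ext # intermediate CA
newkey_csr client "mqtt-client-01";    sign client issuing leaf.ext
newkey_csr other "Other Root CA";      self_sign other          # unrelated CA
newkey_csr rogue "mqtt-client-01";     sign rogue other leaf.ext # same CN, wrong CA

# broker_accepts LEAF [CHAIN] : CA model. The root is the only trust anchor;
# CHAIN is the intermediate the client sends together with its leaf, if any.
broker_accepts() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1 && { echo accepted; return 0; }
  else
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1 && { echo accepted; return 0; }
  fi
  echo rejected
}

# pin_accepts LEAF : per-client model. The broker pre-imported client.crt and
# matches what the client presents by SHA-256 fingerprint, not by name.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
PINNED=$(fingerprint client.crt)
pin_accepts() {
  [ "$(fingerprint "$1")" = "$PINNED" ] && echo accepted || echo rejected
}

echo "CA model, leaf + intermediate: $(broker_accepts client.crt issuing.crt)"
echo "CA model, leaf only:           $(broker_accepts client.crt)"
echo "CA model, foreign CA:          $(broker_accepts rogue.crt)"
echo "Pinned model, imported cert:   $(pin_accepts client.crt)"
echo "Pinned model, same CN, other:  $(pin_accepts rogue.crt)"
```

The "leaf only" case is the one that trips up deployments using an intermediate CA: a broker that trusts only the root rejects the device unless the client is configured to send the intermediate certificate with its own, or the broker has the intermediate imported too. The pinned model needs no chain at all, but every device certificate must be imported on the broker individually, so rotation and revocation are handled per device rather than at the CA.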