Is it possible to have subscription rules based on x.509 DN?

We are using x.509 certificates to connect clients to the broker. Each certificate has a unique DN and I would like to authorize the subscription based on the DN in the x.509 certificate. For example, a client with a DN of client1 would only be able to subscribe to the topic service/client1, and they would only be able to publish to client1/service.

Is such a thing possible? Perhaps we will have to write some sort of plug-in, and that's fine, but we'll need the DN from the certificate.

Doesn’t the DN usually consist of a comma or slash separated combination of many other fields like Country, State-or-Province, Organization, Organizational Unit (possibly several), and then Common Name? I would be nervous of that conflicting with MQTT topic namespace.

We do this same sort of thing with just the CN of our certificates. We set the peer_cert_as_username=CN in our config, then have topics that reference %u in our ACL like spBv1.0/+/+/%u/#.

I would expect you could do something similar with peer_cert_as_username=dn since that is an allowed option.

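As an added illustration of the approach in the reply above (this is example code written for this thread, not code from the poster, the broker, or its ACL implementation): it pulls the CN or an RFC 4514-style DN out of a certificate subject in the shape Python's ssl.SSLSocket.getpeercert() returns, substitutes it for %u in ACL templates like the ones mentioned, and evaluates subscribe/publish requests with MQTT wildcard matching. The sample certificate subject and the ACL list are constructed for the example, and the refusal of usernames containing '/', '+' or '#' is a defensive choice made here, not documented broker behaviour; it shows why the DN-in-topic concern raised earlier matters when a DN value contains a slash.

```python
"""Example: authorizing MQTT topics from a client certificate's CN or DN.

Added example code, not from the thread or any broker. It assumes:
  * the peer certificate is available as a dict shaped like
    ssl.SSLSocket.getpeercert() (constructed sample below), and
  * ACL entries are (action, topic-filter template) pairs where %u is
    replaced by the username derived from the certificate.
"""

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "client1"),),
    ),
}

# Map getpeercert() attribute names to the short forms used in a DN string
SHORT_NAMES = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN",
}


def subject_cn(cert):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert["subject"]:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def subject_dn(cert):
    """Return an RFC 4514-style DN string, most specific RDN first,
    e.g. 'CN=client1,O=Example Corp,C=US'."""
    rdns = []
    for rdn in cert["subject"]:
        parts = [f"{SHORT_NAMES.get(attr, attr)}={value}" for attr, value in rdn]
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))


def topic_matches(topic_filter, topic):
    """MQTT wildcard matching: '+' matches exactly one level, '#' matches the
    remainder (including zero levels) and is only valid as the last level."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


# Constructed ACL: (action, filter template); %u is the certificate-derived username
ACL = [
    ("subscribe", "service/%u"),
    ("publish", "%u/service"),
    ("subscribe", "spBv1.0/+/+/%u/#"),
]


def is_allowed(username, action, topic, acl=ACL):
    """Allow the request if any ACL entry for this action matches the topic
    after substituting the username into the template.

    Defensive choice for this example: a username containing a topic
    separator or wildcard would change the shape of the filter it is
    substituted into (a DN value with '/' adds a topic level), so such
    usernames are rejected outright rather than substituted."""
    if any(ch in username for ch in "/+#"):
        return False
    for act, template in acl:
        if act == action and topic_matches(template.replace("%u", username), topic):
            return True
    return False


if __name__ == "__main__":
    cn = subject_cn(SAMPLE_PEER_CERT)
    dn = subject_dn(SAMPLE_PEER_CERT)
    print("CN username:", cn, "-> subscribe service/client1:",
          is_allowed(cn, "subscribe", "service/client1"))
    print("DN username:", dn, "-> subscribe service/<dn>:",
          is_allowed(dn, "subscribe", "service/" + dn))
    # A DN with a slash inside a value is refused by this example's policy
    slashed = "CN=client1,OU=a/b,C=US"
    print("slashed DN refused:", not is_allowed(slashed, "subscribe", "service/" + slashed))
```

Using the CN keeps the username a single clean topic level; using the full DN works as long as no attribute value contains a topic separator or wildcard character, which is exactly what the check in is_allowed guards against.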

Thanks, that’s exactly what I was hoping to hear!