Testing the MQTT TLS client authentication with command-line tools

Now, we will use the Mosquitto command-line tools to test the client authentication configuration.

The following command specifies the certificate authority certificate file, the client certificate, and the client key. You have to replace ca.crt, board001.crt, and board001.key with the full path to these files created in the certificates directory. However, it is better to copy these files to a new directory, so that we work the way a device would: with only the files that device needs to establish a connection with Mosquitto. As with previous commands, this command uses the -h option followed by the MQTT server host. In this case, we specify the IPv4 address of the computer that is running the Mosquitto MQTT server: 192.168.1.1. Notice that this value must match the IPv4 or IPv6 address that we specified as the value of the Common Name field when we generated the server.csr file, that is, the server certificate signing request; otherwise, the client rejects the server certificate during the TLS handshake. If you used a host name as the value of the Common Name field instead of an IPv4 or IPv6 address, you will have to use the same host name. The mosquitto_sub utility will create an MQTT subscriber that establishes an encrypted connection with Mosquitto and provides the client certificate and client key to perform authentication:

mosquitto_sub -h 192.168.1.1 -V mqttv311 -p 8883 --cafile ca.crt --cert board001.crt --key board001.key -t sensors/+/altitude -d

With a similar syntax, we will use the mosquitto_pub command-line utility included in Mosquitto to generate a simple MQTT client that publishes a message to a topic matching the previously specified topic filter, over an encrypted connection with client authentication. Open a Terminal in macOS or Linux, or a Command Prompt in Windows, go to the directory in which Mosquitto is installed, and run the following command. Remember to replace ca.crt, board001.crt, and board001.key with the full path to these files created in the mqtt_certificates directory. In addition, replace 192.168.1.1 with the IPv4 or IPv6 address that we specified as the value of the Common Name field when we generated the server.csr file, that is, the server certificate signing request. If you used a host name as the value of the Common Name field instead of an IPv4 or IPv6 address, you will have to use the same host name:

mosquitto_pub -h 192.168.1.1 -V mqttv311 -p 8883 --cafile ca.crt --cert board001.crt --key board001.key -t sensors/quadcopter12/altitude -m "361 f" -d
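Both commands above depend on the value passed to -h satisfying TLS server-name verification against the server certificate. The following Python script is an added example, not code from the book: it implements that matching rule so you can check a host value before running mosquitto_sub or mosquitto_pub, and it builds the ssl.SSLContext that a Python MQTT client would use in place of --cafile, --cert and --key. The certificate dictionaries are constructed sample data in the layout returned by ssl.SSLSocket.getpeercert(); the file names ca.crt, board001.crt and board001.key are the book's, and a real client would read them from disk.

```python
"""Preflight check for the -h host value used with mosquitto_sub/mosquitto_pub.

Added example (not from the book). The certificate dicts are constructed
sample data in the shape of ssl.SSLSocket.getpeercert(); no network access.
"""
import ipaddress
import ssl


def _subject_common_names(cert):
    """Collect every commonName found in the certificate subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _dns_match(host, pattern):
    """Case-insensitive DNS name comparison; a single left-most '*' label is allowed."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def host_matches_certificate(host, cert):
    """Return True when `host` (the value given to -h) is acceptable for `cert`.

    This mirrors what a TLS client does: subjectAltName entries are checked
    first, and the subject Common Name is consulted only when the certificate
    carries no subjectAltName at all (the CN-only server.csr from the book is
    exactly that case). An IP address is compared as an address, so IPv6
    spellings such as '::1' and '0:0:0:0:0:0:0:1' are equal.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an address

    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if kind == "IP Address" and ip is not None:
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
            elif kind == "DNS" and ip is None and _dns_match(host, value):
                return True
        return False  # SAN present: the CN is not a fallback

    for cn in _subject_common_names(cert):
        if ip is not None:
            try:
                if ipaddress.ip_address(cn) == ip:
                    return True
            except ValueError:
                continue
        elif _dns_match(host, cn):
            return True
    return False


def mqtt_client_context(cafile, certfile, keyfile):
    """SSLContext equivalent of --cafile/--cert/--key: trust only our CA,
    present the client certificate and key, and verify the server name.
    Only called with real files; see __main__."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


# Constructed sample: a CN-only server certificate like the one the book issues.
SERVER_CERT_CN_ONLY = {"subject": ((("commonName", "192.168.1.1"),),)}

if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.1.2", "broker.local"):
        ok = host_matches_certificate(host, SERVER_CERT_CN_ONLY)
        print(f"-h {host}: {'OK' if ok else 'will fail TLS verification'}")
    # With the book's files in the current directory, this builds the client context:
    # ctx = mqtt_client_context("ca.crt", "board001.crt", "board001.key")
```

Run the script as-is to see which -h values the constructed certificate accepts; with the book's files present, uncomment the last line to build the context a Python MQTT client would hand to its TLS socket.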

Sometimes, it is necessary to revoke a client certificate before it expires, for example when a device is lost or its key is compromised. Mosquitto allows us to specify a PEM-encoded certificate revocation list file: we set the path to this file as the value of the crlfile option in the Mosquitto configuration file, and Mosquitto then rejects connections that present a certificate listed in it.
