Feature

Certificate Wizard

TLS and mTLS without the guesswork. Import your certificates and keys, let the app validate the chain, expiry, hostname and ALPN, and keep every secret in the iOS Keychain.

Certificates, validated before you connect

Securing an MQTT connection is usually where things break. The Certificate Wizard imports your CA, client certificate and private key, checks the trust chain and expiry, matches the hostname against the certificate's SAN/CN, and confirms the ALPN protocol your broker expects.

Works with: Mosquitto with TLS, self-signed brokers, AWS IoT Core (ALPN x-amzn-mqtt-ca), HiveMQ, EMQX and any broker that speaks TLS or mutual TLS.

What it handles

From self-signed to AWS IoT mutual TLS

.p12 / .pfx and PEM

Import a CA, a client certificate and a private key in PKCS#12 or PEM, with passphrase support.

Chain & expiry checks

Validates the trust chain and flags an expired or not-yet-valid certificate before you try to connect.

SAN / CN matching

Catches a hostname mismatch between your broker address and the certificate's Subject Alternative Names.

ALPN & SNI

Set an ALPN protocol list (including AWS IoT's x-amzn-mqtt-ca) and override SNI for brokers behind shared endpoints.

mTLS

Present a client certificate for mutual TLS, with the private key and passphrase kept in the iOS Keychain.

SHA-256 fingerprints

Verify a self-signed or pinned certificate by its fingerprint instead of trusting blindly.

Certificate Wizard — FAQ

Which certificate formats can I import?

PKCS#12 (.p12/.pfx) and PEM, including a CA certificate, a client certificate and a private key. Passphrase-protected keys are supported.

How do I connect to AWS IoT Core?

Import your device certificate and private key, then set the ALPN protocol to x-amzn-mqtt-ca (or use port 8883). The wizard handles SNI automatically and validates the chain.

Where are my private keys stored?

Client certificates, private keys and passphrases are stored in the iOS Keychain — not in the broker profile or any export. Diagnostics redact certificate material.

Why does my TLS connection fail even with the right certificate?

Common causes are an expired chain, a hostname that doesn't match the certificate's SAN/CN, a missing intermediate certificate, or a broker that requires a specific ALPN. The wizard flags each of these so you can see which one applies.
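As an added illustration (not MQTT Commander's own code), the Python sketch below runs three of these checks offline: the validity window, SAN/CN hostname matching, and a pinned SHA-256 fingerprint. It assumes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificate are constructed for this example, and the missing-intermediate and ALPN checks are out of its scope.

```python
import hashlib
import hmac
import ssl

def dns_match(pattern, host):
    """Match one SAN/CN entry; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def names_for(cert):
    """SAN DNS entries; the subject CN is used only when no SAN DNS entry exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def fingerprint_ok(der, pinned):
    """Compare SHA-256 of the DER certificate with a pinned hex fingerprint."""
    actual = hashlib.sha256(der).hexdigest()
    wanted = pinned.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(actual.encode(), wanted.encode())

def preflight(cert, host, now):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if not any(dns_match(n, host) for n in names_for(cert)):
        findings.append("hostname-mismatch")
    return findings

# Constructed sample certificate (not taken from any real broker).
SAMPLE = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("DNS", "*.iot.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
```

Note that `legacy.example.com` is reported as a mismatch for this sample: once a certificate carries SAN DNS entries, the CN is no longer consulted.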

Stop fighting TLS handshakes

The Certificate Wizard ships in MQTT Commander for iPhone and iPad.

Coming soon to the App Store · $2.99