I can see that the network server configuration file has the ability to act as a CA and generate client certs for gateways, but beyond the config file itself I can’t find anything describing how to use this feature. I’m assuming that when a new gateway is added by the API the cert is generated and put in a file somewhere, and I then have to install it on the gateway?
Does the MQTT configuration also get dynamically updated to add a new ACL rule matching the name from the cert to the topic for the gateway?
This is indeed not well documented, but how to do this differs per MQTT broker implementation. In short:
You generate the CA certificate + key file
You configure this in ChirpStack
You generate a cert for the gateway (e.g. through the UI) and configure this on the gateway
At the MQTT broker side you need to configure the CA certificate as well such that the MQTT broker is able to validate the client cert.
You also need to configure the MQTT broker so that it uses the gateway ID in the client certificate as username. Then you can use this username in the topic ACL (e.g. `gateway/%u/#`).
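To make the five steps above concrete, here is an added, self-contained Go example (my own illustration, not ChirpStack's or any broker's code) that walks the whole chain offline: it creates a CA, issues a client certificate for a gateway, then does what the broker does once the CA is configured on its side (verify the client cert chains to that CA and is valid for client auth, take the identity from the cert as username) and applies the `gateway/%u/#` ACL pattern to a few topics. Assumptions: the gateway ID is carried in the certificate's CN (that is what "uses the Gateway ID in the client-certificate as username" relies on), the gateway ID `0102030405060708` is constructed, and the topic matcher is a minimal MQTT filter implementation (`+` and `#`), not a broker's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// signCert fills in a random serial, signs tmpl with priv (parent == tmpl means
// self-signed) and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial // 128-bit random serial: never reuse serials under one CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates the CA certificate + key (the "generate the CA" step).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "gateway CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueGatewayCert issues the gateway's client certificate. Assumption: the
// gateway ID is placed in the CN, which the broker later uses as username.
func issueGatewayCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, gatewayID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: gatewayID},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client cert only, not a server cert
	}
	cert, err := signCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// brokerUsername models the broker side: with the CA configured as the only
// trust anchor, accept the client cert only if it chains to that CA and is
// valid for client auth, then use the CN as the MQTT username.
func brokerUsername(ca, client *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return client.Subject.CommonName, nil
}

// aclAllows expands a pattern such as "gateway/%u/#" with the username and
// applies MQTT topic-filter matching ("+" = one level, "#" = remainder).
func aclAllows(pattern, username, topic string) bool {
	f := strings.Split(strings.ReplaceAll(pattern, "%u", username), "/")
	t := strings.Split(topic, "/")
	for i, part := range f {
		if part == "#" {
			return true
		}
		if i >= len(t) || (part != "+" && part != t[i]) {
			return false
		}
	}
	return len(f) == len(t)
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	const gwID = "0102030405060708" // constructed gateway ID for the example
	gw, _, err := issueGatewayCert(ca, caKey, gwID)
	if err != nil {
		panic(err)
	}
	user, err := brokerUsername(ca, gw)
	fmt.Println("username from cert:", user, err)
	fmt.Println("own topic allowed:  ", aclAllows("gateway/%u/#", user, "gateway/"+gwID+"/event/up"))
	fmt.Println("other gw allowed:   ", aclAllows("gateway/%u/#", user, "gateway/ffffffffffffffff/command/down"))

	// Same gateway ID, but signed by a CA the broker does not trust: must be rejected.
	rogueCA, rogueKey, _ := newCA()
	rogue, _, _ := issueGatewayCert(rogueCA, rogueKey, gwID)
	_, err = brokerUsername(ca, rogue)
	fmt.Println("rogue CA rejected:  ", err != nil)
}
```

On a real Mosquitto listener the equivalent of `brokerUsername` is the `cafile` plus `require_certificate true` and `use_identity_as_username true` settings, and the equivalent of `aclAllows` is an `acl_file` line of the form `pattern readwrite gateway/%u/#`. The rogue-CA case at the end is the reason the answer's fourth step matters: without the CA pinned on the broker, anyone who can mint a certificate with the right CN could claim that gateway's topics.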