Scenarios
"One-device-one-certificate" is a special case of two-way (mutual) authentication. A CA certificate that you issue yourself signs a different client certificate (device certificate) for each client (each device), and each device authenticates with its own certificate.
The TDMQ for MQTT Pro Edition Cluster and Platinum Edition Cluster additionally support the "One-device-one-certificate" feature. You can freely register and manage device CA certificates and client certificates (device certificates) in the product console. Burning a unique device certificate into each device before it leaves the factory significantly reduces the blast radius when a single device certificate is leaked.
Enabling One-Device-One-Certificate
2. In the left sidebar, click Resource > Cluster, select a region, and click the ID of the cluster for which you want to configure a certificate to go to the cluster basic information page.
3. On the Authentication page, go to the X.509 Certificate Management tab, click the edit icon on the right, and complete the certificate configuration in the pop-up window.
Authentication Method: Select the "One-device-one-certificate" option.
Server Certificate Configuration: Use the default server certificate provided by MQTT, or bind a custom certificate subsequently.
CA Certificate Configuration: Currently, only manual upload and registration of CA certificates is supported. After enabling one-device-one-certificate authentication, add CA certificates on the CA Certificate Management page in the cluster details page.
Client Certificate Configuration: Supports automatic registration and manual registration.
Automatic registration: The client registers its client certificate automatically when it connects. You only need to register the associated CA certificate manually.
Manual registration: Before the client connects, its client certificate must be uploaded and registered manually on the client certificate management page. For the steps, see Managing a Client Certificate.
4. Click Submit to complete the authentication method configuration.
Configuring a Certificate
After selecting the authentication method, you need to configure the related certificate. Details and reference documentation are as follows:
| Certificate | Description |
| --- | --- |
| Server certificate | Used by the client to authenticate the server. You can use the default server certificate provided by MQTT or bind a custom certificate. |
| CA certificate | Used to issue client certificates and server certificates, and to verify them. |
| Client certificate | Used by the server to authenticate the client. You can register it automatically or manually. |
Configuring a TLS Version (Optional)
If some devices or SDKs in your cluster support only specific TLS protocol versions, their handshakes with the server's default configuration fail and they cannot connect. Use the TLS Configuration feature to adjust the range of TLS protocol versions the server supports, so that both parties can negotiate a version they both recognize. This resolves compatibility issues caused by version mismatches and lets all components establish secure connections, keeping cluster communication stable.
Note:
After modification, the TLS protocol versions supported by the server take effect immediately and affect all clients that newly connect or reconnect to the cluster. Proceed with caution.
The server supports all versions from TLS 1.0 to TLS 1.3 by default. If modification is required, refer to the following configuration steps:
1. Go to Cluster > Authentication, select the X.509 Certificate Management sub-tab, and click the edit icon on the right side of .
2. In the pop-up window, select the supported TLS version range. Because the TLS protocol only supports enabling a run of consecutive versions or a single version, configure it as follows:
To enable consecutive versions (such as TLS 1.1 and TLS 1.2): select one version as the "Minimum Version" and the other as the "Maximum Version", then click Submit.
To enable only a single version (such as TLS 1.2 only): double-click that version, then click Submit.
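The following is an added example, not TDMQ's own code, that ties together the two mechanisms this page describes: the one-device-one-certificate model (a self-issued CA, one client certificate per device with the device ID in its CN, and a server that refuses any client whose certificate does not chain to the registered CA) and the TLS version range (server minimum/maximum versus what the client supports). It assumes the `openssl` command-line tool is on PATH, which it uses only to mint short-lived test certificates in a temporary directory; the CA names, device IDs and the `broker`/`localhost` server name are constructed for the demo.

```python
"""Added demo (not TDMQ's own code): self-issued CA, one certificate per
device, and a TLS server that requires a client certificate chained to the
registered CA, takes the device id from it, and constrains the TLS version range.
Assumes the `openssl` CLI is on PATH; all names below are constructed."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_ca(workdir, name):
    """Self-issued CA certificate; this is what gets registered in the console."""
    key = os.path.join(workdir, f"{name}.key")
    crt = os.path.join(workdir, f"{name}.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
             "-subj", f"/CN={name}", "-keyout", key, "-out", crt)
    return key, crt

def issue_cert(workdir, ca_key, ca_crt, cn, san=None):
    """Leaf certificate signed by the CA; for devices, CN carries the device id."""
    key = os.path.join(workdir, f"{cn}.key")
    csr = os.path.join(workdir, f"{cn}.csr")
    crt = os.path.join(workdir, f"{cn}.crt")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", f"/CN={cn}", "-keyout", key, "-out", csr)
    extra = []
    if san:  # the server certificate needs a SAN so clients can verify the hostname
        ext = os.path.join(workdir, f"{cn}.ext")
        with open(ext, "w") as f:
            f.write(f"subjectAltName=DNS:{san}\n")
        extra = ["-extfile", ext]
    _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-days", "30", "-out", crt, *extra)
    return key, crt

def _serve_one(ctx, lsock, result):
    """Accept one client; the device identity comes from its verified certificate."""
    conn, _ = lsock.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            result["device_id"] = subject["commonName"]
            result["tls_version"] = tls.version()
            tls.sendall(b"ok")
    except (ssl.SSLError, OSError) as e:  # bad chain, no cert, or version mismatch
        result["server_error"] = str(e)

def run_scenario(ca_crt, server_key, server_crt, dev_key, dev_crt,
                 server_max=ssl.TLSVersion.TLSv1_3,
                 client_min=ssl.TLSVersion.TLSv1_2):
    """Run one handshake on loopback and report what each side observed."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_crt, server_key)
    srv.load_verify_locations(ca_crt)         # the registered CA certificate
    srv.verify_mode = ssl.CERT_REQUIRED       # no device certificate, no session
    srv.minimum_version = ssl.TLSVersion.TLSv1_2
    srv.maximum_version = server_max          # the console's TLS version range

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(ca_crt)         # device verifies the server cert
    cli.load_cert_chain(dev_crt, dev_key)     # the device's own burned-in cert
    cli.minimum_version = client_min

    result = {"client_ok": False}
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        lsock.settimeout(10)
        port = lsock.getsockname()[1]
        t = threading.Thread(target=_serve_one, args=(srv, lsock, result))
        t.start()
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
                with cli.wrap_socket(s, server_hostname="localhost") as tls:
                    result["client_ok"] = tls.recv(2) == b"ok"
        except (ssl.SSLError, OSError) as e:
            result["client_error"] = str(e)
        t.join(10)
    return result

def demo():
    """Three constructed cases: registered device, unregistered CA, version mismatch."""
    with tempfile.TemporaryDirectory() as d:
        ca_key, ca_crt = make_ca(d, "fleet-ca")          # registered in the console
        rogue_key, rogue_crt = make_ca(d, "rogue-ca")    # never registered
        srv_key, srv_crt = issue_cert(d, ca_key, ca_crt, "broker", san="localhost")
        dev_key, dev_crt = issue_cert(d, ca_key, ca_crt, "device-0001")
        bad_key, bad_crt = issue_cert(d, rogue_key, rogue_crt, "device-0002")
        return {
            "registered_device": run_scenario(ca_crt, srv_key, srv_crt, dev_key, dev_crt),
            "unregistered_ca": run_scenario(ca_crt, srv_key, srv_crt, bad_key, bad_crt),
            "version_mismatch": run_scenario(ca_crt, srv_key, srv_crt, dev_key, dev_crt,
                                             server_max=ssl.TLSVersion.TLSv1_2,
                                             client_min=ssl.TLSVersion.TLSv1_3),
        }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In the first case the server learns the device ID (`device-0001`) only from a certificate it has verified against the registered CA, which is the property that limits the blast radius of a leaked certificate to one device. In the second, a certificate from a CA that was never registered is rejected during the handshake even though its CN looks like a valid device. The third case reproduces the mismatch the TLS Configuration section addresses: a server capped at TLS 1.2 and a client that insists on TLS 1.3 cannot agree on a version, so the connection fails before any MQTT traffic. When you narrow the server's range in the console, keep in mind that TLS 1.0 and 1.1 are deprecated by RFC 8996, so TLS 1.2 is the usual minimum unless specific legacy devices require otherwise.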