
Step 1: Enable One-device-one-certificate
Last updated: 2026-01-30 14:55:28

Application Scenarios

"One-device-one-certificate" is a special case of two-way (mutual) TLS authentication. Each client (each device) authenticates with a CA certificate you issue yourself and a distinct client certificate (device certificate) issued by that CA, so no two devices share a certificate.
The TDMQ for MQTT Pro Edition and Platinum Edition clusters additionally support the "One-device-one-certificate" feature. You can register and manage device CA certificates and client certificates (device certificates) freely in the product console. Burning a unique device certificate into each device before it leaves the factory confines the impact of a single leaked device certificate to that one device.

Restrictions and Limitations

Currently, only the Pro Edition/Platinum Edition clusters support using JWT for authentication.

Enable One Device One Certificate

1. Log in to the MQTT Console.
2. Click Resource > Cluster in the left sidebar. After selecting a region, click the "ID" of the cluster for which you want to configure a certificate, and enter the basic information page of the cluster.
3. On the Authentication page, go to the X.509 Certificate Management tab, click the edit icon on the right, and complete the certificate configuration in the pop-up window.
Authentication Method: Select the "One-device-one-certificate" option.
Server Certificate Configuration: You can use the default server certificate provided by MQTT, or bind a custom certificate later.
CA Certificate Configuration: Currently, CA certificates can only be uploaded and registered manually. After enabling One Device One Certificate authentication, add CA certificates on the CA Certificate Management page of the cluster details page.
Client Certificate Configuration: Supports automatic registration and manual registration.
Automatic registration: The client registers its client certificate automatically when it connects; you only need to register the associated CA certificate manually.
Manual registration: Before connecting, you must upload and register the client certificate manually on the client certificate management page. For the procedure, see Step 4: Configure Client Certificates.

4. Click Submit to complete the authentication method configuration.

Configuring Certificates

After selecting the authentication method, configure the related certificates. Details and reference documentation are as follows:
Certificate Type | Description | Reference Documentation
Server certificate | Lets the client authenticate the server. You can use the default server certificate provided by MQTT or bind a custom certificate. |
CA certificate | Issues client certificates and server certificates, and is used to verify the certificates presented. |
Client certificate | Lets the server authenticate the client. Can be registered automatically or manually. |
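The CA certificate and the per-device client certificates described above can be produced with openssl before they are uploaded (the CA certificate to CA Certificate Management, each device certificate either registered manually or presented by the device at connect time). The following shell script is an added example, not Tencent Cloud's code: it builds a self-issued device CA, issues one unique certificate per device, and verifies that a device certificate chains to that CA while one from an unrelated CA is rejected. It assumes openssl is on PATH; the CA name, the device IDs ("device-0001", "device-0002") and the file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Tencent Cloud code): self-issued device CA plus one
# client certificate per device, as used by one-device-one-certificate.
# Assumes openssl on PATH; names, device IDs and paths are placeholders.
set -eu

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
# ca.crt is what gets registered on the CA Certificate Management page.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# issue_device_cert DIR DEVICE_ID: generate a fresh key pair for one device
# and have DIR's CA sign a certificate whose CN is the device ID. Every
# device gets its own key, so a leak exposes only that device.
issue_device_cert() {
    dir=$1; dev=$2
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$dev.key" -out "$dir/$dev.csr" \
        -subj "/CN=$dev" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$dev.csr" -days 365 -sha256 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$dev.crt" >/dev/null 2>&1
    rm -f "$dir/$dev.csr"
}

# verify_device_cert CA_CRT DEVICE_CRT: succeed only if DEVICE_CRT chains to
# CA_CRT, which is the check the broker performs on a connecting device.
verify_device_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# device_id_of DEVICE_CRT: print the subject CN, i.e. the device identity.
device_id_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Usage: build a CA and issue certificates for two devices in a temp dir.
WORK=$(mktemp -d)
make_ca "$WORK" "Example Device CA"
issue_device_cert "$WORK" device-0001
issue_device_cert "$WORK" device-0002
verify_device_cert "$WORK/ca.crt" "$WORK/device-0001.crt" \
    && echo "device-0001 chains to the CA (files in $WORK)"
```

Keep ca.key offline; only ca.crt is uploaded to the cluster. Each device receives its own key and certificate file, and revoking or rotating one device never touches another.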


Configure TLS Version (Optional)

If some devices or SDKs in your cluster only support specific TLS protocol versions, so that they fail the handshake against the default server configuration and cannot connect, you can adjust the range of TLS versions the server accepts with the TLS Protocol Version Configuration feature. Both parties can then negotiate a version they have in common, which resolves the connection failures caused by the version mismatch and lets every component establish a secure connection, keeping cluster communication stable.
Note:
Changes to the TLS protocol versions supported by the server take effect immediately and affect all newly connected and reconnected clients of the cluster. Please exercise caution.
The server supports all versions from TLS 1.0 to TLS 1.3 by default. To change this, follow these configuration steps:
1. Go to Cluster > Authentication, select the X.509 Certificate Management sub-tab, and click the edit icon to the right of the TLS protocol version setting.
2. In the pop-up window, select the supported TLS version range. Because only a consecutive range of versions, or a single version, can be enabled, configure it as follows:
To enable consecutive versions (such as TLS 1.1 and TLS 1.2): First select one version as the "Minimum Version", then select the other as the "Maximum Version", and click Submit to save the configuration.
To enable only a single version (such as TLS 1.2 only): Double-click that version, then click Submit to save the configuration.


