How to register a private CA certificate on the Internet of Things platform

1. Preface

The IoT platform supports the use of private digital certificates for device access identity authentication. To use a private digital certificate, you need to complete the following operations:

① Register the CA certificate on the Internet of Things platform.

② Bind the device's digital certificate to the device identity.

This article describes how to register a private CA certificate on the Internet of Things platform and bind the device certificate to the device.


• Only devices that connect directly over MQTT can use private CA certificates.

• Currently, only East China 2 (Shanghai) supports the use of private CA certificates.

• When using a private CA certificate, only device certificates signed with the RSA algorithm are supported.

• One AliCloud account can register up to 10 private CA certificates.

2. Register private CA certificate

2.1 Make private CA certificate

We use the OpenSSL tool on a Mac to create the private CA certificate.

The command is as follows:

#Generate the private CA certificate and key, valid for 10 years

openssl req -new -x509 -days 3650 -keyout myIoTCARoot.key -out myIoTCARoot.crt

#View CA certificate

openssl x509 -noout -text -in myIoTCARoot.crt

Content of private CA certificate:

2.2 Create the verification certificate

When we register a private CA certificate, the IoT platform requires us to upload a verification certificate created with the private key that corresponds to the private CA certificate. This proves that we hold the private CA certificate.

View the private CA certificate registration code

Log in to the IoT platform console.

In the left navigation bar, select Device Management>CA Certificate.

On the CA Certificate Management page, click Register CA Certificate.

In the Register CA Certificate dialog box, obtain the registration code.

Create the verification certificate

We again use OpenSSL as an example to create the verification certificate. The steps are as follows:

Generate the verification certificate key

#Generate the verification certificate key

openssl genrsa -out verificationCert.key 2048

Generate the verification certificate CSR. For Common Name, enter the private CA certificate registration code obtained from the IoT console.

#Generate the verification certificate CSR

openssl req -new -key verificationCert.key -out verificationCert.csr


Common Name (e.g. server FQDN or YOUR name) []: *****7dc9a483ebbf7e6997b7b****


Create the verification certificate by signing the CSR with the private key of the private CA certificate

#Use the private CA certificate and key to issue the verification certificate

openssl x509 -req -in verificationCert.csr -CA myIoTCARoot.crt -CAkey myIoTCARoot.key -CAcreateserial -out verificationCert.crt -days 300 -sha512

#View the content of the verification certificate

openssl x509 -noout -text -in verificationCert.crt
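
The steps from 2.1 and 2.2 as a script that runs without prompts, followed by a local check of the two properties described above: the verification certificate is signed by the private CA, and its Common Name equals the registration code. This is an added example, not part of the original article; the function names, the CA subject CN=myIoTCARoot, the -nodes and -subj options, and the registration code in the demo are assumptions.

```shell
#!/bin/sh
# Added example: file names follow the article; function names are hypothetical.

# make_ca <dir>: create the private CA certificate and key, valid for 10 years.
# Assumption: -nodes (unencrypted key) and -subj are used only to avoid prompts.
make_ca() {
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -subj "/CN=myIoTCARoot" \
        -keyout "$1/myIoTCARoot.key" -out "$1/myIoTCARoot.crt" 2>/dev/null
}

# make_verification_cert <dir> <registration_code>
# Key -> CSR whose Common Name is the registration code -> cert signed by the CA.
make_verification_cert() {
    openssl genrsa -out "$1/verificationCert.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/verificationCert.key" -subj "/CN=$2" \
        -out "$1/verificationCert.csr" &&
    openssl x509 -req -in "$1/verificationCert.csr" \
        -CA "$1/myIoTCARoot.crt" -CAkey "$1/myIoTCARoot.key" -CAcreateserial \
        -out "$1/verificationCert.crt" -days 300 -sha512 2>/dev/null
}

# check_verification_cert <dir> <registration_code>
# Returns 0 only if the certificate chains to the CA in <dir> AND its subject
# is exactly CN=<registration_code>.
check_verification_cert() {
    openssl verify -CAfile "$1/myIoTCARoot.crt" "$1/verificationCert.crt" \
        >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 \
        -in "$1/verificationCert.crt" | sed -e 's/^subject= *//')
    [ "$cn" = "CN=$2" ]
}

# Run as "sh script.sh demo". The code below is a constructed placeholder,
# not a real registration code from the console.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    code="0123456789abcdef0123456789abcdef"
    make_ca "$dir" && make_verification_cert "$dir" "$code" || exit 1
    if check_verification_cert "$dir" "$code"; then
        echo "OK: $dir/verificationCert.crt is ready to upload"
    else
        echo "FAIL: wrong issuer or Common Name" >&2
        exit 1
    fi
fi
```
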
