MQTT-TLS uses the TLS protocol to encrypt publish/subscribe communication between devices and IoT Platform, ensuring data security.
Background information
When you configure the MQTT CONNECT protocol, take note of the following:
- If multiple physical devices share the same device certificate (ProductKey, DeviceName, and DeviceSecret) or the same credentials (ProductKey, DeviceName, ClientID, and DeviceToken), they disconnect frequently: each newly authenticated device forces the previous one offline, which triggers an automatic reconnection attempt. Issue each physical device its own certificate or credentials.
- The device-side Link SDK automatically reconnects on disconnection. You can monitor device behavior in Simple Log Service.
Direct MQTT client connection
Unencrypted TCP connections pose a high security risk and are disabled by default for new Enterprise instances.
- Use a TLS-encrypted connection to ensure secure communication.
- The device-side Link SDK has TLS encryption pre-configured. No manual setup is required.
- If you develop your own device client, use one of the following root certificates to authenticate the IoT Platform server:
  - Recommended: Alibaba Cloud IoT Platform self-signed certificate. Valid until July 4, 2053. Connect to port 8883.
    Important: You can use the MD5 hash c7a6afb466713832af778a7bcb6d1aef to verify the integrity of the certificate file. This hash only detects a corrupted or truncated download; the server is authenticated by configuring this certificate as the client's CA trust anchor and keeping server certificate verification enabled.
  - GlobalSign R1 root certificate. Valid until January 28, 2028. Connect to port 1883. After expiration, devices must update their CA root certificate to continue TLS verification.
- Connect to the server using an MQTT client.
  - You can use open source MQTT clients to connect. Also refer to the official MQTT documentation.
    Note: Alibaba Cloud does not provide technical support for third-party code.
  - Use a device-side SDK to connect to IoT Platform. For a C example, see MQTT connection. If you develop your own client, configure the following parameters.
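A self-written client should pin the root certificate listed above as its only trust anchor and keep hostname and certificate verification on, rather than disabling verification to get a connection working. The following Python is an added example, not code from the page or from the Link SDK: it checks the downloaded CA file against the documented MD5, builds a client TLS context that trusts only that file, and opens a verified socket on port 8883. The CA file path and the endpoint host are assumptions; the hash and port come from the text above.

```python
import hashlib
import hmac
import socket
import ssl

# Values taken from the page: documented MD5 of the self-signed root CA file and the
# port that goes with it. The CA file path and endpoint host are assumptions.
ROOT_CA_MD5 = "c7a6afb466713832af778a7bcb6d1aef"
TLS_PORT = 8883


def md5_hex(data):
    """Hex MD5 of a byte string (used only as a download-integrity check)."""
    return hashlib.md5(data).hexdigest()


def root_ca_is_intact(pem_bytes, expected_md5=ROOT_CA_MD5):
    """True if the downloaded CA file matches the documented hash.

    This catches a truncated or corrupted download. It is not a trust decision:
    MD5 is collision-broken, and trust comes from using this file as the only
    trust anchor of the TLS context built below.
    """
    actual = md5_hex(pem_bytes).encode("ascii")
    return hmac.compare_digest(actual, expected_md5.lower().encode("ascii"))


def iot_tls_context(ca_path):
    """Client context that trusts only the IoT Platform root CA and verifies the hostname."""
    with open(ca_path, "rb") as fh:
        if not root_ca_is_intact(fh.read()):
            raise ValueError("root CA file does not match the documented MD5")
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_path)   # the system store is deliberately not loaded
    return ctx


def open_mqtt_tls_socket(host, ca_path, port=TLS_PORT, timeout=10.0):
    """TCP+TLS socket to the MQTT endpoint.

    wrap_socket raises ssl.SSLError on any verification failure, so a misconfigured
    or impersonated server never receives a CONNECT packet (and thus no credentials).
    """
    ctx = iot_tls_context(ca_path)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

Hand the returned socket to whatever MQTT library you use, or pass the context from iot_tls_context to the library's TLS setup; the important property is that the context never falls back to the system store or to an unverified connection.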
Parameter: Connection domain name
Description: For the MQTT connection domain names of public instances and Enterprise instances, see View and configure instance endpoints.
Parameter: Variable header, Keep Alive
Description: The CONNECT packet must carry a Keep Alive interval. Valid range: 30 to 1200 seconds. Recommended: 300 seconds or more (increase it on unstable networks). IoT Platform rejects connections whose value is out of range. See the MQTT keepalive section below for how the timeout is computed.
Parameter: MQTT CONNECT message parameters
Description:
For One-Device-One-Secret and One-Product-One-Secret pre-registration authentication: connect using a device certificate (ProductKey, DeviceName, and DeviceSecret).
mqttClientId: clientId+"|securemode=3,signmethod=hmacsha1,timestamp=132323232|"
mqttUsername: deviceName+"&"+productKey
mqttPassword: sign_hmac(deviceSecret,content)
- mqttClientId: The content between the two | characters consists of extension parameters.
  - clientId: A custom client ID. Maximum length: 64 characters. We recommend using the device MAC address or serial number (SN) for easy identification.
  - securemode: The security mode. Valid values: 2 (TLS direct connection) and 3 (TCP direct connection). Use 2 for the MQTT-TLS connection described on this page; 3 is unencrypted and is disabled by default on new Enterprise instances.
  - signmethod: The signature algorithm. Valid values: hmacmd5, hmacsha1, hmacsha256.
  - timestamp: Optional. The current time in milliseconds.
- mqttPassword: Sort the parameters submitted to the server alphabetically by name, concatenate them into `content`, and sign `content` with the DeviceSecret using the specified `signmethod`. Calculation details are in MQTT connection signature example.
- content: A string formed by concatenating each parameter name followed by its value (productKey, deviceName, timestamp, and clientId), after sorting the parameters alphabetically by name.
  Important: productKey and deviceName are required; timestamp and clientId are optional. If you include timestamp or clientId in `content`, the value must be identical to the one set in mqttClientId.
Example:
Assume that clientId = 12345, deviceName = device, productKey = pk, timestamp = 789, signmethod = hmacsha1, and deviceSecret = secret. The following parameters are submitted (this example uses securemode=3, MQTT over TCP):
mqttClientId = 12345|securemode=3,signmethod=hmacsha1,timestamp=789|
mqttUsername = device&pk
mqttPassword = hmacsha1("secret","clientId12345deviceNamedeviceproductKeypktimestamp789").toHexString();
The password is not encrypted but signed: it is the HMAC output rendered as a hexadecimal string. The following is an example result:
FAFD82A3D602B37FB0FA8B7892F24A477F85****
To calculate MQTT signature parameters, follow How to calculate MQTT signature parameters.
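The signing rules above are easy to get subtly wrong (sorting by parameter name, concatenating name plus value, keeping timestamp and clientId identical to the ones in mqttClientId). The following Python is an added example, not code from the page or from the Link SDK: it builds the three CONNECT parameters for a pre-registered device exactly as the worked example does, and adds a hypothetical server-side verifier that parses the `|…|` extension block, recomputes the signature with the advertised signmethod, and compares it in constant time. It defaults to securemode=2 (TLS) where the page's example uses 3, and renders the digest as uppercase hex as in the page's example result. The `lookup_secret` callback and the verifier itself are assumptions about what a broker must do, not a description of IoT Platform internals.

```python
import hashlib
import hmac

# Digest behind each accepted signmethod value (from the page).
SIGN_METHODS = {
    "hmacmd5": hashlib.md5,
    "hmacsha1": hashlib.sha1,
    "hmacsha256": hashlib.sha256,
}


def build_sign_content(product_key, device_name, client_id=None, timestamp=None):
    """Build `content`: name+value pairs concatenated in alphabetical order of name.

    productKey and deviceName are mandatory; clientId and timestamp are included
    only when they are also carried in mqttClientId.
    """
    params = {"productKey": product_key, "deviceName": device_name}
    if client_id is not None:
        params["clientId"] = str(client_id)
    if timestamp is not None:
        params["timestamp"] = str(timestamp)
    return "".join(name + params[name] for name in sorted(params))


def sign(device_secret, content, sign_method="hmacsha1"):
    """HMAC `content` with the DeviceSecret; rendered as uppercase hex like the page's example."""
    digest = SIGN_METHODS[sign_method]
    mac = hmac.new(device_secret.encode("utf-8"), content.encode("utf-8"), digest)
    return mac.hexdigest().upper()


def build_connect_params(product_key, device_name, device_secret, client_id,
                         timestamp=None, secure_mode=2, sign_method="hmacsha1"):
    """Return (mqttClientId, mqttUsername, mqttPassword) for a pre-registered device.

    secure_mode defaults to 2 (TLS); the page's worked example uses 3 (plain TCP).
    """
    ext = "securemode=%d,signmethod=%s" % (secure_mode, sign_method)
    if timestamp is not None:
        ext += ",timestamp=%s" % timestamp
    mqtt_client_id = "%s|%s|" % (client_id, ext)
    mqtt_username = "%s&%s" % (device_name, product_key)
    content = build_sign_content(product_key, device_name, client_id, timestamp)
    return mqtt_client_id, mqtt_username, sign(device_secret, content, sign_method)


def verify_connect(mqtt_client_id, mqtt_username, mqtt_password, lookup_secret):
    """Hypothetical server-side check for the signed scheme (securemode 2 or 3).

    lookup_secret(product_key, device_name) returns the DeviceSecret or None.
    Every malformed input fails closed; the final comparison is constant-time.
    """
    parts = mqtt_client_id.split("|")
    if len(parts) != 3 or parts[2] != "":          # expect  clientId|k=v,k=v|
        return False
    client_id, ext = parts[0], parts[1]
    try:
        ext_params = dict(item.split("=", 1) for item in ext.split(","))
    except ValueError:                             # an item without "="
        return False
    if ext_params.get("securemode") not in ("2", "3"):
        return False
    sign_method = ext_params.get("signmethod")
    if sign_method not in SIGN_METHODS:
        return False
    if "&" not in mqtt_username:
        return False
    device_name, product_key = mqtt_username.split("&", 1)
    secret = lookup_secret(product_key, device_name)
    if secret is None:
        return False
    # Recompute with the same optional parameters the client advertised.
    content = build_sign_content(product_key, device_name, client_id,
                                 ext_params.get("timestamp"))
    expected = sign(secret, content, sign_method)
    return hmac.compare_digest(expected.encode("ascii"),
                               mqtt_password.upper().encode("ascii", "replace"))
```

With the page's inputs, build_sign_content yields "clientId12345deviceNamedeviceproductKeypktimestamp789" and the client ID "12345|securemode=3,signmethod=hmacsha1,timestamp=789|", so the password is exactly hmacsha1("secret", content) as in the example; the DeviceSecret never leaves the device, only the HMAC does.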
For One-Product-One-Secret authentication without pre-registration: connect using ProductKey, DeviceName, ClientID, and DeviceToken.
mqttClientId: clientId+"|securemode=-2,authType=connwl|"
mqttUsername: deviceName+"&"+productKey
mqttPassword: deviceToken
- mqttClientId: The content between the two | characters consists of extension parameters.
  - clientId, deviceToken: The ClientID and DeviceToken obtained from Dynamic device registration over MQTT.
  - securemode: The security mode. For One-Product-One-Secret authentication without pre-registration, this parameter is fixed to -2.
  - authType: The authentication method. For One-Product-One-Secret authentication without pre-registration, this parameter is fixed to connwl.
Examples
The following topics provide connection examples using open source MQTT clients:
MQTT keepalive
The device must send at least one message (for example, a PINGREQ) to IoT Platform within each keepalive interval.
Valid range: 30 to 1,200 seconds. Recommended: 300 seconds or more.
- The heartbeat timer starts when IoT Platform sends the CONNACK message in response to the CONNECT message.
- The timer is reset whenever IoT Platform receives a PUBLISH, SUBSCRIBE, PING (PINGREQ), or PUBACK message from the device.
- IoT Platform checks the keepalive heartbeat of each device every 30 seconds. The waiting time for scheduled detection is the offset between the device's own timer and the platform's 30-second check schedule, so it adds at most 30 seconds.
- Maximum timeout = (keepalive interval × 1.5) + (waiting time for scheduled detection). If no message is received from the device within that period, the server disconnects the device. With the recommended 300-second interval a silent device is therefore dropped after at most 480 seconds; the device itself should send traffic well within each interval rather than relying on that margin.
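The timeout rule above is easiest to understand by replaying traffic against a model of the server-side timer. The following Python is an added example, not IoT Platform code: it reconstructs the timer from the description (starts at CONNACK, reset by the four listed packet types, checked every 30 seconds, dropped once silence exceeds 1.5 × keepalive) and lets you replay a constructed sequence of (time, packet type) events to see when a device would be disconnected. Aligning the scheduled checks to a global 30-second clock is an assumption made to show where the "waiting time for scheduled detection" comes from.

```python
# Constants from the page.
KEEPALIVE_MIN, KEEPALIVE_MAX = 30, 1200      # seconds accepted in CONNECT
CHECK_PERIOD = 30                            # IoT Platform checks every 30 seconds
TIMEOUT_FACTOR = 1.5                         # dropped after keepalive * 1.5 of silence
RESETS_TIMER = {"PUBLISH", "SUBSCRIBE", "PINGREQ", "PUBACK"}   # device packets that reset it


def keepalive_accepted(keep_alive):
    """IoT Platform rejects CONNECT when Keep Alive is outside 30..1200 seconds."""
    return KEEPALIVE_MIN <= keep_alive <= KEEPALIVE_MAX


def max_timeout(keep_alive, wait_for_check):
    """Worst-case seconds of silence before disconnect, per the page's formula."""
    return keep_alive * TIMEOUT_FACTOR + wait_for_check


class KeepaliveWatchdog:
    """Server-side timer as the page describes it (reconstructed model, not platform code)."""

    def __init__(self, keep_alive, connack_time):
        if not keepalive_accepted(keep_alive):
            raise ValueError("Keep Alive %r s is out of range" % keep_alive)
        self.keep_alive = keep_alive
        self.last_seen = connack_time        # timer starts when CONNACK is sent
        self.connected = True

    def on_packet(self, packet_type, now):
        """Only the listed device packets reset the timer."""
        if self.connected and packet_type in RESETS_TIMER:
            self.last_seen = now

    def scheduled_check(self, now):
        """Run every CHECK_PERIOD seconds; returns True once the device has been dropped."""
        if self.connected and now - self.last_seen > self.keep_alive * TIMEOUT_FACTOR:
            self.connected = False
        return not self.connected


def simulate(keep_alive, packets, horizon, connack_time=0):
    """Replay constructed (time, packet_type) events against the watchdog.

    Returns the time of the scheduled check that dropped the device, or None if
    it survived until `horizon`. Checks run on a global 30-second clock (assumed),
    which is what produces the extra "waiting time for scheduled detection".
    """
    wd = KeepaliveWatchdog(keep_alive, connack_time)
    pending = sorted(packets)
    t = (connack_time // CHECK_PERIOD + 1) * CHECK_PERIOD   # first check after CONNACK
    while t <= horizon:
        while pending and pending[0][0] <= t:           # deliver traffic up to this check
            when, ptype = pending.pop(0)
            wd.on_packet(ptype, when)
        if wd.scheduled_check(t):
            return t
        t += CHECK_PERIOD
    return None
```

A device that connects at t=10 with a 30-second keepalive and then stays silent is dropped at the check at t=60, after 50 seconds of silence: 30 × 1.5 = 45 seconds plus a 5-second wait for the next scheduled check, matching max_timeout(30, 5).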