If you use unique-certificate-per-product authentication, the same firmware is burned to all devices of a product. The firmware includes the same product certificate information (ProductKey and ProductSecret). When a device initiates an activation request, IoT Platform authenticates the device. If the device passes the authentication, IoT Platform sends the information that the device requires to connect with IoT Platform.

Background information

Note
  • If you use this authentication method, the product certificate (ProductKey and ProductSecret) may be disclosed because all devices of a product share the same firmware. If this happens, turn off the Dynamic Registration switch on the Product Details page so that IoT Platform rejects authentication requests from new devices.
  • Transport Layer Security (TLS) encryption must be used if you dynamically register the devices based on unique-certificate-per-product authentication. If your device SDK cannot use TLS encryption, you must use the Unique-certificate-per-device authentication method.

The following figure shows the process of unique-certificate-per-product authentication.

Process of unique-certificate-per-product authentication

You can use unique-certificate-per-product authentication in either of the following two ways:

  • Pre-registration unique-certificate-per-product authentication

    Before you connect a device to IoT Platform, you must register the DeviceName in IoT Platform. We recommend that you use the MAC address, IMEI number, or serial number (SN) as the DeviceName. Then, IoT Platform issues a DeviceSecret to the device.

    After IoT Platform authenticates the device, the device uses the ProductKey, DeviceName, and DeviceSecret to establish a connection with IoT Platform.

    Pre-registration unique-certificate-per-product authentication supports MQTT-based connections.

  • Preregistration-free unique-certificate-per-product authentication

    You do not need to pre-register a device in IoT Platform. Instead, you can use an IoT card number as the DeviceName.

    After IoT Platform authenticates the device, the device uses the ProductKey, DeviceName, ClientID, and DeviceToken to establish a connection with IoT Platform.

    Preregistration-free unique-certificate-per-product authentication supports MQTT-based connections.

Procedure

  1. Create a product.
    Create a product in the IoT Platform console. For more information, see Create a product.
  2. Enable dynamic registration.
    On the Product Details page, turn on the Dynamic Registration switch. IoT Platform sends an SMS verification code to confirm your identity.
    Note If dynamic registration is disabled when devices initiate activation requests, IoT Platform rejects the requests. Activated devices are not affected.
    Enable dynamic registration
  3. Add a device.
    • Pre-registration unique-certificate-per-product authentication

      Add a device to the created product. For more information, see Create multiple devices at a time or Create a device.

      IoT Platform authenticates the DeviceName when a device initiates an activation request. We recommend that you use an identifier that can be obtained from the device as the DeviceName. The identifier can be the MAC address, IMEI, or SN of the device.

      Then, IoT Platform issues a DeviceSecret to the device. The initial status of the device is Inactive.

    • If you use preregistration-free unique-certificate-per-product authentication, skip this step.
  4. Burn the device SDK on the production line.
    1. Download the device SDK. For more information, see Link SDK.
    2. Initialize the device SDK and enable dynamic registration. In the device SDK, specify the ProductKey and ProductSecret.
      For more information about how to configure the device SDK to use the unique-certificate-per-product method, see the documentation about authentication and connection in Link SDK.
    3. Develop the device SDK based on your business requirements. For example, you can develop the following features: over-the-air (OTA) update, sub-device connection, Thing Specification Language (TSL) model, and device shadows.
    4. Burn the developed device SDK to the device on the production line.
  5. Connect the device to IoT Platform.
    Power on the device and connect it to IoT Platform. Then, the device carries the ProductKey, ProductSecret, and DeviceName to initiate an authentication request. For more information, see MQTT-based dynamic registration and HTTP-based dynamic device registration.
  6. Activate the device in IoT Platform.
    • Pre-registration unique-certificate-per-product authentication

      After IoT Platform authenticates the device, IoT Platform delivers the DeviceSecret that is issued in Step 3 to the device. The device obtains the device certificate (ProductKey, DeviceName, and DeviceSecret). Then, the device can use the certificate to establish a connection with IoT Platform.

      Note
      • A device certificate can be used to activate only one physical device.
      • If Device A is activated by using the DeviceName but Device B must use this DeviceName, you can delete Device A from IoT Platform and invalidate the DeviceSecret of Device A. Then, you can use the DeviceName to add and activate Device B.
      • To reactivate a device due to the loss of its DeviceSecret, use the ResetThing API operation to reset the device, and then reconnect the device to IoT Platform. IoT Platform issues the same DeviceSecret to the device.
    • Preregistration-free unique-certificate-per-product authentication

      After IoT Platform authenticates the device, IoT Platform issues the ClientID and DeviceToken to the device. Then, the device uses the ProductKey, ProductSecret, ClientID, and DeviceToken to establish a connection with IoT Platform.

      Note A maximum of five physical devices can be activated in IoT Platform with the same ProductKey, ProductSecret, and DeviceName. Each device has a unique ClientID and DeviceToken.

      A DeviceName may be used for multiple physical devices that have different ClientIDs. In this case, the following message appears on the Product Details page of the IoT Platform console: The devices of the current product have multiple ClientIDs. You can retain one physical device or clear all physical devices.

      1. On the Product Details page, click View to view the security-compromised devices of the product.
      2. Choose Devices > Devices. On the page that appears, find the device and click View to go to the Device Details page. The ClientID for the current connection is displayed. Click Switch or Clear next to the ClientID.
        • Switch: Select the ClientID from the drop-down list. Check the first connection time of the device that corresponds to the ClientID, or click Log Service and view IoT Platform logs to determine whether the physical device needs to be retained. Then, you can select the ClientID of the physical device that you want to retain, and click OK. The physical devices that use other ClientIDs cannot be connected.
        • Clear: All physical devices cannot be connected.
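The following Python script is an added example, not code from IoT Platform or the Link SDK. It models the activation rules described in the procedure above: the device side signs its activation request with an HMAC-SHA256 keyed by the ProductSecret (the field layout `deviceName…productKey…random…` is assumed to follow the MQTT-based dynamic registration documentation and is not stated on this page), and a toy platform model enforces the Dynamic Registration switch, the one-certificate-one-device rule for pre-registered DeviceNames, the five-ClientID limit for preregistration-free DeviceNames, the Switch and Clear actions, and ResetThing reissuing the same DeviceSecret. The product certificate values, DeviceNames, and the `PlatformModel` class are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample product certificate; not real credentials.
PRODUCT_KEY = "a1ExamplePK"
PRODUCT_SECRET = "exampleProductSecret0000"
MAX_CLIENT_IDS_PER_DEVICENAME = 5  # limit stated in the procedure above


def sign_register_request(product_key: str, device_name: str, random: str,
                           product_secret: str) -> str:
    """Device side: HMAC-SHA256 over the activation fields.

    Assumption: the signed content is deviceName + productKey + random as in
    the MQTT-based dynamic registration documentation. The ProductSecret is
    used only as the HMAC key and is never placed in the request itself.
    """
    content = f"deviceName{device_name}productKey{product_key}random{random}"
    return hmac.new(product_secret.encode(), content.encode(), hashlib.sha256).hexdigest()


@dataclass
class PlatformModel:
    """Toy model (not the real platform) of the activation rules above."""
    dynamic_registration: bool = True
    # Pre-registration: DeviceName -> {"secret": DeviceSecret, "active": bool}
    preregistered: dict = field(default_factory=dict)
    # Preregistration-free: DeviceName -> {ClientID: DeviceToken}
    connwl: dict = field(default_factory=dict)

    def add_device(self, device_name: str) -> None:
        # Step 3: the platform issues a DeviceSecret; the device starts Inactive.
        self.preregistered[device_name] = {"secret": secrets.token_hex(16), "active": False}

    def _verify(self, product_key: str, device_name: str, random: str, signature: str) -> bool:
        expected = sign_register_request(product_key, device_name, random, PRODUCT_SECRET)
        return product_key == PRODUCT_KEY and hmac.compare_digest(expected, signature)

    def register(self, product_key: str, device_name: str, random: str, signature: str) -> dict:
        # Step 2 note: the switch rejects new activation requests only;
        # devices that are already active are untouched by this method.
        if not self.dynamic_registration:
            return {"error": "dynamic registration disabled"}
        if not self._verify(product_key, device_name, random, signature):
            return {"error": "bad signature"}
        rec = self.preregistered.get(device_name)
        if rec is not None:
            # Step 6, pre-registration: one certificate activates one device.
            if rec["active"]:
                return {"error": "DeviceName already activated"}
            rec["active"] = True
            return {"deviceSecret": rec["secret"]}
        # Preregistration-free: up to five physical devices per DeviceName,
        # each with its own ClientID and DeviceToken.
        clients = self.connwl.setdefault(device_name, {})
        if len(clients) >= MAX_CLIENT_IDS_PER_DEVICENAME:
            return {"error": "ClientID limit reached"}
        client_id = f"{device_name}-{len(clients) + 1}"
        clients[client_id] = secrets.token_hex(16)
        return {"clientId": client_id, "deviceToken": clients[client_id]}

    def compromised_devicenames(self) -> list:
        # The console warning: one DeviceName used by several ClientIDs.
        return sorted(name for name, c in self.connwl.items() if len(c) > 1)

    def switch(self, device_name: str, keep_client_id: str) -> None:
        # Switch: keep one physical device; the others can no longer connect.
        self.connwl[device_name] = {keep_client_id: self.connwl[device_name][keep_client_id]}

    def clear(self, device_name: str) -> None:
        # Clear: no physical device using this DeviceName can connect.
        self.connwl[device_name] = {}

    def reset_thing(self, device_name: str) -> None:
        # ResetThing: the device may reconnect and receives the same DeviceSecret.
        self.preregistered[device_name]["active"] = False


if __name__ == "__main__":
    platform = PlatformModel()
    platform.add_device("00:11:22:33:44:55")  # MAC address used as DeviceName
    nonce = secrets.token_hex(4)
    sig = sign_register_request(PRODUCT_KEY, "00:11:22:33:44:55", nonce, PRODUCT_SECRET)
    print("first activation:", platform.register(PRODUCT_KEY, "00:11:22:33:44:55", nonce, sig))
    print("clone activation:", platform.register(PRODUCT_KEY, "00:11:22:33:44:55", nonce, sig))
    for _ in range(2):  # two physical devices sharing one IoT card DeviceName
        sig = sign_register_request(PRODUCT_KEY, "iotcard-001", nonce, PRODUCT_SECRET)
        platform.register(PRODUCT_KEY, "iotcard-001", nonce, sig)
    print("flagged DeviceNames:", platform.compromised_devicenames())
```

The model makes the page's two detection points explicit: for pre-registered names, a second activation with the same DeviceName is refused outright, and for preregistration-free names the duplicate ClientIDs are what the console surfaces, so `compromised_devicenames()` is the signal an operator would review before choosing Switch or Clear.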