If you use unique-certificate-per-product authentication, the same product certificate is burned to all devices of a product. The product certificate information includes ProductKey and ProductSecret. When a device initiates an activation request, IoT Platform authenticates the device. If the device passes the authentication, IoT Platform sends the information that the device requires to connect with IoT Platform.
The following types of unique-certificate-per-product authentication are available: pre-registration unique-certificate-per-product authentication and preregistration-free unique-certificate-per-product authentication. The following table describes the differences between the two types of authentication methods.
- If you use unique-certificate-per-product authentication, the product certificate may be disclosed because all devices of a product have the same certificate information. On the Product Details page, you can turn off the Dynamic Registration switch to reject authentication requests from new devices.
- Transport Layer Security (TLS) encryption must be used if you dynamically register the devices based on unique-certificate-per-product authentication. If your device SDK cannot use TLS encryption, you must use the unique-certificate-per-device authentication method.
|Item|Preregistration-free unique-certificate-per-product authentication|Pre-registration unique-certificate-per-product authentication|
|---|---|---|
|Protocol|MQTT|HTTP and MQTT|
|Supported regions|China (Shanghai)||
|Feature|You do not need to pre-register the DeviceName of a device in IoT Platform. For more information, see the following "Procedure" section.|You must pre-register the DeviceName of a device in IoT Platform. For more information, see the following "Procedure" section.|
|Limit|A maximum of five physical devices can be activated in IoT Platform with the same ProductKey, ProductSecret, and DeviceName. Each device has a unique ClientID and DeviceToken.||
The following figure shows the process of unique-certificate-per-product authentication.
1. Create a product: Create a product in the IoT Platform console.
2. Enable dynamic registration: On the Product Details page, turn on the Dynamic Registration switch. IoT Platform sends an SMS verification code to confirm your identity.
   Note: If dynamic registration is disabled when devices initiate activation requests, IoT Platform rejects the requests. Activated devices are not affected.
3. Optional: Add a device. If you use pre-registration unique-certificate-per-product authentication, you must add one or more devices to the created product. For more information, see Create multiple devices at a time or Create a device. IoT Platform authenticates the DeviceName when a device initiates an activation request. We recommend that you use an identifier that can be obtained from the device as the DeviceName. The identifier can be the MAC address, International Mobile Equipment Identity (IMEI) number, or serial number (SN) of the device.
   After a device is added, IoT Platform issues a DeviceSecret to the device. The initial status of the device is Inactive.
4. Burn the device SDK on the production line. For more information about how to develop the device SDK for C, see Link SDK.
   - Download the device SDK for C.
   - Initialize the device SDK and enable dynamic registration. In the device SDK, specify the ProductKey and ProductSecret. For more information, see MQTT-based dynamic registration.
   - Develop the device SDK based on your business requirements. For example, you can develop the following features: over-the-air (OTA) update, sub-device connection, Thing Specification Language (TSL) model, and device shadows. For more information, see Link SDK.
   - Burn the developed device SDK to the device on the production line.
5. Connect the device to IoT Platform.
6. Activate the device in IoT Platform.
   - Pre-registration unique-certificate-per-product authentication: After IoT Platform authenticates the device, IoT Platform delivers the DeviceSecret that is issued in Step 3 to the device. The device obtains the device certificate (ProductKey, DeviceName, and DeviceSecret). Then, the device can use the certificate to establish a connection with IoT Platform.
   - Preregistration-free unique-certificate-per-product authentication: After IoT Platform authenticates the device, IoT Platform issues the ClientID and DeviceToken to the device. Then, the device uses the ProductKey, ProductSecret, ClientID, and DeviceToken to establish a connection with IoT Platform.
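The activation decisions described in this procedure can be written down as a small model. This is an added example, not Alibaba Cloud code and not the platform's wire protocol; the `Registrar` class, its method names, and the sample keys are hypothetical, and the device presents the ProductSecret directly here as a simplification.

```python
import hmac
import secrets

MAX_PHYSICAL_DEVICES = 5  # limit stated in the comparison table


class Registrar:
    """Toy model of the platform side; every name here is hypothetical."""

    def __init__(self, product_key, product_secret):
        self.product_key = product_key
        self.product_secret = product_secret
        self.dynamic_registration = True  # the Product Details switch
        self.preregistered = {}           # DeviceName -> DeviceSecret
        self.tokens = {}                  # DeviceName -> {ClientID: DeviceToken}

    def add_device(self, device_name):
        # Step 3: a DeviceSecret is issued when the device is added.
        self.preregistered[device_name] = secrets.token_hex(16)

    def _check(self, product_key, product_secret):
        # Simplification: the shared secret is compared directly.
        if not self.dynamic_registration:
            raise PermissionError("dynamic registration is turned off")
        ok_key = hmac.compare_digest(product_key.encode(), self.product_key.encode())
        ok_secret = hmac.compare_digest(
            product_secret.encode(), self.product_secret.encode())
        if not (ok_key and ok_secret):
            raise PermissionError("product certificate mismatch")

    def activate_preregistered(self, product_key, product_secret, device_name):
        self._check(product_key, product_secret)
        if device_name not in self.preregistered:
            raise PermissionError("DeviceName is not pre-registered")
        return {"DeviceSecret": self.preregistered[device_name]}

    def activate_unregistered(self, product_key, product_secret, device_name):
        # Any holder of the product certificate is served, up to the limit.
        self._check(product_key, product_secret)
        issued = self.tokens.setdefault(device_name, {})
        if len(issued) >= MAX_PHYSICAL_DEVICES:
            raise PermissionError("five physical devices already use this DeviceName")
        client_id = secrets.token_hex(8)
        issued[client_id] = secrets.token_hex(16)
        return {"ClientID": client_id, "DeviceToken": issued[client_id]}
```

In the pre-registration path an unknown DeviceName is refused even with a valid product certificate, while the preregistration-free path relies only on the shared certificate and the five-device limit.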
A DeviceName may be used for multiple physical devices that have different ClientIDs. In this case, the following message appears on the Product Details page of the IoT Platform console: The devices of the current product have multiple ClientIDs. You can retain one physical device or clear all physical devices.
- On the Product Details page, click View to view the security-compromised devices of the product.
- On the page that appears, find the device and click View to go to the Device Details page. The ClientID for the current connection is displayed. Click Switch or Clear next to the ClientID.
  - Switch: Select the ClientID from the drop-down list. Check the first connection time of the device that corresponds to the ClientID, or click Log Service and view IoT Platform logs to determine whether the physical device needs to be retained. Then, select the ClientID of the physical device that you want to retain, and click OK. The physical devices that use other ClientIDs cannot connect to IoT Platform. For more information about IoT Platform logs, see IoT Platform logs.
  - Clear: None of the physical devices can connect to IoT Platform.
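The same check can be run offline over exported connection records to find DeviceNames shared by several ClientIDs and to list each ClientID's first connection time before choosing Switch or Clear. This is an added example, not part of IoT Platform; the log line layout (timestamp, ProductKey, DeviceName, ClientID, event) and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records; the column layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z pk-demo mac-aa11 cid-01 online
2024-03-01T09:12:40Z pk-demo mac-bb22 cid-02 online
2024-03-04T02:31:17Z pk-demo mac-aa11 cid-07 online
2024-03-04T02:45:00Z pk-demo mac-aa11 cid-01 online
2024-03-05T11:00:00Z pk-demo mac-aa11 cid-07 offline
not-a-timestamp pk-demo mac-aa11 cid-99 online
"""


def first_seen_by_client(log_text):
    """Map (ProductKey, DeviceName) -> {ClientID: first connection time}."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "online":
            continue  # only connection events count
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # skip malformed records instead of trusting them
        clients = seen[(parts[1], parts[2])]
        cid = parts[3]
        if cid not in clients or ts < clients[cid]:
            clients[cid] = ts
    return seen


def shared_device_names(log_text):
    """Return DeviceNames used by more than one ClientID, earliest ClientID first."""
    report = {}
    for key, clients in first_seen_by_client(log_text).items():
        if len(clients) > 1:
            report[key] = sorted(clients, key=clients.get)
    return report
```

The ordering by first connection time is an input to the decision about which physical device to retain, not the decision itself.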