If you use unique-certificate-per-product authentication, the same product certificate is burned to all devices of a product. The product certificate information includes ProductKey and ProductSecret. When a device initiates an activation request, IoT Platform authenticates the device. If the device passes the authentication, IoT Platform sends the information that the device requires to connect with IoT Platform.

Background information

The following types of unique-certificate-per-product authentication are available: pre-registration unique-certificate-per-product authentication and preregistration-free unique-certificate-per-product authentication. The following table describes the differences between the two types of authentication methods.

Notice
  • Because every device of a product carries the same ProductKey and ProductSecret, unique-certificate-per-product authentication carries a higher risk that the product certificate is disclosed. On the Product Details page, you can turn off the Dynamic Registration switch to reject authentication requests from new devices; activated devices are not affected.
  • Transport Layer Security (TLS) encryption must be used if you dynamically register the devices based on unique-certificate-per-product authentication. If your device SDK cannot use TLS encryption, you must use the Unique-certificate-per-device authentication method.
In the following comparison, "Preregistration-free" refers to preregistration-free unique-certificate-per-product authentication and "Pre-registration" refers to pre-registration unique-certificate-per-product authentication.

Item: Protocol
  • Preregistration-free: MQTT
  • Pre-registration: HTTP and MQTT

Item: Supported regions
  • Preregistration-free: China (Shanghai)
  • Pre-registration: HTTP protocol: all regions except China (Beijing) and China (Shenzhen). MQTT protocol: all regions that are supported by IoT Platform.

Item: Feature
  • Preregistration-free: You do not need to pre-register the DeviceName of a device in IoT Platform. For more information, see the following "Procedure" section.
  • Pre-registration: You must pre-register the DeviceName of a device in IoT Platform. For more information, see the following "Procedure" section.

Item: Limit
  • Preregistration-free: A maximum of five physical devices can be activated in IoT Platform with the same ProductKey, ProductSecret, and DeviceName. Each device has a unique ClientID and DeviceToken.
  • Pre-registration: A device certificate can be used to activate only one physical device. If Device A is activated by using a DeviceName and Device B must use the same DeviceName, you can delete Device A from IoT Platform and invalidate the DeviceSecret of Device A. Then, you can use the DeviceName to add and activate Device B. If a device must be reactivated because its DeviceSecret is lost, call the ResetThing operation to reset the device status to Inactive, and then reactivate the device. In this case, the DeviceSecret that is issued by IoT Platform remains unchanged.

Process

The following figure shows the process of unique-certificate-per-product authentication.

Process of unique-certificate-per-product authentication

Procedure

  1. Create a product: Create a product in the IoT Platform console.
  2. Enable dynamic registration. On the Product Details page, turn on the Dynamic Registration switch.
    IoT Platform sends an SMS verification code to confirm your identity.
    Note: If dynamic registration is disabled when devices initiate activation requests, IoT Platform rejects the requests. Activated devices are not affected.
    Enable dynamic registration
  3. Optional: Add a device. If you use pre-registration unique-certificate-per-product authentication, you must add one or more devices to the created product. For more information, see Create multiple devices at a time or Create a device.
    IoT Platform authenticates the DeviceName when a device initiates an activation request. We recommend that you use an identifier that can be obtained from the device as the DeviceName. The identifier can be the MAC address, International Mobile Equipment Identity (IMEI) number, or serial number (SN) of the device.

    After a device is added, IoT Platform issues a DeviceSecret to the device. The initial status of the device is Inactive.

  4. Burn the device SDK on the production line.
    For more information about how to develop the device SDK for C, see Link SDK.
    1. Download the device SDK for C.
    2. Initialize the device SDK and enable dynamic registration. In the device SDK, specify the ProductKey and ProductSecret.
      For more information, see MQTT-based dynamic registration.
    3. Develop the device SDK based on your business requirements. For example, you can develop the following features: over-the-air (OTA) update, sub-device connection, Thing Specification Language (TSL) model, and device shadows.
      For more information, see Link SDK.
    4. Burn the developed device SDK to the device on the production line.
  5. Connect the device to IoT Platform.
    Power on the device and connect it to IoT Platform. Then, the device carries the ProductKey, ProductSecret, and DeviceName to initiate an authentication request. For more information, see MQTT-based dynamic registration and HTTP-based dynamic device registration.
  6. Activate the device in IoT Platform.
    • Pre-registration unique-certificate-per-product authentication: After IoT Platform authenticates the device, IoT Platform delivers the DeviceSecret that is issued in Step 3 to the device. The device obtains the device certificate (ProductKey, DeviceName, and DeviceSecret). Then, the device can use the certificate to establish a connection with IoT Platform.
    • Preregistration-free unique-certificate-per-product authentication: After IoT Platform authenticates the device, IoT Platform issues the ClientID and DeviceToken to the device. Then, the device uses the ProductKey and ProductSecret, ClientID, and DeviceToken to establish a connection with IoT Platform.

      A DeviceName may be used for multiple physical devices that have different ClientIDs. In this case, the following message appears on the Product Details page of the IoT Platform console: The devices of the current product have multiple ClientIDs. You can retain one physical device or clear all physical devices.

      1. On the Product Details page, click View to view the security-compromised devices of the product.
      2. Choose Devices > Devices. On the page that appears, find the device and click View to go to the Device Details page. The ClientID for the current connection is displayed. Click Switch or Clear next to the ClientID.
        • Switch: Select the ClientID from the drop-down list. Check the first connection time of the device that corresponds to the ClientID, or click Log Service and view IoT Platform logs to determine whether the physical device needs to be retained. Then, you can select the ClientID of the physical device that you want to retain, and click OK. The physical devices that use other ClientIDs cannot be connected to IoT Platform.

          For more information about IoT Platform logs, see IoT Platform logs.

        • Clear: All physical devices cannot be connected to IoT Platform.
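The following added example models the exchange that the table and the procedure above describe, with the device side and a simulated platform side in one runnable file. It is not IoT Platform code or Link SDK code. The layout of the MQTT CONNECT fields (the clientId option string, the `authType` values `register` and `regnwl`, the `deviceName…productKey…random…` signing string, and the field names of the payload returned to the device) follows my reading of the MQTT-based dynamic registration document and must be checked against that page before use; the platform side is an in-memory stand-in, and every ProductKey, ProductSecret and DeviceName value is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_CLIENTS_PER_DEVICENAME = 5  # preregistration-free cap stated on the page


def sign_registration(product_key, product_secret, device_name, nonce):
    """Device side: HMAC-SHA256 over the identity fields, keyed with the ProductSecret.
    Field order follows the MQTT-based dynamic registration document as I read it (assumption)."""
    msg = f"deviceName{device_name}productKey{product_key}random{nonce}"
    return hmac.new(product_secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def build_connect_params(product_key, product_secret, device_name, auth_type, nonce=None):
    """Device side: MQTT CONNECT fields for one registration request.
    auth_type is 'register' (pre-registration) or 'regnwl' (preregistration-free); both names assumed."""
    nonce = nonce or secrets.token_hex(8)
    return {
        "clientId": f"{device_name}|securemode=2,authType={auth_type},random={nonce},signmethod=hmacsha256|",
        "username": f"{device_name}&{product_key}",
        "password": sign_registration(product_key, product_secret, device_name, nonce),
    }


@dataclass
class Product:
    product_key: str
    product_secret: str
    dynamic_registration: bool = True               # the Dynamic Registration switch
    devices: dict = field(default_factory=dict)     # DeviceName -> {"secret", "status"} (pre-registered)
    client_ids: dict = field(default_factory=dict)  # DeviceName -> {ClientID: DeviceToken} (preregistration-free)


class Platform:
    """In-memory stand-in for the platform side of the exchange (constructed, not the real service)."""

    def __init__(self):
        self.products = {}

    def create_product(self, product_key, product_secret):
        self.products[product_key] = Product(product_key, product_secret)

    def add_device(self, product_key, device_name):
        """Step 3: pre-register a DeviceName; a DeviceSecret is issued and the status is Inactive."""
        self.products[product_key].devices[device_name] = {"secret": secrets.token_hex(16), "status": "Inactive"}

    def reset_thing(self, product_key, device_name):
        """ResetThing: back to Inactive so the device can be reactivated; the DeviceSecret is unchanged."""
        self.products[product_key].devices[device_name]["status"] = "Inactive"

    def handle_register(self, params):
        """Steps 5 and 6: authenticate the request and return the payload delivered to the device."""
        device_name, opts, _ = params["clientId"].split("|")
        opts = dict(kv.split("=", 1) for kv in opts.split(","))
        product_key = params["username"].split("&", 1)[1]
        product = self.products.get(product_key)
        if product is None or not product.dynamic_registration:
            raise PermissionError("unknown product or dynamic registration disabled")
        expected = sign_registration(product_key, product.product_secret, device_name, opts["random"])
        if not hmac.compare_digest(expected, params["password"]):
            raise PermissionError("signature does not verify under the ProductSecret")
        if opts["authType"] == "register":
            dev = product.devices.get(device_name)
            if dev is None:
                raise PermissionError("DeviceName is not pre-registered")
            if dev["status"] == "Active":
                raise PermissionError("this certificate already activated a physical device")
            dev["status"] = "Active"
            return {"productKey": product_key, "deviceName": device_name, "deviceSecret": dev["secret"]}
        if opts["authType"] == "regnwl":
            issued = product.client_ids.setdefault(device_name, {})
            if len(issued) >= MAX_CLIENTS_PER_DEVICENAME:
                raise PermissionError("five physical devices already use this DeviceName")
            client_id, token = secrets.token_hex(8), secrets.token_hex(16)
            issued[client_id] = token
            return {"productKey": product_key, "deviceName": device_name, "clientId": client_id, "deviceToken": token}
        raise PermissionError("unsupported authType")

    def devices_with_multiple_client_ids(self, product_key):
        """The console's 'multiple ClientIDs' warning: DeviceNames shared by several physical devices."""
        return sorted(n for n, ids in self.products[product_key].client_ids.items() if len(ids) > 1)


def demo():
    """Run both modes end to end with placeholder credentials; returns values worth checking."""
    pf = Platform()
    pf.create_product("a1PlaceholderPK", "placeholder-product-secret")  # constructed values
    pf.add_device("a1PlaceholderPK", "SN-0001")
    first = pf.handle_register(build_connect_params("a1PlaceholderPK", "placeholder-product-secret", "SN-0001", "register"))
    try:  # a second physical device presenting the same pre-registered DeviceName is rejected
        pf.handle_register(build_connect_params("a1PlaceholderPK", "placeholder-product-secret", "SN-0001", "register"))
        second_accepted = True
    except PermissionError:
        second_accepted = False
    for _ in range(2):  # preregistration-free: two physical devices sharing one DeviceName
        pf.handle_register(build_connect_params("a1PlaceholderPK", "placeholder-product-secret", "MAC-AABBCC", "regnwl"))
    return first["deviceSecret"], second_accepted, pf.devices_with_multiple_client_ids("a1PlaceholderPK")


if __name__ == "__main__":
    print(demo())
```

The model makes the Notice above concrete: the only input the platform can verify is an HMAC keyed with a secret that every device of the product shares, so a disclosed ProductSecret yields valid requests for any DeviceName. The controls the page describes are the ones the stand-in enforces: the Dynamic Registration switch, the pre-registered-DeviceName check and single activation in pre-registration mode, the five-device cap in preregistration-free mode, and the multiple-ClientID audit that drives the Switch and Clear actions.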