IoT Platform:Unique-certificate-per-product verification

Last Updated:Sep 01, 2023

If you use unique-certificate-per-product verification, the same product certificate is burned to all devices of a product. The product certificate information includes the ProductKey and ProductSecret. When a device initiates an activation request, IoT Platform verifies the device. If the device passes the verification, IoT Platform sends the required information for the device to connect to IoT Platform.

Background information

The following unique-certificate-per-product verification methods are supported: pre-registration unique-certificate-per-product verification and preregistration-free unique-certificate-per-product verification. The following table describes the differences between the verification methods.

Important
  • If you use unique-certificate-per-product verification, the certificate information may be disclosed because all devices of a product have the same certificate information. On the Product Details page, you can turn off Dynamic Registration to reject verification requests from new devices.

  • If you dynamically register the devices based on unique-certificate-per-product verification, you must use Transport Layer Security (TLS) encryption. If your device SDK does not support TLS encryption, you must use the Unique-certificate-per-device verification method.

Protocol

  • Preregistration-free unique-certificate-per-product verification: Message Queuing Telemetry Transport (MQTT)

  • Pre-registration unique-certificate-per-product verification: HTTPS and MQTT

Supported regions

  • Preregistration-free unique-certificate-per-product verification: China (Shanghai) and China (Beijing)

  • Pre-registration unique-certificate-per-product verification:

    • HTTP protocol: all regions except the China (Beijing) and China (Shenzhen) regions.

    • MQTT protocol: all regions that are supported by IoT Platform.

Supported instance types

  • Preregistration-free unique-certificate-per-product verification: Enterprise Edition instances

  • Pre-registration unique-certificate-per-product verification: Enterprise Edition instances and public instances

Features

  • Preregistration-free unique-certificate-per-product verification: You do not need to pre-register the DeviceName of a device in IoT Platform.

  • Pre-registration unique-certificate-per-product verification: You must pre-register the DeviceName of a device in IoT Platform. The sub-devices of a gateway support only pre-registration unique-certificate-per-product verification.

Limits

  • Preregistration-free unique-certificate-per-product verification: Up to five physical devices that have the same ProductKey, ProductSecret, and DeviceName can be activated in the IoT Platform console. Each device has a unique ClientID and DeviceToken.

  • Pre-registration unique-certificate-per-product verification:

    • A device certificate can be used to activate only one physical device. If Device A is activated by using a DeviceName but Device B must use that DeviceName, you can delete Device A in the IoT Platform console and disable the DeviceSecret of Device A. You can then use the DeviceName to add and activate Device B.

    • If a device needs to be reactivated because its DeviceSecret is lost, you must call the ResetThing operation to reset the device status to Inactive. Then, you can reactivate the device. In this case, the DeviceSecret that IoT Platform issued remains unchanged.

Process

The following figure shows the unique-certificate-per-product verification process.

[Figure: unique-certificate-per-product verification process]

Dynamic registration for directly connected devices

Directly connected devices can be dynamically registered by using pre-registration unique-certificate-per-product verification or preregistration-free unique-certificate-per-product verification.

Pre-registration unique-certificate-per-product verification

  1. Create a product: When you create a product, set the Node Type parameter to Directly Connected Device.

  2. Enable dynamic registration. On the Product Details page, turn on the Dynamic Registration switch.

    IoT Platform sends an SMS verification code to verify your identity.

    Note

    If dynamic registration is disabled when devices initiate activation requests, IoT Platform rejects the requests. Activated devices are not affected.

    [Figure: Enable dynamic registration]

  3. Create a device or create multiple devices at the same time. If you use pre-registration unique-certificate-per-product verification, you must add one or more devices to an existing product.

    • IoT Platform verifies the DeviceName when a device initiates an activation request. We recommend that you use an identifier that can be obtained from the device as the DeviceName. The identifier can be the MAC address, International Mobile Equipment Identity (IMEI) number, or serial number (SN) of the device.

    • After a device is added, IoT Platform issues a DeviceSecret to the device. The initial status of the device is Inactive.

  4. Burn the device certificate on the device: Develop the device SDK to complete the step.

    1. Select the protocol that is used to connect the device to IoT Platform. Valid values: MQTT and HTTPS.

      The following topics describe how to register and verify a device:

    2. Develop a device SDK based on your business requirements. For example, you can develop the following features: communication by using topics defined in the Thing Specification Language (TSL) model, communication by using custom topics, over-the-air (OTA) updates, and device shadows.

      For more information about device-side development, see Use a device SDK to connect a device to IoT Platform.

      Important

      If you use Link SDK for C provided by IoT Platform, you must use Link SDK for C of version 4.x on your device. The SDK integrates the device verification service (DAS) that allows you to manage the security risks of devices.

      If you do not use Link SDK for C of version 4.x on your device, Alibaba Cloud shall not be liable for security risks that may arise.

    3. Burn the developed device SDK on the device in the production line.

  5. Power on the device and connect the device to IoT Platform. The device sends a verification request that contains the ProductKey, ProductSecret, and DeviceName.

  6. Activate the device in IoT Platform.

    After IoT Platform verifies the device, IoT Platform delivers the DeviceSecret that is issued in Step 3 to the device. The device obtains the device certificate (ProductKey, DeviceName, and DeviceSecret). Then, the device can use the certificate to connect to IoT Platform.

Preregistration-free unique-certificate-per-product verification

  1. Create a product: When you create a product, set the Node Type parameter to Directly Connected Device.

  2. Enable dynamic registration. On the Product Details page of an existing product, turn on Dynamic Registration.

    IoT Platform sends an SMS verification code to verify your identity.

    Note

    If dynamic registration is disabled when devices initiate activation requests, IoT Platform rejects the requests. Activated devices are not affected.

    [Figure: Enable dynamic registration]

  3. Burn the device certificate on the device: Develop a device SDK to complete the step.

    1. Select the protocol that is used to connect the device to IoT Platform. Valid value: MQTT.

      To register and verify a device, see MQTT-based dynamic registration.

    2. Develop a device SDK based on your business requirements. For example, you can develop the following features: communication by using topics defined in the TSL model, communication by using custom topics, OTA updates, and device shadows.

      For more information about device-side development, see Use a device SDK to connect a device to IoT Platform.

      Important

      If you use Link SDK for C provided by IoT Platform, you must use Link SDK for C of version 4.x on your device. This SDK integrates the DAS that allows you to manage the security risks of devices.

      If you do not use Link SDK for C of version 4.x on your device, Alibaba Cloud shall not be liable for security risks that may arise.

    3. Burn the developed device SDK on the device in the production line.

  4. Power on the device and connect the device to IoT Platform. The device sends a verification request that contains the ProductKey, ProductSecret, and DeviceName.

  5. Activate the device in IoT Platform.

    • After IoT Platform verifies the device, IoT Platform issues the ClientID and DeviceToken to the device. Then, the device uses the ProductKey, ProductSecret, ClientID, and DeviceToken to connect to IoT Platform.

    • A DeviceName can be used for multiple physical devices that have different ClientIDs. In this case, the following message appears on the Product Details page of the IoT Platform console: The devices of the current product have multiple ClientIDs. To retain one physical device or clear all physical devices, perform the following steps:

      1. On the Product Details page, click View next to the message to view the security-compromised devices of the product.

      2. Choose Devices > Devices. On the page that appears, find the device and click View to go to the Device Details page. The ClientID for the current connection is displayed. Click Switch or Clear next to the ClientID.

        • Switch: Select the ClientID from the drop-down list. Check the first connection time of the device that corresponds to the ClientID, or click Log Service and view IoT Platform logs to check whether the physical device must be retained. Then, select the ClientID of the physical device that you want to retain, and click OK. The physical devices that use other ClientIDs cannot be connected to IoT Platform.

          Note

          For more information about IoT Platform logs, see IoT Platform logs.

        • Clear: No physical device can connect to IoT Platform.
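The activation rules of the two procedures above (the Dynamic Registration switch, one activation per pre-registered certificate, ResetThing, the five-ClientID limit per DeviceName, and Switch/Clear), as an added Python model that is not IoT Platform code; every function name is hypothetical and the issued secrets are random placeholders.

```python
# Added illustration of the activation rules described above; not IoT Platform code.
# Every name here is hypothetical and the issued secrets are random placeholders.
import secrets

def new_product(product_key, product_secret, pre_registration=True):
    return {"key": product_key, "secret": product_secret, "pre": pre_registration,
            "dynamic_registration": True, "devices": {}}

def add_device(product, device_name):
    """Pre-registration mode: the console issues the DeviceSecret up front, status Inactive."""
    rec = {"secret": secrets.token_hex(16), "status": "Inactive"}
    product["devices"][device_name] = rec
    return rec["secret"]

def activate(product, product_key, product_secret, device_name):
    """Decide an activation request; returns (accepted, payload_or_reason)."""
    if (product_key, product_secret) != (product["key"], product["secret"]):
        return False, "product certificate mismatch"
    if not product["dynamic_registration"]:
        # Only new requests are rejected; credentials already issued keep working.
        return False, "dynamic registration disabled"
    if product["pre"]:
        rec = product["devices"].get(device_name)
        if rec is None:
            return False, "DeviceName not pre-registered"
        if rec["status"] != "Inactive":
            return False, "certificate already used to activate a device"
        rec["status"] = "Active"
        return True, {"DeviceSecret": rec["secret"]}
    # Preregistration-free: each physical device gets its own ClientID/DeviceToken.
    rec = product["devices"].setdefault(device_name, {"clients": {}})
    if len(rec["clients"]) >= 5:  # Limits row: up to five physical devices per DeviceName
        return False, "DeviceName already used by five physical devices"
    client_id, token = secrets.token_hex(8), secrets.token_hex(16)
    rec["clients"][client_id] = token
    return True, {"ClientID": client_id, "DeviceToken": token}

def reset_thing(product, device_name):
    """ResetThing: back to Inactive so the device can reactivate; DeviceSecret unchanged."""
    product["devices"][device_name]["status"] = "Inactive"

def multi_client_names(product):
    """DeviceNames the console would flag: multiple ClientIDs behind one name."""
    return [n for n, r in product["devices"].items() if len(r.get("clients", {})) > 1]

def switch_or_clear(product, device_name, keep=None):
    """Switch keeps one ClientID; keep=None is Clear (no physical device can connect)."""
    clients = product["devices"][device_name]["clients"]
    product["devices"][device_name]["clients"] = {keep: clients[keep]} if keep in clients else {}
```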

Dynamic registration for sub-devices

Important

The dynamic registration methods for gateways are the same as the dynamic registration methods for directly connected devices. However, sub-devices of gateways can be dynamically registered only by using the pre-registration unique-certificate-per-product verification method. To complete dynamic registration for a sub-device, perform the following steps:

  1. Create a product: Create a product for a gateway and a product for a sub-device. When you create a product for the gateway, set the Node Type parameter to Gateway Device. When you create a product for the sub-device, set the Node Type parameter to Gateway Sub-device.

  2. Enable dynamic registration. On the Product Details page of the products to which the gateway and the sub-device belong, turn on Dynamic Registration.

    IoT Platform sends an SMS verification code to verify your identity.

    Note

    If dynamic registration is disabled when devices initiate activation requests, IoT Platform rejects the requests. Activated devices are not affected.

  3. Add one or more devices to the products to which the gateway and the sub-device belong. For more information, see Create multiple devices at a time or Create a device.

    • IoT Platform verifies the DeviceName when a device initiates an activation request. We recommend that you use an identifier that can be obtained from the device as the DeviceName. The identifier can be the MAC address, International Mobile Equipment Identity (IMEI) number, or serial number (SN) of the device.

    • After a device is added, IoT Platform issues a DeviceSecret to the device. The initial status of the device is Inactive.

  4. Perform the following steps to burn the device certificate to the sub-device.

    1. Configure the device certificate and endpoint of the gateway, and use the Link SDK of the gateway to initialize an instance to manage the sub-device. Then, configure the topological relationship between the gateway and the sub-device and register the sub-device. For more information, see MQTT-based dynamic registration and MQTT-based dynamic registration for sub-devices.

      For more information about how to manage topological relationships between gateways and sub-devices, see Manage topological relationships.

    2. Develop a device SDK based on your business requirements. For example, you can develop a feature to allow the gateway to implement messaging for the sub-device.

      For more information about device-side development, see Use a device SDK to connect a device to IoT Platform.

    3. Burn the device SDK of the gateway and the ProductKey of the sub-device to the gateway, and burn the sub-device certificate to the sub-device in the production line.

  5. Power on the gateway and sub-device and connect them to IoT Platform. The gateway sends a verification request that contains the ProductKey and DeviceName of the sub-device to IoT Platform.

  6. Activate the gateway and sub-device in the IoT Platform console.

    For more information about how to activate a gateway, see Dynamic registration for directly connected devices. For more information about how to connect a sub-device to IoT Platform by using a gateway, see Connect or disconnect sub-devices.