ApsaraMQ for MQTT:Configure multi-domain certificates

Last Updated:Aug 01, 2025

ApsaraMQ for MQTT allows you to configure multi-domain certificates. This topic describes how to configure a multi-domain certificate.

Scenarios

If multiple custom domain names are mapped to the domain name of an ApsaraMQ for MQTT instance by CNAME records and clients use those custom domain names to access the instance, each custom domain name needs its own server certificate.

Prerequisites

  • An ApsaraMQ for MQTT Enterprise Platinum Edition instance is created. Only instances of this edition support the feature.

  • Multiple domain names are mapped to the domain name of the ApsaraMQ for MQTT instance using CNAME records. For more information, see CNAME record.

  • Mutual authentication is enabled for the ApsaraMQ for MQTT instance, and multiple server certificates are uploaded. For more information about server certificates, see Manage server certificates.

Procedure

Step 1: Start the service using a server certificate

  1. Log on to the ApsaraMQ for MQTT console. In the left-side navigation pane, click Instances.

  2. In the top navigation bar, select the region where the instance that you want to manage resides. On the Instances page, click the instance name to go to the Instance Details page.

  3. In the left-side navigation pane, choose Certificates > Server Certificate.

  4. Click the Mutual Authentication tab. In the dialog box that appears, select a server certificate and click Enable Service in the Actions column.

    • After you click Enable Service, the ApsaraMQ for MQTT instance is restarted. The restart requires approximately 5 to 10 minutes to complete. After the instance is restarted, clients can use the server certificate to authenticate the broker.

    • After you enable the service, mutual authentication is enabled and one-way authentication is disabled on port 8883.

  5. In the message that appears, read the notes and click OK.

Step 2: Make an API call to configure a multi-domain certificate

  • API operation

    OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

  • Request parameters

    Parameter: MqttInstanceId
    Type: string
    Required: Yes
    Description: The ID of the ApsaraMQ for MQTT instance.
    Example: mqtt-cn-xxxxxx

    Parameter: DefaultCertificate
    Type: string
    Required: Yes
    Description: The ID of the default certificate. If the domain name that you access cannot be matched to any certificate of the broker, the default certificate is returned.
    Example: 15xxxxxx-cn-hangzhou

    Parameter: SniConfig
    Type: string
    Required: Yes
    Description: The Server Name Indication (SNI) configuration, which maps domain names to certificates. If the certificate of Domain Name A is A1 and the certificate of Domain Name B is B1, the value is in the format Domain Name A#ID of A1#Password of A1 (optional);Domain Name B#ID of B1#Password of B1 (optional). Entries are separated by semicolons and fields within an entry by number signs.
    Example: mqtt-test001.aliyuncs.com#15xxxxx-cn-hangzhou;mqtt-test002.aliyuncs.com#16xxxxx-cn-hangzhou

    You can obtain the certificate IDs and domain names that make up the SniConfig value in the ApsaraMQ for MQTT console. In this example, the mqtt-test001.aliyuncs.com and mqtt-test002.aliyuncs.com test domain names are used.
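    The following helpers build a SniConfig value from (domain, certificate ID, optional password) entries, parse one back with basic validation, and check the Success field of the response shown in the next section. This is an added example, not code from ApsaraMQ for MQTT or its SDKs; the entry format is taken from this page, while the function names and the sample certificate IDs are assumptions. Rejecting duplicate domain names matters because two entries for one domain would make the broker's certificate selection ambiguous.

```python
"""Helpers for the SniConfig request parameter and the Success response field.

Added example; not code from ApsaraMQ for MQTT or its SDKs. The entry format
(domain#certificateId#password, entries joined by ';') comes from the page;
the function names and sample values are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# One SNI entry: domain name, certificate ID, optional certificate password.
SniEntry = Tuple[str, str, Optional[str]]


def build_sni_config(entries: List[SniEntry]) -> str:
    """Serialise (domain, certificate_id, password) triples into the SniConfig
    string: fields separated by '#', entries separated by ';'."""
    parts = []
    for domain, cert_id, password in entries:
        if not domain or not cert_id:
            raise ValueError("domain and certificate ID are both required")
        for field in (domain, cert_id, password or ""):
            if "#" in field or ";" in field:
                raise ValueError("field %r contains a reserved separator" % field)
        fields = [domain, cert_id]
        if password:  # the password field is optional
            fields.append(password)
        parts.append("#".join(fields))
    return ";".join(parts)


def parse_sni_config(value: str) -> Dict[str, SniEntry]:
    """Parse a SniConfig string into a mapping keyed by domain name.
    Malformed entries and duplicate domains are rejected."""
    result: Dict[str, SniEntry] = {}
    for raw in value.split(";"):
        fields = raw.split("#")
        if len(fields) not in (2, 3) or not all(fields[:2]):
            raise ValueError("malformed SniConfig entry: %r" % raw)
        domain, cert_id = fields[0].strip().lower(), fields[1].strip()
        password = fields[2] if len(fields) == 3 and fields[2] else None
        if domain in result:
            raise ValueError("domain %s is listed twice" % domain)
        result[domain] = (domain, cert_id, password)
    return result


def configuration_succeeded(response: dict) -> bool:
    """The sample response on this page carries Success as the string "true";
    accept both that string form and a JSON boolean."""
    success = response.get("Success")
    return success is True or str(success).lower() == "true"


if __name__ == "__main__":
    # Constructed sample values; the certificate IDs are placeholders.
    entries = [
        ("mqtt-test001.aliyuncs.com", "15xxxxx-cn-hangzhou", None),
        ("mqtt-test002.aliyuncs.com", "16xxxxx-cn-hangzhou", None),
    ]
    sni = build_sni_config(entries)
    print(sni)
    print(parse_sni_config(sni))
```

    Pass the string returned by build_sni_config as the SniConfig parameter of the API call, together with MqttInstanceId and DefaultCertificate.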


  • Response parameters

    If true is returned for Success, the configuration is successful; if false is returned for Success, the configuration failed.

    {
      "RequestId": "9B5505EB-D2F3-5258-886D-**********",
      "Success": "true"
    }

Step 3: Verify the multi-domain certificate locally

  1. Modify the hosts file so that the custom domain names resolve to the instance endpoint. xxx.xxx.xxx.xxx indicates the IP address of the endpoint of the ApsaraMQ for MQTT instance.

    #	127.0.0.1       localhost
    #	::1             localhost
    
    xxx.xxx.xxx.xxx mqtt-test001.aliyuncs.com
    xxx.xxx.xxx.xxx mqtt-test002.aliyuncs.com
  2. Use the sample code to test whether messages can be sent as expected and to verify that the multi-domain certificates are configured correctly.

    Download the sample code mqtt-demo, replace the parameters in the MQ4IoTBiSSLProducerDemo.java class, and then run the code to test whether messages can be sent as expected.

    Note
    • Before using the sample code, you must configure the MQTT_AK_ENV and MQTT_SK_ENV environment variables. For information about how to configure these variables, see Configure an access credential.

    • You must create the topics and groups used in the code in advance.

    • Replace the endPoint parameter in the code with mqtt-test001.aliyuncs.com or mqtt-test002.aliyuncs.com configured in the hosts file for testing.

    If the following result is returned when you run the code against each of the domain names in turn, the multi-domain certificate is in effect.

    connect success
    send msg succeed topic is : topic/testMq4Iot
    send msg succeed topic is : topic/p2p/xxx

    You can also use a packet capture tool to verify that the certificate returned matches the SNI configuration: when mqtt-test002.aliyuncs.com is accessed, the certificate returned should be the one mapped to that domain name in SniConfig.

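    The same check can be done without a packet capture tool or a hosts-file edit: open a TLS connection to the endpoint IP address while sending each custom domain name as the SNI value, and compare the DNS names in the certificate the broker returns with the domain name that was sent. The block below is an added example written for this page, not code from the mqtt-demo sample project; the endpoint IP, CA file and client certificate paths are placeholders (assumptions), while port 8883 and the mutual-authentication requirement come from the page. The hostname-matching helper is exercised on a constructed certificate dictionary so the offline part can be run anywhere.

```python
"""Verify which server certificate the broker serves for each SNI value.

Added example; not code from the ApsaraMQ for MQTT sample project. Endpoint
IP, domain names and certificate paths are placeholders.
"""
import socket
import ssl
from typing import List, Optional

# Constructed certificate dictionary in the shape SSLSocket.getpeercert()
# returns, used for the offline check below.
SAMPLE_CERT = {
    "subject": ((("commonName", "mqtt-test002.aliyuncs.com"),),),
    "subjectAltName": (("DNS", "mqtt-test002.aliyuncs.com"), ("DNS", "*.test.example")),
}


def cert_dns_names(cert: dict) -> List[str]:
    """DNS names a parsed certificate is valid for: subjectAltName DNS entries
    plus the subject commonName as a legacy fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return [n.lower() for n in names]


def hostname_in_cert(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate. A wildcard is honoured
    only in the left-most label and matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in cert_dns_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def fetch_broker_cert(endpoint_ip: str, sni_hostname: str, port: int = 8883,
                      ca_file: Optional[str] = None,
                      client_cert: Optional[str] = None,
                      client_key: Optional[str] = None) -> dict:
    """Connect to the instance endpoint IP, send sni_hostname as the SNI value
    and return the parsed leaf certificate. Mutual authentication is enabled on
    port 8883, so a client certificate and key are loaded when supplied;
    ca_file is the CA that issued the server certificates."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    with socket.create_connection((endpoint_ip, port), timeout=10) as raw:
        # server_hostname sets the SNI value and drives hostname verification,
        # so a certificate for the wrong domain fails here with
        # SSLCertVerificationError instead of being silently accepted.
        with ctx.wrap_socket(raw, server_hostname=sni_hostname) as tls:
            return tls.getpeercert()


def check_domains(endpoint_ip: str, domains: List[str], **kwargs) -> dict:
    """Map each domain to the DNS names of the certificate the broker served,
    or to the TLS/connection error that was raised."""
    report = {}
    for domain in domains:
        try:
            cert = fetch_broker_cert(endpoint_ip, domain, **kwargs)
            report[domain] = cert_dns_names(cert)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[domain] = "TLS failure: %s" % exc
    return report


if __name__ == "__main__":
    # Offline check on the constructed certificate.
    print(hostname_in_cert(SAMPLE_CERT, "mqtt-test002.aliyuncs.com"))
    # Live check: replace the placeholder IP and paths with real values.
    # print(check_domains("xxx.xxx.xxx.xxx",
    #                     ["mqtt-test001.aliyuncs.com", "mqtt-test002.aliyuncs.com"],
    #                     ca_file="ca.pem", client_cert="client.pem", client_key="client.key"))
```

    A domain that reports a TLS failure, or whose returned names do not include the domain itself, is one whose SniConfig entry or uploaded certificate should be revisited; a domain that is absent from SniConfig is expected to receive the DefaultCertificate.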