ApsaraMQ for MQTT allows you to use X.509 certificates for mutual authentication. Server certificates authenticate ApsaraMQ for MQTT brokers, and device certificates authenticate ApsaraMQ for MQTT clients. This topic describes how to manage certificates in the ApsaraMQ for MQTT console.
Usage notes
Only Enterprise Platinum Edition instances support mutual authentication.
Background information
Authenticate brokers on clients
ApsaraMQ for MQTT clients use server certificates to authenticate ApsaraMQ for MQTT brokers. A client can connect to a broker only if the server certificate passes validation. To use a server certificate, you must purchase or issue the certificate, host the certificate in Certificate Management Service, and then restart the ApsaraMQ for MQTT instance for the certificate to take effect.
For more information, see Manage server certificates.
Authenticate clients on brokers
ApsaraMQ for MQTT brokers use device certificates to authenticate ApsaraMQ for MQTT clients. When a client initiates a request to connect to a broker, the client and the broker interact over TLS 1.2. During this interaction, the client passes the device certificate to the broker, and the broker validates the certificate against the Certificate Authority (CA) certificate that the client registered with the broker. The client can connect to the broker only if the device certificate passes validation.
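
The chain check described above can be reproduced locally before you register a CA certificate. The following script is an added example, not ApsaraMQ for MQTT code: it uses the `openssl` command-line tool as a stand-in for the broker's validation, and the CA names and device IDs are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: CA names and device IDs below are made up.
set -eu

# make_ca DIR NAME: create a self-signed CA key and certificate (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_device_cert DIR CA_NAME DEVICE: create a device key and a certificate signed by CA_NAME.
issue_device_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}

# broker_accepts CA_PEM DEVICE_PEM: true only if the device certificate chains to CA_PEM.
# Chain check only: in a real TLS handshake the client must also prove it holds the private key.
broker_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir" registered-ca      # the CA registered with the broker
    make_ca "$dir" unregistered-ca    # a CA the broker has never seen
    issue_device_cert "$dir" registered-ca device-001
    issue_device_cert "$dir" unregistered-ca device-002
    for dev in device-001 device-002; do
        if broker_accepts "$dir/registered-ca.pem" "$dir/$dev.pem"; then
            echo "$dev: accepted"
        else
            echo "$dev: rejected"
        fi
    done
    rm -rf "$dir"
}

demo
```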