Bu sayfa henüz yerel dilinizde mevcut değildir. Daha fazla dil seçeneği eklemek için yoğun bir şekilde çalışıyoruz. Desteğiniz için teşekkür ederiz.

Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
Cloud Phone Host
Huawei Cloud EulerOS
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT Device Access
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
Distributed Database Middleware
Database and Application Migration UGO
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
Intelligent EdgeCloud
SAP Cloud
High Performance Computing
Developer Services
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
Help Center/ IoT Device Access/ Best Practices/ Device Access/ Connecting a Device That Uses the X.509 Certificate Based on MQTT.fx

Connecting a Device That Uses the X.509 Certificate Based on MQTT.fx

Updated on 2025-03-03 GMT+08:00

This section uses MQTT.fx as an example to describe how to connect devices to IoTDA using the native MQTT protocol. MQTT.fx is a widely used MQTT client. Using MQTT.fx, you can easily verify whether devices can interact with IoTDA to publish or subscribe to messages.

An X.509 certificate is a digital certificate used for communication entity authentication. IoTDA allows devices to use their X.509 certificates for authentication. The use of X.509 certificate authentication protects devices from being spoofed.



  • Only MQTT devices can use X.509 certificates for identity authentication.
  • You can upload a maximum of 100 device CA certificates.

X.509-based Authentication

  • The complete two-way certificate authentication is as follows:

  • Two-way certificate authentication:

Obtaining Device Access Information

Perform the following procedure to obtain device access information on the IoTDA console:

  1. Log in to the IoTDA console.
  2. In the navigation pane, choose Overview and click Access Details in the Instance Information area to check the device access information and record domain names and ports.

    Figure 1 Obtaining access information

    For devices that cannot be connected to the platform using a domain name, run the ping Domain name command in the CLI to obtain the corresponding IP address. Then you can connect the devices to the platform using the IP address. The IP address is variable and needs to be set using a configuration item.

Creating a Product

  1. Log in to the console, choose Products in the navigation pane, and click Create Product on the left.

    Figure 2 Creating a product

  2. Set the parameters as prompted and click OK.

    Basic Information

    Resource Space

    The platform automatically allocates the created product to the default resource space. You can also select an existing resource space from the drop-down list or create one.

    Product Name

    Customize the value. The name can contain letters, numbers, underscores (_), and hyphens (-).


    Select MQTT.

    Data Type

    Select JSON.


    Set this parameter as required.

    Device Type

    Set this parameter as required.

    Advanced Settings

    Product ID

    Set a unique identifier for the product. If this parameter is specified, the platform uses the specified product ID. If this parameter is not specified, the platform allocates a product ID.

    Figure 3 Creating a product - MQTT

Developing a Product Model

  1. Click the created product. The product details page is displayed.
  2. On the Basic Information tab page, click Customize Model to add services of the product.
  3. Add the Connectivity service.

    1. On the Add Service page, configure Service ID, Service Type, and Description, and click OK.
      • Service ID: Enter Connectivity.
      • Service Type: You are advised to set this parameter to the same value as Service ID.
      • Description: Enter Connectivity.
        Figure 4 Adding a service - Connectivity
    2. Choose Connectivity, click Add Property, enter related information, and click OK.
      • Property Name: Enter dailyActivityTime.
      • Data Type: Select Integer.
      • Access Permissions: Select Read.
      • Value Range: Set it to 0 to 65535.
      • Step: Enter 1.
      • Unit: Enter s.
        Figure 5 Adding a property - dailyActivityTime

  4. Add the Battery service.

    1. On the Basic Information tab page, click Add Service, configure Service ID, Service Type, and Description, and click OK.
      • Service ID: Enter Battery.
      • Service Type: You are advised to set this parameter to the same value as Service ID.
      • Description: Enter Battery.
        Figure 6 Adding a service - Battery
    2. Choose Battery, click Add Property, enter related information, and click OK.
      • Property Name: Enter batteryLevel.
      • Data Type: Select Integer.
      • Access Permissions: Select Read.
      • Value Range: Set it to 0–100.
      • Step: Enter 1.
      • Unit: Enter %.
        Figure 7 Adding a property - batteryLevel (Battery)

Uploading a Device CA certificate

  1. In the navigation pane, choose Devices > Device Certificates. On the Device CA Certificates tab page, select a resource space and click Upload Certificate.
  2. In the displayed dialog box, click Select File to add a file, and then click OK.

    Figure 8 Device CA certificate - Uploading a certificate
    • Device CA certificates are provided by device vendors. You can prepare a commissioning certificate during commissioning. For security reasons, you are advised to replace the commissioning certificate with a commercial certificate during commercial use.
    • CA certificates cannot be used to verify server certificates upon expiration. Replace these certificates before expiration dates to ensure that devices can connect to the IoT platform properly.

Making a Device CA Commissioning Certificate

This section uses the Windows operating system as an example to describe how to use OpenSSL to make a commissioning certificate. The generated certificate is in PEM format.

  1. Download and install OpenSSL.
  2. Open the CLI as user admin.
  3. Run cd c:\openssl\bin (replace c:\openssl\bin with the actual OpenSSL installation directory) to access the OpenSSL view.
  4. Generate a public/private key pair.
    openssl genrsa -out rootCA.key 2048
  5. Use the private key in the key pair to generate a CA certificate.
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

    The system prompts you to enter the following information. All the parameters can be customized.

    • Country Name (2 letter code) [AU]: country, for example, CN

    • State or Province Name (full name) []: state or province, for example, GD

    • Locality Name (for example, city) []: city, for example, SZ

    • Organization Name (for example, company) []: organization, for example, Huawei

    • Organizational Unit Name (for example, section) []: organization unit, for example, IoT

    • Common Name (e.g. server FQDN or YOUR name) []: common name, for example, zhangsan

    • Email Address []: email address, for example, 1234567@163.com

    Obtain the generated CA certificate rootCA.pem from the bin folder in the OpenSSL installation directory.

Uploading a Verification Certificate

If the uploaded certificate is a commissioning certificate, the certificate status is Unverified. In this case, upload a verification certificate to verify that you have the CA certificate.

Figure 9 Device CA certificate - Unverified certificate

The verification certificate is created based on the private key of the device CA certificate. Perform the following operations to create a verification certificate:

  1. Obtain the verification code to verify the certificate.

    Figure 10 Device CA certificate - Verifying a certificate
    Figure 11 Device CA certificate - Obtaining the verification code

  2. Generate a key pair for the verification certificate.

    openssl genrsa -out verificationCert.key 2048

  3. Create a certificate signing request (CSR) for the verification certificate.

    openssl req -new -key verificationCert.key -out verificationCert.csr

    The system prompts you to enter the following information. Set Common Name to the verification code and set other parameters as required.

    • Country Name (2 letter code) [AU]: country, for example, CN

    • State or Province Name (full name) []: state or province, for example, GD

    • Locality Name (for example, city) []: city, for example, SZ

    • Organization Name (for example, company) []: organization, for example, Huawei

    • Organizational Unit Name (for example, section) []: organization unit, for example, IoT

    • Common Name (e.g. server FQDN or YOUR name) []: verification code for verifying the certificate. For details on how to obtain the verification code, see 1.

    • Email Address []: email address, for example, 1234567@163.com

    • Password[]: password, for example, 1234321
    • Optional Company Name[]: company name, for example, Huawei

  4. Use the CSR to create a verification certificate.

    openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256

    Obtain the generated verification certificate verificationCert.pem from the bin folder of the OpenSSL installation directory.

  5. Locate the target certificate, click , and click Upload Verification Certificate.

    Figure 12 Device CA certificate - Verifying a certificate

  6. In the displayed dialog box, click Select File to add a file, and then click OK.

    Figure 13 Device CA certificate - Uploading a verified certificate

    After the verification certificate is uploaded, the certificate status changes to Verified, indicating that you have the CA certificate.

Presetting an X.509 Certificate

Before registering an X.509 device, preset the X.509 certificate issued by the CA on the device.


The X.509 certificate is issued by the CA. If no commercial certificate issued by the CA is available, you can create a device CA commissioning certificate.

Creating an X.509 Commissioning Certificate

  1. Run cmd as user admin to open the CLI and run cd c:\openssl\bin (replace c:\openssl\bin with the actual OpenSSL installation directory) to access the OpenSSL view.
  2. Generate a public/private key pair.
    openssl genrsa -out deviceCert.key 2048
  3. Create a CSR.
    openssl req -new -key deviceCert.key -out deviceCert.csr

    The system prompts you to enter the following information. All the parameters can be customized.

    • Country Name (2 letter code) [AU]: country, for example, CN

    • State or Province Name (full name) []: state or province, for example, GD

    • Locality Name (for example, city) []: city, for example, SZ

    • Organization Name (for example, company) []: organization, for example, Huawei

    • Organizational Unit Name (for example, section) []: organization unit, for example, IoT

    • Common Name (e.g. server FQDN or YOUR name) []: common name, for example, zhangsan

    • Email Address []: email address, for example, 1234567@163.com

    • Password[]: password, for example, 1234321
    • Optional Company Name[]: company name, for example, Huawei
  4. Create a device certificate using CSR.
    openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256

    Obtain the generated device certificate deviceCert.pem from the bin folder in the OpenSSL installation directory.

Registering a Device Authenticated by an X.509 Certificate

  1. Log in to the IoTDA console.
  2. In the navigation pane, choose Devices > All Devices, click Register Device, set parameters based on the table below, and click OK.

    Figure 14 Device - Registering an X.509 device



    Resource Space

    Select the resource space to which the device belongs.


    Select the product to which the device belongs.

    If no product is available, create a product first.

    Node ID

    Set this parameter to the IMEI, MAC address, or serial number of the device. If the device is not a physical one, set this parameter to a custom character string that contains letters and digits.

    Device Name

    Customize the device name.

    Authentication Type

    X.509 certificate: The device uses an X.509 certificate for identity verification.


    This parameter is displayed when Authentication Type is set to X.509 certificate. Import the fingerprint corresponding to the preset device certificate on the device side. You can run openssl x509 -fingerprint -sha256 -in deviceCert.pem in the OpenSSL view to query the fingerprint. Note: Delete the colon (:) from the obtained fingerprint when filling it.

Performing Connection Authentication

You can activate the device registered with the platform by using MQTT.fx. For details, see Device Connection Authentication.

  1. Download MQTT.fx (64-bit OS) or MQTT.fx (32-bit OS) and install it.

    • Install the latest MQTT.fx tool. Download it.
    • MQTT.fx 1.7.0 and earlier versions have problems in processing topics containing $. Use the latest version for test.

  2. Go to the IoTDA client ID generator page, enter the device ID and secret generated after registering a device to generate connection information (including ClientId, Username, and Password).


    You can set DeviceSecret to any value, for example, 12345678.

    Figure 15 Obtaining ClientId








    The value of this parameter consists of a device ID, device type, password signature type, and timestamp. They are separated by underscores (_).

    • Device ID: A device ID uniquely identifies a device and is generated when the device is registered with IoTDA. The value usually consists of a device's product ID and node ID which are separated by an underscore (_).
    • Device type: The value is fixed at 0, indicating a device ID.
    • Password signature type: The length is 1 byte, and the value can be 0 or 1.
      • 0: The timestamp is not verified using the HMAC-SHA256 algorithm.
      • 1: The timestamp is verified using the HMAC-SHA256 algorithm.
    • Timestamp: The UTC time when the device was connected to IoTDA. The format is YYYYMMDDHH. For example, if the UTC time is 2018/7/24 17:56:20, the timestamp is 2018072417.




    Device ID.

    Each device performs authentication using the MQTT CONNECT message, which must contain all information of the client ID. After receiving a CONNECT message, IoTDA checks the authentication type and password digest algorithm of the device.

    The generated client ID is in the format Device ID_0_0_Timestamp. By default, the timestamp is not verified.

    • If the timestamp needs to be verified using the HMAC-SHA256 algorithm, the platform checks whether the message timestamp is consistent with the platform time and then checks whether the password is correct.
    • If the timestamp does not need to be verified using the HMAC-SHA256 algorithm, the timestamp must also be contained in the CONNECT message, but the platform does not check whether the time is correct. In this case, only the password is checked.

    If the authentication fails, the platform returns an error message and automatically disconnects the MQTT connections.

  3. Open the MQTT.fx tool and click the setting icon.

    Figure 16 Settings

  4. Enter Connection Profile information.

    Figure 17 Using default settings for parameters on the General tab page



    Broker Address

    Enter the device access address (domain name) obtained from the IoTDA console. If the device cannot be connected using a domain name, enter the IP address obtained in 2.

    Broker Port

    Enter 8883.

    Client ID

    Enter the device client ID obtained in 2.

  5. Click User Credentials and specify User Name.

    Figure 18 Entering the device ID



    User Name

    Enter the device ID obtained in 2.


    Leave it blank when the X.509 certificate is used for authentication.

  6. Click SSL/TLS, set authentication parameters, and click Apply. Select Enable SSL/TLS, select Self signed certificates, and enter the certificate information.

    Figure 19 Setting SSL/TLS parameters

    CA File: corresponding CA certificate. Download the certificate from Obtaining Resources and load the PEM certificate.

    Client Certificate File: device certificate (deviceCert.pem).

    Client Key File: private key (deviceCert.key) of the device.

  7. Click Connect. If the device authentication is successful, the device is displayed online on the platform.

    Figure 20 Device list - Device online status

Reporting Data

Use MQTT.fx to report data to the platform. For details, see Reporting Device Properties in the API Reference.

If the device reports data through the MQTT channel, the data must be sent to the specified topic. The format of the topic for reporting the data is $oc/devices/{device_id}/sys/properties/report, where {device_id} is the device ID returned after device registration.

  1. Enter the API address in the format of "$oc/devices/{device_id}/sys/properties/report", for example, $oc/devices/5e4e2e92ac-164aefa8fouquan1/sys/properties/report.

    Figure 21 Entering the API address

  2. Enter the data to report.

    Request parameters








    Service data list. (For details, see the ServiceProperty structure below.)

    ServiceProperty structure








    Service ID.




    Service properties, which are defined in the product model of the device.




    UTC time when the device reports data. The format is yyyyMMddTHHmmssZ, for example, 20161219T114920Z.

    If this parameter is not carried in the reported data or is in incorrect format, the time when IoTDA receives the data is used.

    Example request

        "services": [{
                "service_id": "Connectivity",
                "properties": {
                    "dailyActivityTime": 57
                "event_time": "20151212T121212Z"
                "service_id": "Battery",
                "properties": {
                    "batteryLevel": 80
                "event_time": "20151212T121212Z"
    Figure 22 Example request

  3. Click Publish. Then you can check whether the device successfully reports data on the platform.

    Figure 23 Viewing reported property - batteryLevel

Sitemizi ve deneyiminizi iyileştirmek için çerezleri kullanırız. Sitemizde tarama yapmaya devam ederek çerez politikamızı kabul etmiş olursunuz. Daha fazla bilgi edinin





Selected Content

Submit selected content with the feedback