Context
Change Type: Announcement
Product area: Platform services
Component: MQTT
Technical details
Build artifact: mqtt-service
Description
Caution
This change only affects the new Cumulocity MQTT Service capability.
The existing Cumulocity Core MQTT capability is not affected.
Introduction
To strengthen identity assurance for certificate-authenticated MQTT clients, the Cumulocity MQTT Service will begin enforcing Common Name (CN) validation during client certificate authentication.
Currently, the MQTT Service accepts certificates where the CN does not match the MQTT client ID.
After this change, the CN must match the client ID used during connection.
This tight binding of certificates to devices will significantly reduce the risk of certificate misuse.
What is changing?
When an MQTT client connects using certificate-based authentication, the Common Name (CN) in the certificate must match the MQTT device ID.
MQTT clients may identify themselves using either of the following client ID formats:
<deviceId> – standard format
d:<deviceId> – supported only for legacy SmartREST devices migrating to the MQTT Service. This format must not be used for new devices.
However, in both cases, the certificate’s CN must be:
CN == <deviceId>
Any certificate whose CN does not equal the device ID will fail authentication.
Only certificate-authenticated clients are affected; all other authentication methods remain unchanged.
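A pre-flight check for this rule, as an added example (Go, not Cumulocity's own code): it strips the legacy d: prefix from the client ID, reads the CN from a PEM certificate and reports whether the connection would be accepted once enforcement begins. The self-signed certificate and the device IDs are constructed fixtures; run it against a device's issued certificate and its configured client ID before the grace period ends.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DeviceIDFromClientID strips the legacy SmartREST "d:" prefix; in both client ID formats the CN must equal the bare deviceId.
func DeviceIDFromClientID(clientID string) string {
	return strings.TrimPrefix(clientID, "d:")
}

// CheckPEM parses a PEM certificate and applies the announced rule CN == <deviceId>.
func CheckPEM(pemBytes []byte, clientID string) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	cn := cert.Subject.CommonName
	return cn != "" && cn == DeviceIDFromClientID(clientID), nil
}

// SelfSignedCertPEM is a constructed fixture with the given CN, used only to exercise the check offline.
func SelfSignedCertPEM(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed cases: standard ID, legacy ID, CN carrying the prefix, CN of another device.
	for _, c := range [][2]string{{"device-001", "device-001"}, {"device-001", "d:device-001"},
		{"d:device-001", "d:device-001"}, {"gateway-7", "device-001"}} {
		ok, err := CheckPEM(SelfSignedCertPEM(c[0]), c[1])
		fmt.Printf("CN=%q clientID=%q accepted=%v err=%v\n", c[0], c[1], ok, err)
	}
}
```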
Impact on existing MQTT clients
This is a breaking change.
Devices using certificates whose CN does not match the device ID will fail authentication once enforcement begins.
Customers should verify and update their certificate issuance processes during the grace period.
Please contact Cumulocity Support if you have any questions or concerns about these changes.
Roll-out plan
Info
Because the Cumulocity MQTT Service is currently in Public Preview, it is not subject to the standard 6-month compatibility notice period defined in the Cumulocity IoT Compatibility policy.
To allow a smooth transition, CN validation will be introduced no sooner than four weeks after this announcement.