January 22, 2026 - MQTT Service enforces Common Name validation for certificate authentication

cumulocity · January 23, 2026, 7:07am

Context

Change Type: API change
Product area: Platform services
Component: MQTT
Deployed at: eu.latest.cumulocity.com, apj.cumulocity.com, jp.cumulocity.com, cumulocity.com, us.cumulocity.com, emea.cumulocity.com

Technical details

Build artifact: mqtt-service (0.9.44)

Description

Caution
This change only affects the new Cumulocity MQTT Service capability.

The existing Cumulocity Core MQTT capability is not affected.

Introduction

As previously announced, the Cumulocity MQTT Service now enforces Common Name (CN) validation during client certificate authentication.

This update strengthens identity assurance by ensuring a tight binding between a device’s identity and the certificate it presents. By requiring the certificate’s CN to match the MQTT client identifier, we significantly reduce the risk of certificate misuse across different devices.

What is changing?

When an MQTT client connects using certificate-based authentication, the platform now validates that the Common Name (CN) field in the provided certificate matches the MQTT Client ID.

To ensure backward compatibility and support for legacy migration patterns, the validation logic supports the following matching rules:

MQTT client ID format	Valid certificate CN	Description
`<deviceId>`	`CN = <deviceId>`	Standard format for new devices.
`d:<deviceId>`	`CN = <deviceId>` OR `CN = d:<deviceId>`	Supported for legacy SmartREST devices migrating to MQTT Service.

Any connection attempt where the certificate CN does not align with these rules will now be rejected with an authentication failure.

Impact and required actions

This is a breaking change for any environment where devices were previously using “generic” certificates or certificates where the CN did not strictly match the device identifier.

Existing devices: If your devices use certificates with mismatched CNs, they will no longer be able to connect. You must rotate these certificates to align with the device’s MQTT Client ID.
Certificate issuance: Update your provisioning workflows to ensure the Common Name field is automatically populated with the unique device identifier.
Authentication methods: This change specifically targets certificate-based authentication. Clients using username/password are unaffected.

Why we are making this change

Aligning the certificate identity with the protocol identity is a security best practice. It prevents “impersonation” scenarios where a valid certificate stolen from one device could be used to authenticate as a different device ID, ensuring higher integrity for your IoT data.

Topic	Replies	Views
December 2, 2025 - MQTT Service will enforce Common Name validation for certificate-authenticated clients Platform services mqtt , device-connectivity , platform-services , Announcement	13	December 3, 2025
December 11, 2025 - Improved device certificate enrollment validation Platform services authentication , platform-services , Improvement	6	December 12, 2025
January 23, 2026 - Removal of deprecated features from the MQTT Service Platform services mqtt , device-connectivity , platform-services , Announcement	11	January 24, 2026
July 30, 2024 - Added support for device certificate authentication Platform services authentication , platform-services , Feature	9	March 17, 2025
August 7, 2025 - MQTT Service device isolation is enabled by default Platform services mqtt , device-connectivity , platform-services , Api-change	20	August 8, 2025