Cumulocity IoT Feedback Portal
Status Future consideration
Categories Data in Motion
Created by Florian Huber
Created on Jun 22, 2021

Serve custom certificate on MQTT port 8883 when using custom domain

Currently, when using a custom domain name, the UI/REST API is accessible by this custom domain name.

But the data ingestion by MQTT does not work using the same custom domain name because the certificate validation will fail on the client side, because the returned certificate is not for the custom domain but - in our case - for *.emea.cumulocity.com.


NB: Turning off client-side certificate validation is of course - in general - a possibility, but our security department would not "like" it. Also, in our case it's actually not possible since the MQTT stack used on our embedded device doesn't allow turning off cert validation.


Regarding why is this required:

  • For one, this is inconsistent, requiring one to remember two different domain names for the same "thing".

  • But also, having to remember a non-custom domain name containing "tricky" names like t738833.emea.cumulocity.com is a bit annoying.

  • Further, we have a business requirement stating that our customers should not be able to see the name Cumulocity anywhere, i.e. also not in the MQTT endpoint.


NB: See also ticket #5444457.
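
The validation failure described in the post above, as an added example that is not part of the original post or of Cumulocity's own code: a conservative RFC 6125-style SAN check showing why a `*.emea.cumulocity.com` certificate covers the tenant hostname but not a custom domain, plus a `probe` helper that performs the same validated handshake an MQTT client would. The custom hostname `iot.example.com` and all function names are assumptions made for illustration.

```python
import socket
import ssl


def san_covers(hostname: str, san: str) -> bool:
    """True if one dNSName SAN entry covers hostname (conservative matching)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "" in host:
        return False  # "*" never spans more than one label
    if any("*" in label for label in pat[1:]):
        return False  # wildcard is only honoured in the left-most label
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return "*" not in pat[0] and host == pat  # partial wildcards are rejected


def covering_sans(hostname: str, sans: list[str]) -> list[str]:
    """SAN entries that make the certificate valid for hostname."""
    return [s for s in sans if san_covers(hostname, s)]


def probe(hostname: str, port: int = 8883, timeout: float = 5.0):
    """Live check: TLS handshake with SNI and full validation, as a client does."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                entries = tls.getpeercert().get("subjectAltName", ())
                return True, [v for k, v in entries if k == "DNS"]
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


PLATFORM_SANS = ["*.emea.cumulocity.com"]    # certificate described in the post
TENANT_HOST = "t738833.emea.cumulocity.com"  # hostname quoted in the post
CUSTOM_HOST = "iot.example.com"              # constructed custom domain

if __name__ == "__main__":
    for name in (TENANT_HOST, CUSTOM_HOST):
        print(name, "covered by", covering_sans(name, PLATFORM_SANS) or "nothing")
```

Calling `probe()` with the custom domain against a real endpoint reports the verification error a strict device stack would hit, without disabling validation anywhere.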

  • Admin
    Nikolaus Neuerburg
    Aug 10, 2021

    Thanks a lot for the very comprehensive feedback.

    As MQTT is currently only used for device integration, the assumption was always that an end-user would never see the MQTT domain name. This seems not to be the case for your IoT solution. Could you elaborate a bit further on where a customer does see the domain for MQTT communication?