TLS/mTLS Certificates for Wavelet Connectivity (MQTT and HTTPS)
Wavelets running the RED Support firmware branch support TLS and mTLS for both MQTT and HTTPS. This article explains which certificates are used, where they are installed (Wavelet vs server), and who can sign them (Ayyeka or the customer), including the per-device CSR process for mTLS.
What certificates exist (and where they live)
| Mode | Wavelet (device) stores | Server (MQTT/HTTPS) stores |
|---|---|---|
| One-way TLS (server-authenticated) | Server CA certificate (trust anchor) | Server certificate + private key |
| mTLS (mutual TLS) | Device certificate + private key, Server CA certificate (trust anchor) | Server certificate + private key, Device CA certificate (trust anchor) |
Clarifications (CA vs cert, keys)
| Term | What it means | Who holds the private key |
|---|---|---|
| Server CA | CA that signs the server certificate; Wavelet trusts this CA to validate the server | CA owner only (never shared) |
| Server certificate | Identity certificate presented by the MQTT/HTTPS server | Server/broker only |
| Device CA | CA that signs device (client) certificates; server trusts this CA to validate devices | CA owner only (never shared) |
| Device certificate (mTLS) | Per-device client certificate presented by the Wavelet | Wavelet/device only |
Notes:
- CA private keys are never shared. Only the CA public certificates are distributed, and only as trust anchors.
- The Wavelet's private key stays on the device and is not shared. Only the CSR (which carries the public key and device identity) and the resulting signed certificate leave it.
Who signs which certificates (Ayyeka vs Customer)
Rule: the owner of the CA signs certificates issued under that CA.
| Server CA owner (signs server cert) | Device CA owner (signs device certs) | Typical fit |
|---|---|---|
| Customer | Customer | Customer owns full PKI (most control) |
| Customer | Ayyeka | Customer controls server identity; Ayyeka manages device PKI |
| Ayyeka | Customer | Less common; customer manages device PKI |
| Ayyeka | Ayyeka | Fastest for Ayyeka; usually less desired by customers |
Per-device certificate issuance (CSR flow) for mTLS
- Ayyeka flashes the devices with RED Support firmware and generates a key pair and a CSR per device (via AKG). The private key stays on the device.
- Ayyeka sends the per-device CSRs (public key plus device identity, no private key) to the Device CA owner (Customer or Ayyeka, depending on the selected model).
- The Device CA owner signs the CSRs and returns the signed device certificates (and the intermediate chain, if applicable).
- Ayyeka provisions each signed device certificate onto the matching device and continues manufacturing/shipping.
Server-side requirement to enable mTLS
To enable mTLS, the server (MQTT broker / HTTPS server) must be configured to:
- Present its server certificate (and chain), signed by the Server CA that the Wavelet holds as its trust anchor, and
- Require a client certificate from every connecting Wavelet and validate it against the Device CA certificate (not the Server CA).