diff --git a/common/cluster-api/src/main/proto/queue.proto b/common/cluster-api/src/main/proto/queue.proto
index 405b96726a..ace1f3cf6d 100644
--- a/common/cluster-api/src/main/proto/queue.proto
+++ b/common/cluster-api/src/main/proto/queue.proto
@@ -903,36 +903,36 @@ message VersionControlResponseMsg {
 message TransportApiRequestMsg {
 ValidateDeviceTokenRequestMsg validateTokenRequestMsg = 1;
 ValidateDeviceX509CertRequestMsg validateX509CertRequestMsg = 2;
- ValidateDeviceProfileX509CertRequestMsg validateProfileX509CertRequestMsg = 3;
- GetOrCreateDeviceFromGatewayRequestMsg getOrCreateDeviceRequestMsg = 4;
- GetEntityProfileRequestMsg entityProfileRequestMsg = 5;
- LwM2MRequestMsg lwM2MRequestMsg = 6;
- ValidateBasicMqttCredRequestMsg validateBasicMqttCredRequestMsg = 7;
- ProvisionDeviceRequestMsg provisionDeviceRequestMsg = 8;
- ValidateDeviceLwM2MCredentialsRequestMsg validateDeviceLwM2MCredentialsRequestMsg = 9;
- GetResourceRequestMsg resourceRequestMsg = 10;
- GetOtaPackageRequestMsg otaPackageRequestMsg = 11;
- GetSnmpDevicesRequestMsg snmpDevicesRequestMsg = 12;
- GetDeviceRequestMsg deviceRequestMsg = 13;
- GetDeviceCredentialsRequestMsg deviceCredentialsRequestMsg = 14;
- GetAllQueueRoutingInfoRequestMsg getAllQueueRoutingInfoRequestMsg = 15;
- UpdateOrCreateDeviceX509CertRequestMsg updateOrCreateDeviceCertRequestMsg = 16;
+ GetOrCreateDeviceFromGatewayRequestMsg getOrCreateDeviceRequestMsg = 3;
+ GetEntityProfileRequestMsg entityProfileRequestMsg = 4;
+ LwM2MRequestMsg lwM2MRequestMsg = 5;
+ ValidateBasicMqttCredRequestMsg validateBasicMqttCredRequestMsg = 6;
+ ProvisionDeviceRequestMsg provisionDeviceRequestMsg = 7;
+ ValidateDeviceLwM2MCredentialsRequestMsg validateDeviceLwM2MCredentialsRequestMsg = 8;
+ GetResourceRequestMsg resourceRequestMsg = 9;
+ GetOtaPackageRequestMsg otaPackageRequestMsg = 10;
+ GetSnmpDevicesRequestMsg snmpDevicesRequestMsg = 11;
+ GetDeviceRequestMsg deviceRequestMsg = 12;
+ GetDeviceCredentialsRequestMsg deviceCredentialsRequestMsg = 13;
+ GetAllQueueRoutingInfoRequestMsg getAllQueueRoutingInfoRequestMsg = 14;
+ UpdateOrCreateDeviceX509CertRequestMsg updateOrCreateDeviceCertRequestMsg = 15;
+ ValidateDeviceProfileX509CertRequestMsg validateProfileX509CertRequestMsg = 16;
 }
 /* Response from ThingsBoard Core Service to Transport Service */
 message TransportApiResponseMsg {
 ValidateDeviceCredentialsResponseMsg validateCredResponseMsg = 1;
- ValidateDeviceProfileCredentialsResponseMsg validateDeviceProfileResponseMsg = 2;
- GetOrCreateDeviceFromGatewayResponseMsg getOrCreateDeviceResponseMsg = 3;
- GetEntityProfileResponseMsg entityProfileResponseMsg = 4;
- ProvisionDeviceResponseMsg provisionDeviceResponseMsg = 5;
- GetSnmpDevicesResponseMsg snmpDevicesResponseMsg = 6;
- LwM2MResponseMsg lwM2MResponseMsg = 7;
- GetResourceResponseMsg resourceResponseMsg = 8;
- GetOtaPackageResponseMsg otaPackageResponseMsg = 9;
- GetDeviceResponseMsg deviceResponseMsg = 10;
- GetDeviceCredentialsResponseMsg deviceCredentialsResponseMsg = 11;
- repeated GetQueueRoutingInfoResponseMsg getQueueRoutingInfoResponseMsgs = 12;
+ GetOrCreateDeviceFromGatewayResponseMsg getOrCreateDeviceResponseMsg = 2;
+ GetEntityProfileResponseMsg entityProfileResponseMsg = 3;
+ ProvisionDeviceResponseMsg provisionDeviceResponseMsg = 4;
+ GetSnmpDevicesResponseMsg snmpDevicesResponseMsg = 5;
+ LwM2MResponseMsg lwM2MResponseMsg = 6;
+ GetResourceResponseMsg resourceResponseMsg = 7;
+ GetOtaPackageResponseMsg otaPackageResponseMsg = 8;
+ GetDeviceResponseMsg deviceResponseMsg = 9;
+ GetDeviceCredentialsResponseMsg deviceCredentialsResponseMsg = 10;
+ repeated GetQueueRoutingInfoResponseMsg getQueueRoutingInfoResponseMsgs = 11;
+ ValidateDeviceProfileCredentialsResponseMsg validateDeviceProfileResponseMsg = 12;
 }
 /* Messages that are handled by ThingsBoard Core Service */
diff --git a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
index ed2326946f..237ff86375 100644
--- a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
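Review bot: Both messages renumber existing tags instead of only appending, and nothing in the file tells the next editor that these numbers are the wire identity between Transport and Core. Tag 16 in TransportApiRequestMsg now carries validateProfileX509CertRequestMsg where it previously carried updateOrCreateDeviceCertRequestMsg, and tag 2 in TransportApiResponseMsg changes type in the same way. Every field here is a message type, so a node still on the previous numbering may decode a credential-validation request as a different request instead of rejecting it. Whether the previous numbering was ever deployed is not visible from this diff; if it was, Transport and Core need to be upgraded together with the queue drained first. I would add above each message `// Field numbers are wire format: append new fields, never renumber or reuse a tag.`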
+++ b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
@@ -145,13 +145,8 @@ public class MqttSslHandlerProvider {
 @Override
 public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
 String deviceCN = SslUtil.parseCommonName(chain[0]);
- String deviceCert;
- String deviceCredentialsValue = SslUtil.getCertificateString(chain[0]);
- try {
- deviceCert = EncryptionUtil.getSha3Hash(SslUtil.getCertificateString(chain[0]));
- } catch (CertificateEncodingException e) {
- throw new RuntimeException(e);
- }
+ String clientDeviceCertValue = SslUtil.getCertificateString(chain[0]);
+ String clientDeviceCertHash = EncryptionUtil.getSha3Hash(clientDeviceCertValue);
 String credentialsBody = null;
 for (X509Certificate cert : chain) {
 try {
@@ -175,7 +170,8 @@ public class MqttSslHandlerProvider {
 if (msg.isDeviceProfileFound()) {
 transportService.process(DeviceTransportType.MQTT,
 TransportProtos.UpdateOrCreateDeviceX509CertRequestMsg.newBuilder()
- .setHash(deviceCert)
+ .setHash(clientDeviceCertHash)
+ .setValue(clientDeviceCertValue)
 .setCommonName(deviceCN)
 .setDeviceProfileIdMSB(msg.getDeviceProfileId().getId().getMostSignificantBits())
 .setDeviceProfileIdLSB(msg.getDeviceProfileId().getId().getLeastSignificantBits())
@@ -183,7 +179,6 @@ public class MqttSslHandlerProvider {
 new TransportServiceCallback<>() {
 @Override
 public void onSuccess(ValidateDeviceCredentialsResponse msg) {
- System.out.println("msg.getCredentials() = " + msg.getCredentials());
 credentialsBodyHolder[0] = msg.getCredentials();
 latch.countDown();
 }
@@ -216,7 +211,7 @@ public class MqttSslHandlerProvider {
 }
 });
 latch.await(10, TimeUnit.SECONDS);
- if (deviceCredentialsValue.equals(credentialsBodyHolder[0])) {
+ if (clientDeviceCertValue.equals(credentialsBodyHolder[0])) {
 credentialsBody = credentialsBodyHolder[0];
 break;
 }
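Review bot: Nothing visible in the hunk at -175 ties `chain[0]` cryptographically to the chain certificate that matched the profile, yet the request now carries the full leaf certificate (`.setValue(clientDeviceCertValue)`) and is sent as soon as `msg.isDeviceProfileFound()` is true. The TLS handshake proves possession of the leaf key only, so if no path validation runs earlier in checkClientTrusted (its body extends outside the hunk), a profile match on any presented chain certificate would be enough for the leaf to be stored as a device credential. Please confirm that the chain is verified up to the matched certificate before this call, and record it at the call site, for example `// chain[0] has been path-validated against the matched profile certificate`. The same call is added in MqttTransportHandler.processX509CertConnect (hunk at -872), where the same check applies.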
diff --git a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportHandler.java b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportHandler.java
index 5044d5a35e..803a8ff3ca 100644
--- a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportHandler.java
+++ b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportHandler.java
@@ -849,7 +849,8 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement
 private void processX509CertConnect(ChannelHandlerContext ctx, X509Certificate[] chain, MqttConnectMessage connectMessage) {
 try {
 String deviceCN = SslUtil.parseCommonName(chain[0]);
- String deviceCertHash = EncryptionUtil.getSha3Hash(SslUtil.getCertificateString(chain[0]));
+ String clientDeviceCertValue = SslUtil.getCertificateString(chain[0]);
+ String clientDeviceCertHash = EncryptionUtil.getSha3Hash(clientDeviceCertValue);
 for (X509Certificate cert : chain) {
 try {
 String strCert = SslUtil.getCertificateString(cert);
@@ -872,7 +873,8 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement
 if (msg.isDeviceProfileFound()) {
 transportService.process(DeviceTransportType.MQTT,
 TransportProtos.UpdateOrCreateDeviceX509CertRequestMsg.newBuilder()
- .setHash(deviceCertHash)
+ .setHash(clientDeviceCertHash)
+ .setValue(clientDeviceCertValue)
 .setCommonName(deviceCN)
 .setDeviceProfileIdMSB(msg.getDeviceProfileId().getId().getMostSignificantBits())
 .setDeviceProfileIdLSB(msg.getDeviceProfileId().getId().getLeastSignificantBits())
diff --git a/dao/src/main/java/org/thingsboard/server/dao/sql/device/JpaDeviceCredentialsDao.java b/dao/src/main/java/org/thingsboard/server/dao/sql/device/JpaDeviceCredentialsDao.java
index a56a13c98a..01a746c9b8 100644
--- a/dao/src/main/java/org/thingsboard/server/dao/sql/device/JpaDeviceCredentialsDao.java
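Review bot: The leaf-certificate handling in the hunk at -849 is a second copy of what MqttSslHandlerProvider.checkClientTrusted does: both derive `deviceCN`, `clientDeviceCertValue` and `clientDeviceCertHash` from `chain[0]`, walk the chain, and build the same UpdateOrCreateDeviceX509CertRequestMsg. This commit had to apply the identical rename and `.setValue(...)` addition in both places, which shows how easily the two authentication paths can drift apart. I would move the shared part into one helper used by both classes, so that a future fix to certificate handling cannot land in only one of them. Until then, a comment such as `// Keep in sync with MqttSslHandlerProvider.checkClientTrusted` above the new lines would help. processX509CertConnect continues outside the hunk.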
+++ b/dao/src/main/java/org/thingsboard/server/dao/sql/device/JpaDeviceCredentialsDao.java
@@ -69,6 +69,6 @@ public class JpaDeviceCredentialsDao extends JpaAbstractDao