Refactor x509: add logic of rotating x509 credentials and creating new device to DeviceProvisionService

3 years ago · 55adb3d12a
21 changed files with 188 additions and 247 deletions
--- a/application/src/main/data/upgrade/3.4.4/schema_update.sql
+++ b/application/src/main/data/upgrade/3.4.4/schema_update.sql
@ -424,16 +424,6 @@ $$;
 -- ALARM FUNCTIONS END


-- DEVICE PROFILE CERTIFICATE START
-
-ALTER TABLE device_profile
-    ADD COLUMN IF NOT EXISTS certificate_hash varchar,
-    DROP CONSTRAINT IF EXISTS device_profile_credentials_hash_unq_key,
-    ADD CONSTRAINT device_profile_credentials_hash_unq_key UNIQUE (certificate_hash);
-
-- DEVICE PROFILE CERTIFICATE END
-
-
 -- TTL DROP PARTITIONS FUNCTIONS UPDATE START

 DROP PROCEDURE IF EXISTS drop_partitions_by_max_ttl(character varying, bigint, bigint);
--- a/application/src/main/java/org/thingsboard/server/service/device/DeviceProvisionServiceImpl.java
+++ b/application/src/main/java/org/thingsboard/server/service/device/DeviceProvisionServiceImpl.java
@ -20,7 +20,6 @@ import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.common.util.concurrent.ListenableFuture;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.cluster.TbClusterService;
@ -29,6 +28,7 @@ import org.thingsboard.server.common.data.Device;
 import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.StringUtils;
 import org.thingsboard.server.common.data.audit.ActionType;
+import org.thingsboard.server.common.data.device.profile.X509CertificateChainProvisionConfiguration;
 import org.thingsboard.server.common.data.id.CustomerId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.id.UserId;
@ -36,15 +36,19 @@ import org.thingsboard.server.common.data.kv.AttributeKvEntry;
 import org.thingsboard.server.common.data.kv.BaseAttributeKvEntry;
 import org.thingsboard.server.common.data.kv.StringDataEntry;
 import org.thingsboard.server.common.data.security.DeviceCredentials;
+import org.thingsboard.server.common.data.security.DeviceCredentialsType;
+import org.thingsboard.server.common.msg.EncryptionUtil;
 import org.thingsboard.server.common.msg.TbMsg;
 import org.thingsboard.server.common.msg.TbMsgMetaData;
 import org.thingsboard.server.common.msg.queue.ServiceType;
 import org.thingsboard.server.common.msg.queue.TopicPartitionInfo;
+import org.thingsboard.server.common.transport.util.SslUtil;
 import org.thingsboard.server.dao.attributes.AttributesService;
 import org.thingsboard.server.dao.audit.AuditLogService;
 import org.thingsboard.server.dao.device.DeviceCredentialsService;
 import org.thingsboard.server.dao.device.DeviceDao;
 import org.thingsboard.server.dao.device.DeviceProfileDao;
+import org.thingsboard.server.dao.device.DeviceProfileService;
 import org.thingsboard.server.dao.device.DeviceProvisionService;
 import org.thingsboard.server.dao.device.DeviceService;
 import org.thingsboard.server.dao.device.provision.ProvisionFailedException;
@ -77,35 +81,23 @@ public class DeviceProvisionServiceImpl implements DeviceProvisionService {
    private static final String DEVICE_PROVISION_STATE = "provisionState";
    private static final String PROVISIONED_STATE = "provisioned";

-    @Autowired
-    TbClusterService clusterService;
+    private final TbClusterService clusterService;
+    private final DeviceProfileService deviceProfileService;
+    private final DeviceService deviceService;
+    private final DeviceCredentialsService deviceCredentialsService;
+    private final AttributesService attributesService;
+    private final AuditLogService auditLogService;
+    private final PartitionService partitionService;

-    @Autowired
-    DeviceDao deviceDao;
-
-    @Autowired
-    DeviceProfileDao deviceProfileDao;
-
-    @Autowired
-    DeviceService deviceService;
-
-    @Autowired
-    DeviceCredentialsService deviceCredentialsService;
-
-    @Autowired
-    AttributesService attributesService;
-
-    @Autowired
-    DeviceStateService deviceStateService;
-
-    @Autowired
-    AuditLogService auditLogService;
-
-    @Autowired
-    PartitionService partitionService;
-
-    public DeviceProvisionServiceImpl(TbQueueProducerProvider producerProvider) {
+    public DeviceProvisionServiceImpl(TbQueueProducerProvider producerProvider, TbClusterService clusterService, DeviceDao deviceDao, DeviceProfileDao deviceProfileDao, DeviceProfileService deviceProfileService, DeviceService deviceService, DeviceCredentialsService deviceCredentialsService, AttributesService attributesService, DeviceStateService deviceStateService, AuditLogService auditLogService, PartitionService partitionService) {
        ruleEngineMsgProducer = producerProvider.getRuleEngineMsgProducer();
+        this.clusterService = clusterService;
+        this.deviceProfileService = deviceProfileService;
+        this.deviceService = deviceService;
+        this.deviceCredentialsService = deviceCredentialsService;
+        this.attributesService = attributesService;
+        this.auditLogService = auditLogService;
+        this.partitionService = partitionService;
    }

    @Override
@ -124,14 +116,14 @@ public class DeviceProvisionServiceImpl implements DeviceProvisionService {
            throw new ProvisionFailedException(ProvisionResponseStatus.NOT_FOUND.name());
        }

-        DeviceProfile targetProfile = deviceProfileDao.findByProvisionDeviceKey(provisionRequestKey);
+        DeviceProfile targetProfile = deviceProfileService.findDeviceProfileByProvisionDeviceKey(provisionRequestKey);

        if (targetProfile == null || targetProfile.getProfileData().getProvisionConfiguration() == null ||
                targetProfile.getProfileData().getProvisionConfiguration().getProvisionDeviceSecret() == null) {
            throw new ProvisionFailedException(ProvisionResponseStatus.NOT_FOUND.name());
        }

-        Device targetDevice = deviceDao.findDeviceByTenantIdAndName(targetProfile.getTenantId().getId(), provisionRequest.getDeviceName()).orElse(null);
+        Device targetDevice = deviceService.findDeviceByTenantIdAndName(targetProfile.getTenantId(), provisionRequest.getDeviceName());

        switch (targetProfile.getProvisionType()) {
            case ALLOW_CREATE_NEW_DEVICES:
@ -155,6 +147,22 @@ public class DeviceProvisionServiceImpl implements DeviceProvisionService {
                    }
                }
                break;
+            case X509_CERTIFICATE_CHAIN:
+                X509CertificateChainProvisionConfiguration x509Configuration = (X509CertificateChainProvisionConfiguration) targetProfile.getProfileData().getProvisionConfiguration();
+                if (targetDevice != null && targetDevice.getDeviceProfileId().equals(targetProfile.getId())) {
+                    DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(targetDevice.getTenantId(), targetDevice.getId());
+                    if (deviceCredentials.getCredentialsType() == DeviceCredentialsType.X509_CERTIFICATE) {
+                        String updatedDeviceCertificateValue = provisionRequest.getCredentialsData().getX509CertHash();
+                        deviceCredentials = updateDeviceCredentials(targetDevice.getTenantId(), deviceCredentials,
+                                updatedDeviceCertificateValue, DeviceCredentialsType.X509_CERTIFICATE);
+                    }
+                    return new ProvisionResponse(deviceCredentials, ProvisionResponseStatus.SUCCESS);
+                } else if (x509Configuration.isAllowCreateNewDevicesByX509Certificate()) {
+                    return createDevice(provisionRequest, targetProfile);
+                } else {
+                    log.info("Device doesn't exist and cannot be created due incorrect configuration for X509CertificateChainProvisionConfiguration");
+                    throw new ProvisionFailedException(ProvisionResponseStatus.NOT_FOUND.name());
+                }
        }
        throw new ProvisionFailedException(ProvisionResponseStatus.NOT_FOUND.name());
    }
@ -209,6 +217,14 @@ public class DeviceProvisionServiceImpl implements DeviceProvisionService {
        }
    }

+    private DeviceCredentials updateDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials, String certificateValue,
+                                                      DeviceCredentialsType credentialsType) {
+        log.trace("Updating device credentials [{}] with certificate value [{}]", deviceCredentials, certificateValue);
+        deviceCredentials.setCredentialsValue(certificateValue);
+        deviceCredentials.setCredentialsType(credentialsType);
+        return deviceCredentialsService.updateDeviceCredentials(tenantId, deviceCredentials);
+    }
+
    private ListenableFuture<List<String>> saveProvisionStateAttribute(Device device) {
        return attributesService.save(device.getTenantId(), device.getId(), DataConstants.SERVER_SCOPE,
                Collections.singletonList(new BaseAttributeKvEntry(new StringDataEntry(DEVICE_PROVISION_STATE, PROVISIONED_STATE),
--- a/application/src/main/java/org/thingsboard/server/service/transport/DefaultTransportApiService.java
+++ b/application/src/main/java/org/thingsboard/server/service/transport/DefaultTransportApiService.java
@ -25,7 +25,6 @@ import com.google.common.util.concurrent.MoreExecutors;
 import com.google.protobuf.ByteString;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.codec.binary.Base64;
 import org.springframework.stereotype.Service;
 import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.cache.ota.OtaPackageDataCache;
@ -34,7 +33,6 @@ import org.thingsboard.server.common.data.ApiUsageState;
 import org.thingsboard.server.common.data.DataConstants;
 import org.thingsboard.server.common.data.Device;
 import org.thingsboard.server.common.data.DeviceProfile;
-import org.thingsboard.server.common.data.DeviceProfileProvisionType;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.common.data.EntityType;
 import org.thingsboard.server.common.data.OtaPackage;
@ -49,6 +47,7 @@ import org.thingsboard.server.common.data.device.data.CoapDeviceTransportConfigu
 import org.thingsboard.server.common.data.device.data.Lwm2mDeviceTransportConfiguration;
 import org.thingsboard.server.common.data.device.data.PowerMode;
 import org.thingsboard.server.common.data.device.data.PowerSavingConfiguration;
+import org.thingsboard.server.common.data.device.profile.DeviceProfileProvisionConfiguration;
 import org.thingsboard.server.common.data.device.profile.ProvisionDeviceProfileCredentials;
 import org.thingsboard.server.common.data.device.profile.X509CertificateChainProvisionConfiguration;
 import org.thingsboard.server.common.data.id.CustomerId;
@ -76,6 +75,7 @@ import org.thingsboard.server.dao.device.DeviceService;
 import org.thingsboard.server.dao.device.provision.ProvisionFailedException;
 import org.thingsboard.server.dao.device.provision.ProvisionRequest;
 import org.thingsboard.server.dao.device.provision.ProvisionResponse;
+import org.thingsboard.server.dao.device.provision.ProvisionResponseStatus;
 import org.thingsboard.server.dao.ota.OtaPackageService;
 import org.thingsboard.server.dao.queue.QueueService;
 import org.thingsboard.server.dao.relation.RelationService;
@ -106,10 +106,6 @@ import org.thingsboard.server.service.executors.DbCallbackExecutorService;
 import org.thingsboard.server.service.profile.TbDeviceProfileCache;
 import org.thingsboard.server.service.resource.TbResourceService;

-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@ -250,38 +246,13 @@ public class DefaultTransportApiService implements TransportApiService {
            if (credentials != null && credentials.getCredentialsType() == DeviceCredentialsType.X509_CERTIFICATE) {
                return getDeviceInfo(credentials);
            }
-            DeviceProfile deviceProfile = deviceProfileService.findDeviceProfileByCertificateHash(certificateHash);
+            DeviceProfile deviceProfile = deviceProfileService.findDeviceProfileByProvisionDeviceKey(certificateHash);
            if (deviceProfile != null) {
-                X509CertificateChainProvisionConfiguration x509Configuration;
-                if (deviceProfile.getProfileData().getProvisionConfiguration() instanceof X509CertificateChainProvisionConfiguration) {
-                    x509Configuration = (X509CertificateChainProvisionConfiguration) deviceProfile.getProfileData().getProvisionConfiguration();
-                } else {
-                    log.warn("Device Profile provision configuration is not X509CertificateChainProvisionConfiguration");
-                    return getEmptyTransportApiResponseFuture();
-                }
-                String deviceName = extractDeviceNameFromCertificateCNByRegEx(chain.get(0), x509Configuration.getCertificateRegExPattern());
-                if (deviceName == null) {
-                    log.warn("Cannot extract device name from device's CN using regex [{}]", x509Configuration.getCertificateRegExPattern());
-                    return getEmptyTransportApiResponseFuture();
-                }
-                Device device = deviceService.findDeviceByTenantIdAndName(deviceProfile.getTenantId(), deviceName);
-                String updateDeviceCertificateValue = chain.get(0);
-                String updateDeviceCertificateHash = EncryptionUtil.getSha3Hash(updateDeviceCertificateValue);
-                if (device != null) {
-                    DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(device.getTenantId(), device.getId());
-                    if (deviceCredentials != null && deviceCredentials.getCredentialsType() == DeviceCredentialsType.X509_CERTIFICATE) {
-                        deviceCredentials = updateDeviceCredentials(device.getTenantId(), deviceCredentials, updateDeviceCertificateValue, updateDeviceCertificateHash, DeviceCredentialsType.X509_CERTIFICATE);
-                    } else if (deviceCredentials == null) {
-                        deviceCredentials = createDeviceCredentials(device.getTenantId(), device.getId(), updateDeviceCertificateValue, updateDeviceCertificateHash, DeviceCredentialsType.X509_CERTIFICATE);
-                    }
-                    return getDeviceInfo(deviceCredentials);
-                } else if (deviceProfile.getProvisionType() == DeviceProfileProvisionType.X509_CERTIFICATE_CHAIN && x509Configuration.isAllowCreateNewDevicesByX509Certificate()) {
-                    Device savedDevice = createDevice(deviceProfile.getTenantId(), deviceProfile.getId(), deviceName, deviceProfile.getName());
-                    DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedDevice.getTenantId(), savedDevice.getId());
-                    deviceCredentials = updateDeviceCredentials(savedDevice.getTenantId(), deviceCredentials, updateDeviceCertificateValue, updateDeviceCertificateHash, DeviceCredentialsType.X509_CERTIFICATE);
-                    return getDeviceInfo(deviceCredentials);
-                } else {
-                    log.info("Device doesn't exist and cannot be created due incorrect configuration for X509CertificateChainProvisionConfiguration");
+                String updatedDeviceProvisionSecret = chain.get(0);
+                ProvisionRequest provisionRequest = createProvisionRequest(deviceProfile, updatedDeviceProvisionSecret);
+                ProvisionResponse provisionResponse = deviceProvisionService.provisionDevice(provisionRequest);
+                if (provisionResponse.getResponseStatus().equals(ProvisionResponseStatus.SUCCESS)) {
+                    return getDeviceInfo(provisionResponse.getDeviceCredentials());
                }
            }
        }
@ -728,9 +699,37 @@ public class DefaultTransportApiService implements TransportApiService {
        return l != null ? l : 0;
    }

+    private ProvisionRequest createProvisionRequest(DeviceProfile deviceProfile, String certificateValue) {
+        String deviceName = getDeviceName(deviceProfile, certificateValue);
+
+        ProvisionDeviceProfileCredentials provisionDeviceProfileCredentials = new ProvisionDeviceProfileCredentials(
+                deviceProfile.getProvisionDeviceKey(),
+                deviceProfile.getProfileData().getProvisionConfiguration().getProvisionDeviceSecret()
+        );
+        ProvisionDeviceCredentialsData provisionDeviceCredentialsData = new ProvisionDeviceCredentialsData(null, null, null, null, certificateValue);
+
+        return new ProvisionRequest(deviceName, DeviceCredentialsType.X509_CERTIFICATE, provisionDeviceCredentialsData, provisionDeviceProfileCredentials);
+    }
+
+
+    private String getDeviceName(DeviceProfile deviceProfile, String certificateValue) {
+        X509CertificateChainProvisionConfiguration configuration = new X509CertificateChainProvisionConfiguration();
+        String deviceName = null;
+        if (deviceProfile.getProfileData().getProvisionConfiguration() instanceof X509CertificateChainProvisionConfiguration) {
+            configuration = (X509CertificateChainProvisionConfiguration) deviceProfile.getProfileData().getProvisionConfiguration();
+            deviceName = extractDeviceNameFromCertificateCNByRegEx(certificateValue, configuration.getCertificateRegExPattern());
+            if (deviceName == null) {
+                log.warn("Cannot extract device name from device's CN using regex [{}]", configuration.getCertificateRegExPattern());
+            }
+        } else {
+            log.warn("Device Profile configuration: expected [{}],  actual [{}]", configuration.getType(), deviceProfile.getProvisionType());
+        }
+        return deviceName;
+    }
+
    private String extractDeviceNameFromCertificateCNByRegEx(String x509Value, String regex) {
        try {
-            String commonName = SslUtil.parseCommonName(readCertFile(x509Value));
+            String commonName = SslUtil.parseCommonName(SslUtil.readCertFile(x509Value));
            log.trace("Extract CN [{}] by regex pattern [{}]", commonName, regex);
            Pattern pattern = Pattern.compile(regex);
            Matcher matcher = pattern.matcher(commonName);
@ -751,53 +750,4 @@ public class DefaultTransportApiService implements TransportApiService {
        }
        return chain;
    }
-
-    private X509Certificate readCertFile(String fileContent) {
-        X509Certificate certificate = null;
-        try {
-            if (fileContent != null && !fileContent.trim().isEmpty()) {
-                fileContent = fileContent.replace("-----BEGIN CERTIFICATE-----", "")
-                        .replace("-----END CERTIFICATE-----", "")
-                        .replaceAll("\\s", "");
-                byte[] decoded = Base64.decodeBase64(fileContent);
-                CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-                try (InputStream inStream = new ByteArrayInputStream(decoded)) {
-                    certificate = (X509Certificate) certFactory.generateCertificate(inStream);
-                }
-            }
-        } catch (Exception ignored) {}
-        return certificate;
-    }
-
-    private DeviceCredentials updateDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials, String certificateValue,
-                                                      String certificateHash, DeviceCredentialsType credentialsType) {
-        log.trace("Updating device credentials [{}] with certificate id [{}]", deviceCredentials, certificateHash);
-        deviceCredentials.setCredentialsId(certificateHash);
-        deviceCredentials.setCredentialsValue(certificateValue);
-        deviceCredentials.setCredentialsType(credentialsType);
-        return deviceCredentialsService.updateDeviceCredentials(tenantId, deviceCredentials);
-    }
-
-    private DeviceCredentials createDeviceCredentials(TenantId tenantId, DeviceId deviceId, String certificateValue,
-                                                      String certificateHash, DeviceCredentialsType credentialsType) {
-        log.trace("Creating new deviceCredentials for device [{}] with certificate id [{}]", deviceId, certificateHash);
-        DeviceCredentials createDevCredentials = new DeviceCredentials();
-        createDevCredentials.setDeviceId(deviceId);
-        createDevCredentials.setCredentialsType(credentialsType);
-        createDevCredentials.setCredentialsId(certificateHash);
-        createDevCredentials.setCredentialsValue(certificateValue);
-        return deviceCredentialsService.createDeviceCredentials(tenantId, createDevCredentials);
-    }
-
-    private Device createDevice(TenantId tenantId, DeviceProfileId deviceProfileId, String deviceName, String type) {
-        log.trace("Creating new device for deviceProfile [{}] with device name [{}]", deviceProfileId, deviceName);
-        Device device = new Device();
-        device.setTenantId(tenantId);
-        device.setDeviceProfileId(deviceProfileId);
-        device.setName(deviceName);
-        device.setType(type);
-        device = deviceService.saveDevice(device);
-        tbClusterService.onDeviceUpdated(device, null);
-        return device;
-    }
 }
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@ -735,7 +735,7 @@ transport:
    # MQTT SSL configuration
    ssl:
      # Enable/disable SSL support
-      enabled: "${MQTT_SSL_ENABLED:false}"
+      enabled: "${MQTT_SSL_ENABLED:true}"
      # MQTT SSL bind address
      bind_address: "${MQTT_SSL_BIND_ADDRESS:0.0.0.0}"
      # MQTT SSL bind port
@ -749,11 +749,11 @@ transport:
        # PEM server credentials
        pem:
          # Path to the server certificate file (holds server certificate or certificate chain, may include server private key)
-          cert_file: "${MQTT_SSL_PEM_CERT:mqttserver.pem}"
+          cert_file: "${MQTT_SSL_PEM_CERT:/home/developer/x509/server.pem}"
          # Path to the server certificate private key file. Optional by default. Required if the private key is not present in server certificate file;
-          key_file: "${MQTT_SSL_PEM_KEY:mqttserver_key.pem}"
+          key_file: "${MQTT_SSL_PEM_KEY:/home/developer/x509/server_key.pem}"
          # Server certificate private key password (optional)
-          key_password: "${MQTT_SSL_PEM_KEY_PASSWORD:server_key_password}"
+          key_password: "${MQTT_SSL_PEM_KEY_PASSWORD:}"
        # Keystore server credentials
        keystore:
          # Type of the key store (JKS or PKCS12)
--- a/application/src/test/java/org/thingsboard/server/controller/BaseDeviceProfileControllerTest.java
+++ b/application/src/test/java/org/thingsboard/server/controller/BaseDeviceProfileControllerTest.java
@ -302,14 +302,17 @@ public abstract class BaseDeviceProfileControllerTest extends AbstractController
    @Test
    public void testSaveDeviceProfileWithSameCertificateHash() throws Exception {
        DeviceProfile deviceProfile = this.createDeviceProfile("Device Profile");
-        deviceProfile.setCertificateHash("Certificate Hash");
-        doPost("/api/deviceProfile", deviceProfile).andExpect(status().isOk());
+        deviceProfile.setProvisionDeviceKey("Certificate hash");
+
+        doPost("/api/deviceProfile", deviceProfile)
+                .andExpect(status().isOk());
+
        DeviceProfile deviceProfile2 = this.createDeviceProfile("Device Profile 2");
-        deviceProfile2.setCertificateHash("Certificate Hash");
+        deviceProfile2.setProvisionDeviceKey("Certificate hash");

        Mockito.reset(tbClusterService, auditLogService);

-        String msgError = "Device profile with such certificate hash already exists";
+        String msgError = "Device profile with such provision device key already exists!";
        doPost("/api/deviceProfile", deviceProfile2)
                .andExpect(status().isBadRequest())
                .andExpect(statusReason(containsString(msgError)));
--- a/application/src/test/java/org/thingsboard/server/service/transport/DefaultTransportApiServiceTest.java
+++ b/application/src/test/java/org/thingsboard/server/service/transport/DefaultTransportApiServiceTest.java
@ -40,6 +40,8 @@ import org.thingsboard.server.dao.device.DeviceCredentialsService;
 import org.thingsboard.server.dao.device.DeviceProfileService;
 import org.thingsboard.server.dao.device.DeviceProvisionService;
 import org.thingsboard.server.dao.device.DeviceService;
+import org.thingsboard.server.dao.device.provision.ProvisionResponse;
+import org.thingsboard.server.dao.device.provision.ProvisionResponseStatus;
 import org.thingsboard.server.dao.ota.OtaPackageService;
 import org.thingsboard.server.dao.queue.QueueService;
 import org.thingsboard.server.dao.relation.RelationService;
@ -130,43 +132,42 @@ public class DefaultTransportApiServiceTest {
    }

    @Test
-    public void updateExistingDeviceX509Certificate() {
+    public void provisionDeviceX509Certificate() {
        var deviceProfile = createDeviceProfile(chain[1]);
-        when(deviceProfileService.findDeviceProfileByCertificateHash(any())).thenReturn(deviceProfile);
+        when(deviceProfileService.findDeviceProfileByProvisionDeviceKey(any())).thenReturn(deviceProfile);

        var device = createDevice();
        when(deviceService.findDeviceByTenantIdAndName(any(), any())).thenReturn(device);
        when(deviceService.findDeviceByIdAsync(any(), any())).thenReturn(Futures.immediateFuture(device));

        var deviceCredentials = createDeviceCredentials(chain[0], device.getId());
-        when(deviceCredentialsService.findDeviceCredentialsByDeviceId(any(), any())).thenReturn(deviceCredentials);
+        when(deviceCredentialsService.findDeviceCredentialsByCredentialsId(any())).thenReturn(null);
        when(deviceCredentialsService.updateDeviceCredentials(any(), any())).thenReturn(deviceCredentials);

+        var provisionResponse = createProvisionResponse(deviceCredentials);
+        when(deviceProvisionService.provisionDevice(any())).thenReturn(provisionResponse);
+
        service.validateOrCreateDeviceX509Certificate(certificateChain);
-        verify(deviceProfileService, times(1)).findDeviceProfileByCertificateHash(any());
-        verify(deviceService, times(1)).findDeviceByTenantIdAndName(any(), any());
-        verify(deviceCredentialsService, times(1)).findDeviceCredentialsByDeviceId(any(), any());
-        verify(deviceCredentialsService, times(1)).updateDeviceCredentials(any(), any());
+        verify(deviceProfileService, times(1)).findDeviceProfileByProvisionDeviceKey(any());
+        verify(deviceService, times(1)).findDeviceByIdAsync(any(), any());
+        verify(deviceCredentialsService, times(1)).findDeviceCredentialsByCredentialsId(any());
+        verify(deviceProvisionService, times(1)).provisionDevice(any());
    }

-    @Test
-    public void createDeviceByX509Provision() {
-        var deviceProfile = createDeviceProfile(chain[1]);
-        when(deviceProfileService.findDeviceProfileByCertificateHash(any())).thenReturn(deviceProfile);
-
-        var device = createDevice();
-        when(deviceService.saveDevice(any())).thenReturn(device);
-        when(deviceService.findDeviceByIdAsync(any(), any())).thenReturn(Futures.immediateFuture(device));
+    private DeviceProfile createDeviceProfile(String certificateValue) {
+        X509CertificateChainProvisionConfiguration provision = new X509CertificateChainProvisionConfiguration();
+        provision.setProvisionDeviceSecret(certificateValue);
+        provision.setCertificateRegExPattern("([^@]+)");
+        provision.setAllowCreateNewDevicesByX509Certificate(true);

-        var deviceCredentials = createDeviceCredentials(chain[0], device.getId());
-        when(deviceCredentialsService.findDeviceCredentialsByDeviceId(any(), any())).thenReturn(deviceCredentials);
-        when(deviceCredentialsService.updateDeviceCredentials(any(), any())).thenReturn(deviceCredentials);
+        DeviceProfileData deviceProfileData = new DeviceProfileData();
+        deviceProfileData.setProvisionConfiguration(provision);

-        service.validateOrCreateDeviceX509Certificate(certificateChain);
-        verify(deviceProfileService, times(1)).findDeviceProfileByCertificateHash(any());
-        verify(deviceService, times(1)).findDeviceByTenantIdAndName(any(), any());
-        verify(deviceCredentialsService, times(1)).findDeviceCredentialsByDeviceId(any(), any());
-        verify(deviceCredentialsService, times(1)).updateDeviceCredentials(any(), any());
+        DeviceProfile deviceProfile = new DeviceProfile();
+        deviceProfile.setProfileData(deviceProfileData);
+        deviceProfile.setProvisionDeviceKey(EncryptionUtil.getSha3Hash(certificateValue));
+        deviceProfile.setProvisionType(DeviceProfileProvisionType.X509_CERTIFICATE_CHAIN);
+        return deviceProfile;
    }

    private DeviceCredentials createDeviceCredentials(String certificateValue, DeviceId deviceId) {
@ -178,26 +179,16 @@ public class DefaultTransportApiServiceTest {
        return deviceCredentials;
    }

-    private DeviceProfile createDeviceProfile(String certificateValue) {
-        DeviceProfile deviceProfile = new DeviceProfile();
-        DeviceProfileData deviceProfileData = new DeviceProfileData();
-        X509CertificateChainProvisionConfiguration provision = new X509CertificateChainProvisionConfiguration();
-        provision.setCertificateValue(certificateValue);
-        provision.setCertificateRegExPattern("([^@]+)");
-        provision.setAllowCreateNewDevicesByX509Certificate(true);
-        deviceProfileData.setProvisionConfiguration(provision);
-        deviceProfile.setProfileData(deviceProfileData);
-        deviceProfile.setCertificateHash(EncryptionUtil.getSha3Hash(certificateValue));
-        deviceProfile.setProvisionType(DeviceProfileProvisionType.X509_CERTIFICATE_CHAIN);
-        return deviceProfile;
-    }
-
    private Device createDevice() {
        Device device = new Device();
        device.setId(new DeviceId(UUID.randomUUID()));
        return device;
    }

+    private ProvisionResponse createProvisionResponse(DeviceCredentials deviceCredentials) {
+        return new ProvisionResponse(deviceCredentials, ProvisionResponseStatus.SUCCESS);
+    }
+
    public static String certTrimNewLinesForChainInDeviceProfile(String input) {
        return input.replaceAll("\n", "")
                .replaceAll("\r", "")
--- a/common/dao-api/src/main/java/org/thingsboard/server/dao/device/DeviceProfileService.java
+++ b/common/dao-api/src/main/java/org/thingsboard/server/dao/device/DeviceProfileService.java
@ -39,7 +39,7 @@ public interface DeviceProfileService extends EntityDaoService {

    PageData<DeviceProfileInfo> findDeviceProfileInfos(TenantId tenantId, PageLink pageLink, String transportType);

-    DeviceProfile findDeviceProfileByCertificateHash(String credentialsId);
+    DeviceProfile findDeviceProfileByProvisionDeviceKey(String provisionDeviceKey);

    DeviceProfile findOrCreateDeviceProfile(TenantId tenantId, String profileName);

--- a/common/data/src/main/java/org/thingsboard/server/common/data/DeviceProfile.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/DeviceProfile.java
@ -66,10 +66,6 @@ public class DeviceProfile extends SearchTextBased<DeviceProfileId> implements H
    private DeviceTransportType transportType;
    @ApiModelProperty(position = 15, value = "Provisioning strategy.")
    private DeviceProfileProvisionType provisionType;
-    @ApiModelProperty(position = 18, value = "CA certificate hash. ")
-    private String certificateHash;
-
-
    @ApiModelProperty(position = 7, value = "Reference to the rule chain. " +
            "If present, the specified rule chain will be used to process all messages related to device, including telemetry, attribute updates, etc. " +
            "Otherwise, the root rule chain will be used to process those messages.")
@ -125,7 +121,6 @@ public class DeviceProfile extends SearchTextBased<DeviceProfileId> implements H
        this.firmwareId = deviceProfile.getFirmwareId();
        this.softwareId = deviceProfile.getSoftwareId();
        this.defaultEdgeRuleChainId = deviceProfile.getDefaultEdgeRuleChainId();
-        this.certificateHash = deviceProfile.getCertificateHash();
        this.externalId = deviceProfile.getExternalId();
    }

--- a/common/data/src/main/java/org/thingsboard/server/common/data/device/profile/X509CertificateChainProvisionConfiguration.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/device/profile/X509CertificateChainProvisionConfiguration.java
@ -24,16 +24,10 @@ import org.thingsboard.server.common.data.DeviceProfileProvisionType;
@NoArgsConstructor
 public class X509CertificateChainProvisionConfiguration implements DeviceProfileProvisionConfiguration {

-    private String certificateValue;
+    private String provisionDeviceSecret;
    private String certificateRegExPattern;
    private boolean allowCreateNewDevicesByX509Certificate;

-    @Override
-    public String getProvisionDeviceSecret() {
-        // ignore device secret for this strategy
-        return null;
-    }
-
    @Override
    public DeviceProfileProvisionType getType() {
        return DeviceProfileProvisionType.X509_CERTIFICATE_CHAIN;
--- a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
+++ b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
@ -164,12 +164,10 @@ public class MqttSslHandlerProvider {
                            }
                        });
                latch.await(10, TimeUnit.SECONDS);
-                if (chain.length == 1) {
-                    if (!clientDeviceCertValue.equals(credentialsBodyHolder[0])) {
+                if (!clientDeviceCertValue.equals(credentialsBodyHolder[0])) {
+                    if (chain.length == 1) {
                        throw new CertificateException("Invalid Device Certificate");
-                    }
-                } else {
-                    if (!clientDeviceCertValue.equals(credentialsBodyHolder[0])) {
+                    } else {
                        throw new CertificateException("Invalid Chain of X509 Certificates");
                    }
                }
@ -177,6 +175,5 @@ public class MqttSslHandlerProvider {
                log.error(e.getMessage(), e);
            }
        }
-
    }
 }
--- a/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/util/SslUtil.java
+++ b/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/util/SslUtil.java
@ -16,6 +16,7 @@
 package org.thingsboard.server.common.transport.util;

 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.codec.binary.Base64;
 import org.bouncycastle.asn1.x500.RDN;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x500.style.BCStyle;
@ -24,8 +25,11 @@ import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
 import org.springframework.util.Base64Utils;
 import org.thingsboard.server.common.msg.EncryptionUtil;

+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;

 /**
@ -53,6 +57,23 @@ public class SslUtil {
        return stringBuilder.toString();
    }

+    public static X509Certificate readCertFile(String fileContent) {
+        X509Certificate certificate = null;
+        try {
+            if (fileContent != null && !fileContent.trim().isEmpty()) {
+                fileContent = fileContent.replace("-----BEGIN CERTIFICATE-----", "")
+                        .replace("-----END CERTIFICATE-----", "")
+                        .replaceAll("\\s", "");
+                byte[] decoded = Base64.decodeBase64(fileContent);
+                CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+                try (InputStream inStream = new ByteArrayInputStream(decoded)) {
+                    certificate = (X509Certificate) certFactory.generateCertificate(inStream);
+                }
+            }
+        } catch (Exception ignored) {}
+        return certificate;
+    }
+
    public static String parseCommonName(X509Certificate certificate) {
        X500Name x500name;
        try {
--- a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileCacheKey.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileCacheKey.java
@ -29,14 +29,14 @@ public class DeviceProfileCacheKey implements Serializable {
    private final TenantId tenantId;
    private final String name;
    private final DeviceProfileId deviceProfileId;
-    private final String certificateHash;
+    private final String provisionDeviceKey;
    private final boolean defaultProfile;

-    private DeviceProfileCacheKey(TenantId tenantId, String name, DeviceProfileId deviceProfileId, String certificateHash, boolean defaultProfile) {
+    private DeviceProfileCacheKey(TenantId tenantId, String name, DeviceProfileId deviceProfileId, String provisionDeviceKey, boolean defaultProfile) {
        this.tenantId = tenantId;
        this.name = name;
        this.deviceProfileId = deviceProfileId;
-        this.certificateHash = certificateHash;
+        this.provisionDeviceKey = provisionDeviceKey;
        this.defaultProfile = defaultProfile;
    }

@ -48,8 +48,8 @@ public class DeviceProfileCacheKey implements Serializable {
        return new DeviceProfileCacheKey(null, null, id, null, false);
    }

-    public static DeviceProfileCacheKey fromCertificateHash(String certificateHash) {
-        return new DeviceProfileCacheKey(null, null, null, certificateHash, false);
+    public static DeviceProfileCacheKey fromProvisionDeviceKey(String provisionDeviceKey) {
+        return new DeviceProfileCacheKey(null, null, null, provisionDeviceKey, false);
    }

    public static DeviceProfileCacheKey defaultProfile(TenantId tenantId) {
@ -65,8 +65,8 @@ public class DeviceProfileCacheKey implements Serializable {
            return deviceProfileId.toString();
        } else if (defaultProfile) {
            return tenantId.toString();
-        } else if (certificateHash != null) {
-            return certificateHash;
+        } else if (provisionDeviceKey != null) {
+            return provisionDeviceKey;
        }
        return tenantId + "_" + name;
    }
--- a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileDao.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileDao.java
@ -46,5 +46,4 @@ public interface DeviceProfileDao extends Dao<DeviceProfile>, ExportableEntityDa

    DeviceProfile findByName(TenantId tenantId, String profileName);

-    DeviceProfile findByCertificateHash(String certificateHash);
 }
--- a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileEvictEvent.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileEvictEvent.java
@ -27,6 +27,6 @@ public class DeviceProfileEvictEvent {
    private final String oldName;
    private final DeviceProfileId deviceProfileId;
    private final boolean defaultProfile;
-    private final String certificateHash;
+    private final String provisionDeviceKey;

 }
--- a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileServiceImpl.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceProfileServiceImpl.java
@ -70,7 +70,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    private static final String INCORRECT_TENANT_ID = "Incorrect tenantId ";
    private static final String INCORRECT_DEVICE_PROFILE_ID = "Incorrect deviceProfileId ";
    private static final String INCORRECT_DEVICE_PROFILE_NAME = "Incorrect deviceProfileName ";
-    private static final String INCORRECT_DEVICE_PROFILE_CREDENTIALS_HASH = "Incorrect deviceProfileCertificateHash ";
+    private static final String INCORRECT_PROVISION_DEVICE_KEY = "Incorrect provisionDeviceKey ";
    private static final String DEVICE_PROFILE_WITH_SUCH_NAME_ALREADY_EXISTS = "Device profile with such name already exists!";

    @Autowired
@ -103,8 +103,8 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
        if (StringUtils.isNotEmpty(event.getOldName()) && !event.getOldName().equals(event.getNewName())) {
            keys.add(DeviceProfileCacheKey.fromName(event.getTenantId(), event.getOldName()));
        }
-        if (event.getCertificateHash() != null) {
-            keys.add(DeviceProfileCacheKey.fromCertificateHash(event.getCertificateHash()));
+        if (event.getProvisionDeviceKey() != null) {
+            keys.add(DeviceProfileCacheKey.fromProvisionDeviceKey(event.getProvisionDeviceKey()));
        }
        cache.evict(keys);
    }
@ -112,7 +112,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    @Override
    public DeviceProfile findDeviceProfileById(TenantId tenantId, DeviceProfileId deviceProfileId) {
        log.trace("Executing findDeviceProfileById [{}]", deviceProfileId);
-        Validator.validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
+        validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
        return cache.getAndPutInTransaction(DeviceProfileCacheKey.fromId(deviceProfileId),
                () -> deviceProfileDao.findById(tenantId, deviceProfileId.getId()), true);
    }
@ -120,7 +120,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    @Override
    public DeviceProfile findDeviceProfileByName(TenantId tenantId, String profileName) {
        log.trace("Executing findDeviceProfileByName [{}][{}]", tenantId, profileName);
-        Validator.validateString(profileName, INCORRECT_DEVICE_PROFILE_NAME + profileName);
+        validateString(profileName, INCORRECT_DEVICE_PROFILE_NAME + profileName);
        return cache.getAndPutInTransaction(DeviceProfileCacheKey.fromName(tenantId, profileName),
                () -> deviceProfileDao.findByName(tenantId, profileName), true);
    }
@ -128,7 +128,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    @Override
    public DeviceProfileInfo findDeviceProfileInfoById(TenantId tenantId, DeviceProfileId deviceProfileId) {
        log.trace("Executing findDeviceProfileById [{}]", deviceProfileId);
-        Validator.validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
+        validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
        return toDeviceProfileInfo(findDeviceProfileById(tenantId, deviceProfileId));
    }

@ -137,7 +137,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
        log.trace("Executing saveDeviceProfile [{}]", deviceProfile);
        if (deviceProfile.getProfileData() != null && deviceProfile.getProfileData().getProvisionConfiguration() instanceof X509CertificateChainProvisionConfiguration) {
            X509CertificateChainProvisionConfiguration x509Configuration = (X509CertificateChainProvisionConfiguration) deviceProfile.getProfileData().getProvisionConfiguration();
-            if (x509Configuration.getCertificateValue() != null) {
+            if (x509Configuration.getProvisionDeviceSecret() != null) {
                formatDeviceProfileCertificate(deviceProfile, x509Configuration);
            }
        }
@ -147,11 +147,11 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
            savedDeviceProfile = deviceProfileDao.saveAndFlush(deviceProfile.getTenantId(), deviceProfile);
            publishEvictEvent(new DeviceProfileEvictEvent(savedDeviceProfile.getTenantId(), savedDeviceProfile.getName(),
                    oldDeviceProfile != null ? oldDeviceProfile.getName() : null, savedDeviceProfile.getId(), savedDeviceProfile.isDefault(),
-                    deviceProfile.getCertificateHash() != null ? deviceProfile.getCertificateHash() : null));
+                    deviceProfile.getProvisionDeviceKey() != null ? deviceProfile.getProvisionDeviceKey() : null));
        } catch (Exception t) {
            handleEvictEvent(new DeviceProfileEvictEvent(deviceProfile.getTenantId(), deviceProfile.getName(),
                    oldDeviceProfile != null ? oldDeviceProfile.getName() : null, null, deviceProfile.isDefault(),
-                    deviceProfile.getCertificateHash() != null ? deviceProfile.getCertificateHash() : null));
+                    deviceProfile.getProvisionDeviceKey() != null ? deviceProfile.getProvisionDeviceKey() : null));
            checkConstraintViolation(t,
                    Map.of("device_profile_name_unq_key", DEVICE_PROFILE_WITH_SUCH_NAME_ALREADY_EXISTS,
                            "device_provision_key_unq_key", "Device profile with such provision device key already exists!",
@ -177,7 +177,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    @Transactional
    public void deleteDeviceProfile(TenantId tenantId, DeviceProfileId deviceProfileId) {
        log.trace("Executing deleteDeviceProfile [{}]", deviceProfileId);
-        Validator.validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
+        validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
        DeviceProfile deviceProfile = deviceProfileDao.findById(tenantId, deviceProfileId.getId());
        if (deviceProfile != null && deviceProfile.isDefault()) {
            throw new DataValidationException("Deletion of Default Device Profile is prohibited!");
@ -192,7 +192,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
            deviceProfileDao.removeById(tenantId, deviceProfileId.getId());
            publishEvictEvent(new DeviceProfileEvictEvent(deviceProfile.getTenantId(), deviceProfile.getName(),
                    null, deviceProfile.getId(), deviceProfile.isDefault(),
-                    deviceProfile.getCertificateHash() != null ? deviceProfile.getCertificateHash() : null));
+                    deviceProfile.getProvisionDeviceKey() != null ? deviceProfile.getProvisionDeviceKey() : null));
        } catch (Exception t) {
            ConstraintViolationException e = extractConstraintViolationException(t).orElse(null);
            if (e != null && e.getConstraintName() != null && e.getConstraintName().equalsIgnoreCase("fk_device_profile")) {
@ -220,11 +220,11 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    }

    @Override
-    public DeviceProfile findDeviceProfileByCertificateHash(String certificateHash) {
-        log.trace("Executing findDeviceProfileIdByCredentialsId credentialId [{}]", certificateHash);
-        validateString(certificateHash, INCORRECT_DEVICE_PROFILE_CREDENTIALS_HASH + certificateHash);
-        return cache.getAndPutInTransaction(DeviceProfileCacheKey.fromCertificateHash(certificateHash),
-                () -> deviceProfileDao.findByCertificateHash(certificateHash), true);
+    public DeviceProfile findDeviceProfileByProvisionDeviceKey(String provisionDeviceKey) {
+        log.trace("Executing findDeviceProfileIdByCredentialsId credentialId [{}]", provisionDeviceKey);
+        validateString(provisionDeviceKey, INCORRECT_PROVISION_DEVICE_KEY + provisionDeviceKey);
+        return cache.getAndPutInTransaction(DeviceProfileCacheKey.fromProvisionDeviceKey(provisionDeviceKey),
+                () -> deviceProfileDao.findByProvisionDeviceKey(provisionDeviceKey), true);
    }

    @Override
@ -290,7 +290,7 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    @Override
    public boolean setDefaultDeviceProfile(TenantId tenantId, DeviceProfileId deviceProfileId) {
        log.trace("Executing setDefaultDeviceProfile [{}]", deviceProfileId);
-        Validator.validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
+        validateId(deviceProfileId, INCORRECT_DEVICE_PROFILE_ID + deviceProfileId);
        DeviceProfile deviceProfile = deviceProfileDao.findById(tenantId, deviceProfileId.getId());
        if (!deviceProfile.isDefault()) {
            deviceProfile.setDefault(true);
@ -350,14 +350,14 @@ public class DeviceProfileServiceImpl extends AbstractCachedEntityService<Device
    }

    private void formatDeviceProfileCertificate(DeviceProfile deviceProfile, X509CertificateChainProvisionConfiguration x509Configuration) {
-        String formattedCertificateValue = formatCertificateValue(x509Configuration.getCertificateValue());
+        String formattedCertificateValue = formatCertificateValue(x509Configuration.getProvisionDeviceSecret());
        String cert = fetchLeafCertificateFromChain(formattedCertificateValue);
        String sha3Hash = EncryptionUtil.getSha3Hash(cert);
        DeviceProfileData deviceProfileData = deviceProfile.getProfileData();
-        x509Configuration.setCertificateValue(formattedCertificateValue);
+        x509Configuration.setProvisionDeviceSecret(formattedCertificateValue);
        deviceProfileData.setProvisionConfiguration(x509Configuration);
        deviceProfile.setProfileData(deviceProfileData);
-        deviceProfile.setCertificateHash(sha3Hash);
+        deviceProfile.setProvisionDeviceKey(sha3Hash);
    }

    private String fetchLeafCertificateFromChain(String value) {
--- a/dao/src/main/java/org/thingsboard/server/dao/model/ModelConstants.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/model/ModelConstants.java
@ -195,7 +195,6 @@ public class ModelConstants {
    public static final String DEVICE_PROFILE_PROVISION_DEVICE_KEY = "provision_device_key";
    public static final String DEVICE_PROFILE_FIRMWARE_ID_PROPERTY = "firmware_id";
    public static final String DEVICE_PROFILE_SOFTWARE_ID_PROPERTY = "software_id";
-    public static final String DEVICE_PROFILE_CERTIFICATE_HASH_PROPERTY = "certificate_hash";
    public static final String DEVICE_PROFILE_DEFAULT_EDGE_RULE_CHAIN_ID_PROPERTY = "default_edge_rule_chain_id";

    /**
--- a/dao/src/main/java/org/thingsboard/server/dao/model/sql/DeviceProfileEntity.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/model/sql/DeviceProfileEntity.java
@ -109,9 +109,6 @@ public final class DeviceProfileEntity extends BaseSqlEntity<DeviceProfile> impl
    @Column(name = ModelConstants.EXTERNAL_ID_PROPERTY)
    private UUID externalId;

-    @Column(name = ModelConstants.DEVICE_PROFILE_CERTIFICATE_HASH_PROPERTY)
-    private String certificateHash;
-
    public DeviceProfileEntity() {
        super();
    }
@ -129,7 +126,6 @@ public final class DeviceProfileEntity extends BaseSqlEntity<DeviceProfile> impl
        this.image = deviceProfile.getImage();
        this.transportType = deviceProfile.getTransportType();
        this.provisionType = deviceProfile.getProvisionType();
-        this.certificateHash = deviceProfile.getCertificateHash();
        this.description = deviceProfile.getDescription();
        this.isDefault = deviceProfile.isDefault();
        this.profileData = JacksonUtil.convertValue(deviceProfile.getProfileData(), ObjectNode.class);
@ -192,7 +188,6 @@ public final class DeviceProfileEntity extends BaseSqlEntity<DeviceProfile> impl
            deviceProfile.setDefaultDashboardId(new DashboardId(defaultDashboardId));
        }
        deviceProfile.setProvisionDeviceKey(provisionDeviceKey);
-        deviceProfile.setCertificateHash(certificateHash);

        if (firmwareId != null) {
            deviceProfile.setFirmwareId(new OtaPackageId(firmwareId));
--- a/dao/src/main/java/org/thingsboard/server/dao/service/validator/DeviceProfileDataValidator.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/service/validator/DeviceProfileDataValidator.java
@ -132,14 +132,14 @@ public class DeviceProfileDataValidator extends AbstractHasOtaPackageValidator<D
        if (deviceProfile.getProvisionType() == null) {
            deviceProfile.setProvisionType(DeviceProfileProvisionType.DISABLED);
        }
-        if (deviceProfile.getCertificateHash() != null) {
-            if (getRootCAFromJavaCacerts(deviceProfile.getCertificateHash())) {
+        if (deviceProfile.getProvisionDeviceKey() != null) {
+            if (getRootCAFromJavaCacerts(deviceProfile.getProvisionDeviceKey())) {
                throw new DataValidationException("Device profile certificate cannot be well known root CA!");
            }
-            DeviceProfile existingDeviceProfileCertificate = deviceProfileDao.findByCertificateHash(deviceProfile.getCertificateHash());
-            if (existingDeviceProfileCertificate != null && !existingDeviceProfileCertificate.getId().equals(deviceProfile.getId())) {
-                throw new DataValidationException("Device profile with such certificate hash already exists!");
-            }
+//            DeviceProfile existingDeviceProfileCertificate = deviceProfileDao.findByProvisionDeviceKey(deviceProfile.getProvisionDeviceKey());
+//            if (existingDeviceProfileCertificate != null && !existingDeviceProfileCertificate.getId().equals(deviceProfile.getId())) {
+//                throw new DataValidationException("Device profile with such certificate hash already exists!");
+//            }
        }
        DeviceProfileTransportConfiguration transportConfiguration = deviceProfile.getProfileData().getTransportConfiguration();
        transportConfiguration.validate();
@ -234,14 +234,14 @@ public class DeviceProfileDataValidator extends AbstractHasOtaPackageValidator<D
                throw new DataValidationException(message);
            }
        }
-        if (deviceProfile.getCertificateHash() != null) {
-            if (getRootCAFromJavaCacerts(deviceProfile.getCertificateHash())) {
+        if (deviceProfile.getProvisionDeviceKey() != null) {
+            if (getRootCAFromJavaCacerts(deviceProfile.getProvisionDeviceKey())) {
                throw new DataValidationException("Device profile certificate cannot be well known root CA!");
            }
-            DeviceProfile existingDeviceProfileCertificate = deviceProfileDao.findByCertificateHash(deviceProfile.getCertificateHash());
-            if (existingDeviceProfileCertificate != null && !existingDeviceProfileCertificate.getId().equals(old.getId())) {
-                throw new DataValidationException("Device profile with such certificate hash already exists!");
-            }
+//            DeviceProfile existingDeviceProfileWithDeviceKey = deviceProfileDao.findByProvisionDeviceKey(deviceProfile.getProvisionDeviceKey());
+//            if (existingDeviceProfileWithDeviceKey != null && !existingDeviceProfileWithDeviceKey.getId().equals(old.getId())) {
+//                throw new DataValidationException("Device profile with such certificate hash already exists!");
+//            }
        }
        return old;
    }
--- a/dao/src/main/java/org/thingsboard/server/dao/sql/device/DeviceProfileRepository.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/sql/device/DeviceProfileRepository.java
@ -64,8 +64,6 @@ public interface DeviceProfileRepository extends JpaRepository<DeviceProfileEnti
            "WHERE d.tenantId = :tenantId AND d.isDefault = true")
    DeviceProfileInfo findDefaultDeviceProfileInfo(@Param("tenantId") UUID tenantId);

-    DeviceProfileEntity findDeviceProfileByCertificateHash(String certificateHash);
-
    DeviceProfileEntity findByTenantIdAndName(UUID id, String profileName);

    DeviceProfileEntity findByProvisionDeviceKey(@Param("provisionDeviceKey") String provisionDeviceKey);
--- a/dao/src/main/java/org/thingsboard/server/dao/sql/device/JpaDeviceProfileDao.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/sql/device/JpaDeviceProfileDao.java
@ -115,11 +115,6 @@ public class JpaDeviceProfileDao extends JpaAbstractSearchTextDao<DeviceProfileE
        return DaoUtil.getData(deviceProfileRepository.findByTenantIdAndName(tenantId.getId(), profileName));
    }

-    @Override
-    public DeviceProfile findByCertificateHash(String certificateHash) {
-        return DaoUtil.getData(deviceProfileRepository.findDeviceProfileByCertificateHash(certificateHash));
-    }
-
    @Override
    public DeviceProfile findByTenantIdAndExternalId(UUID tenantId, UUID externalId) {
        return DaoUtil.getData(deviceProfileRepository.findByTenantIdAndExternalId(tenantId, externalId));
--- a/dao/src/main/resources/sql/schema-entities.sql
+++ b/dao/src/main/resources/sql/schema-entities.sql
@ -295,10 +295,8 @@ CREATE TABLE IF NOT EXISTS device_profile (
    default_dashboard_id uuid,
    default_queue_name varchar(255),
    provision_device_key varchar,
-    certificate_hash varchar,
    default_edge_rule_chain_id uuid,
    external_id uuid,
-    CONSTRAINT device_profile_credentials_hash_unq_key UNIQUE (certificate_hash),
    CONSTRAINT device_profile_name_unq_key UNIQUE (tenant_id, name),
    CONSTRAINT device_provision_key_unq_key UNIQUE (provision_device_key),
    CONSTRAINT device_profile_external_id_unq_key UNIQUE (tenant_id, external_id),