openvehicles · shadowguardian507-irl · Mar 27, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/docs/source/userguide/commands.rst b/docs/source/userguide/commands.rst
@@ -191,6 +191,22 @@ More info on the general OVMS MQTT topic scheme can be found
 `on the developer mailing list <http://lists.openvehicles.com/pipermail/ovmsdev/2018-July/005297.html>`_.
 
 
+TLS client certificate commands
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If the broker needs a client certificate (mTLS)::
+
+  OVMS# server v3 tlsclient import <cert_path> <key_path>
+  OVMS# server v3 tlsclient status
+  OVMS# server v3 tlsclient info
+  OVMS# server v3 tlsclient check
+  OVMS# server v3 tlsclient reload
+  OVMS# server v3 tlsclient clear
+
+Files are stored under ``/store/tls/``. Use ``check`` to validate the cert/key pair,
+``reload`` to reconnect and apply changes.
+
+
 ------------------
 Custom Server APIs
 ------------------

diff --git a/docs/source/userguide/components.rst b/docs/source/userguide/components.rst
@@ -123,6 +123,37 @@ Send all ``v.b`` metrics except ``v.b.soc``::
   OVMS# config set server.v3 metrics.include v.b.*
   OVMS# config set server.v3 metrics.exclude v.b.soc
 
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Broker compatibility options
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Some brokers have additional requirements:
+
+- ``retain.depth.limit`` (default: ``no``) — omits the RETAIN flag on topics deeper than 8 path segments. Needed for AWS IoT Core, which silently drops retained publishes on topics deeper than 8 levels.
+
+Example::
+
+  OVMS# config set server.v3 retain.depth.limit yes
+
+.. note:: AWS IoT Core requires the MQTT keepalive to be 1200 seconds or less.
+  Set ``updatetime.keepalive`` accordingly::
+
+    OVMS# config set server.v3 updatetime.keepalive 1200
+
+These options can also be set from the **Config → Server V3 (MQTT)** web page.
+
+^^^^^^^^^^^^^^^^^^^^^^^^^
+TLS client authentication
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The module supports client certificate authentication (mTLS) for brokers that need it.
+Paste the PEM certificate and key into the **Config → Server V3 (MQTT)** web page,
+or use the CLI::
+
+  OVMS# server v3 tlsclient import /sd/client.crt /sd/client.key
+
+See :doc:`commands` for the full list of ``tlsclient`` commands.
+
 -------------------------------
 Upgrading from OVMS v1/v2 to v3
 -------------------------------

diff --git a/docs/source/userguide/ssltls.rst b/docs/source/userguide/ssltls.rst
@@ -48,6 +48,10 @@ These trusted certificate authorities are used by the various module in the OVMS
 establishing SSL/TLS connections (in order to verify the certificate of the server being
 connected to).
 
+.. note:: For MQTT brokers that require **client certificate authentication** (mTLS),
+  see the :doc:`Server V3 configuration <components>` section on TLS client authentication
+  and the ``server v3 tlsclient`` :doc:`commands <commands>`.
+
 
 ----------------------------------
 How to get the CA PEM for a Server

diff --git a/vehicle/OVMS.V3/changes.txt b/vehicle/OVMS.V3/changes.txt
@@ -1,6 +1,28 @@
 Open Vehicle Monitor System v3 - Change log
 
 ????-??-?? ???  ???????  OTA release
+- Server V3 (MQTT): AWS IoT Core compatibility fixes:
+    - mTLS client certificate authentication: the module now supports X.509 client
+      certificates for MQTT broker authentication (required by AWS IoT Core and other
+      brokers that use mutual TLS instead of username/password).
+      The client certificate and private key are stored in server.v3 config and managed
+      via the web UI (Config -> Server V3: "TLS client authentication" section) or CLI:
+        server v3 tlsclient import <cert_path> <key_path>  -- load PEM files from storage
+        server v3 tlsclient status                         -- show cert/key status
+        server v3 tlsclient info                           -- show certificate metadata
+        server v3 tlsclient check                          -- validate cert/key pair
+        server v3 tlsclient clear                          -- remove cert and key
+        server v3 tlsclient reload                         -- reconnect to apply changes
+    - Fixed MQTT CONNECT: empty username/password strings are now sent as absent (NULL)
+      rather than empty, matching broker expectations for certificate-only authentication.
+    - New config param retain.depth.limit (bool, default no):
+      When enabled, metric topics with more than 8 path segments are published without the
+      MQTT RETAIN flag. AWS IoT Core silently rejects retained publishes on topics deeper
+      than 8 segments; this guard ensures all other metrics remain retained while deep topics
+      still reach live subscribers. Disable for brokers that support retained messages on
+      arbitrarily deep topics.
+      Exposed in the web UI (Config → Server V3: "Limit retain to 8-segment topics") and
+      shown in CLI output of 'server v3 status'.
 - Server V3: the MQTT client ID to use can now be configured. While not normally necessary, changing the
     client ID may be necessary to discard an existing MQTT server session when changing the username.
   New configs: