Configuration for IoT devices

[maelp]

My IoT devices are pre-loaded with certificates, and each one has a private key, and my server has the corresponding public key

how do I use that to only allow my devices to connect to the MQTT broker, and also to only allow devices to publish on their "namespaced" channel, eg if the "Name" in the certificate is "device-xyz", it can only read/write on /devices/device-xyz or similar?