Skip to content

Runtime Certificate and Private Key Configuration#


Anjay library supports secure connection between device and server. Encryption can be achieved with the use of Pre-Shared Key as it was described in nRF9160 DK, nRF7002 DK and Thingy:91 pages or with certificate-based cryptography.

In Certificate Mode an asymmetrical algorithm is used to authenticate the connection endpoints and initialize payload encryption. Appropriate certificates need to be generated for both the LwM2M Client and the LwM2M Server. Public certificates of both parties are mutually available, and each party also has access to its corresponding private key.

You can read more about secure communication on Anjay's documentation page.



Go through the README's Getting Started part.

  • Installed OpenSSL
  • Installed minicom (for Linux), RealTerm, PuTTy (for Windows), or another serial communication program.
  • An active Coiote IoT DM user account.


The runtime certificate and private key configuration do not work with other boards.

Build and flash the device#

  1. Connect the nRF9160 DK board to a USB port of your machine.
  2. Enter the command line interface on your machine and change the directory to the one where you set up the Zephyr project (usually, it's ~/zephyrproject).
  3. Go to your local Anjay-zephyr-client/demo directory
  4. Set manifest file to west-nrf.yml, and do west update:

    west config manifest.path Anjay-zephyr-client/demo
    west config manifest.file west-nrf.yml
    west update
  5. Build a project with a runtime certificate and private key.

    In order to build application using software cryptography, build using following command:

    west build -b nrf9160dk_nrf9160_ns -p -- -DEXTRA_CONF_FILE="overlay_nrf_mbedtls.conf"


    This feature works with nRF9160 DK starting from revision v0.14.0, which is used by default for nrf9160dk_nrf9160_ns target, but you can pass revision explicitly in order to protect against further NCS updates.

  6. Flash the board with west flash command.

Generate certificate#

The certificate and private key based on the SECP256R1 curve can be provided through the shell interface in .pem format. To generate To generate a self-signed certificate and key pair open a terminal in the Anjay-zephyr-client/demo directory and use the following commands.

openssl ecparam -name secp256r1 -out ecparam.der
openssl req -new -x509 -nodes -newkey ec:ecparam.der -keyout demo-cert.key -out cert.pem -days 3650
openssl ec -in demo-cert.key -outform pem -out key.pem

Fragment of creating certificates


To use the certificate and private key with Coiote IoT DM you must specify a common name that is the same as the client endpoint name.

You will see two files cert.pem and key.pem created in the Anjay-zephyr-client/demo directory.

Configure the Client#

  1. Provide the generated certificate and private key through the shell in the serial communication program.


    Before setting configurations in Anjay you need to stop running Anjay by anjay stop command.

    Run these commands and paste the content of the files generated in the previous step.

    anjay config set public_cert
    anjay config set private_key

    Generate certificate in Anjay

  2. Save changes, start Anjay using anjay start command and go to the next step to add a device to Coiote IoT DM.

Add device to Coiote IoT DM#

  1. Upon logging in to Coiote IoT DM for the first time, you will see the Add your LwM2M device panel.


    If you had previously added a device, in Device inventory, click the Add device button.

  2. Select the Connect your LwM2M device directly via the Management server tile. Add via Mgmt

  3. In the Device credentials step:
    • In the Endpoint name enter your LwM2M device endpoint name, e.g. anjay-zephyr-demo.
    • In the Security mode section, select Certificate mode. Device credentials step
    • Click Upload a new certificate and Browse.
    • In the pop-up, go to the directory where your certificate has been generated, select the cert.pem file and click Open.
    • Click Add device.


The Endpoint name which you enter to the Coiote IoT DM should be the same as it is in the Client configuration.

  1. Click Next, Go to Summary to skip the third step, and Finish to see your Device Center. Registered device

Last update: May 16, 2024