Professional Edition
ThingsBoard Documentation
Cloud Professional Edition Community Edition Edge IoT Gateway License Server Trendz Analytics Mobile Application PE Mobile Application
Try it now Pricing
Documentation > Security > CoAP Transport > X.509 Certificate based authentication
Getting Started
Guides Installation Architecture API FAQ

On this page

X.509 Certificate Based Authentication for CoAP over DTLS

X.509 Certificates are used to setup mutual (two-way) authentication for CoAP over DTLS. It is similar to access token authentication, but uses X.509 Certificate instead of token.

Instructions below will describe how to connect CoAP client using X.509 Certificate to ThingsBoard Cloud.

Step 1. Generate Client certificate

Use the following command to generate the self-signed EC based private key and x509 certificate. The command is based on the openssl tool which is most likely already installed on your workstation:

openssl ecparam -out key.pem -name secp256r1 -genkey
openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem 

The output of the command will be a private key file key.pem and a public certificate cert.pem. We will use them in next steps.

Step 2. Provision Client Public Key as Device Credentials

Go to ThingsBoard Web UI -> Device Groups -> Group “All” -> Your Device -> Device Credentials.

Select X.509 Certificate device credentials, insert the contents of cert.pem file and click save. Alternatively, the same can be done through the REST API.

Step 3. Connect DTLS CoAP Client using X.509 certificate

Install the CoAP client with DTLS support on Linux by following the next steps:

  • step 1: clone libcoap git repo:
git clone --recursive
  • step 2: navigate into libcoap directory:
cd libcoap
  • step 3: execute next commands and then run ./ script:
sudo apt-get update
sudo apt-get install autoconf libtool libssl-dev
  • step 4: run ./configure script with next options:
./configure --with-openssl --disable-doxygen --disable-manpages --disable-shared
  • step 5: execute next command:
  • step 6: execute next command:
sudo make install

Finally, run the example script below to validate DTLS with X.509 Certificate auth and subscribe for shared attributes updates: The coap-client example below demonstrates how to connect to ThingsBoard Cloud or to any other ThingsBoard CoAP server that has valid and trusted certificate.

coap-client-openssl -v 9 -c cert.pem  -j key.pem -m POST \
-t "application/json" -e '{"temperature":43}' coaps://

Don’t forget to replace with the host of your ThingsBoard instance.