X.509 Certificate Based Authentication for CoAP over DTLS
X.509 certificates are used to set up mutual (two-way) authentication for CoAP over DTLS.
It is similar to access token authentication, but uses an X.509 certificate instead of a token.
The instructions below describe how to connect a CoAP client to Klyff Cloud using an X.509 certificate.
Step 1. Generate Client certificate
Use the following commands to generate a self-signed EC-based private key and X.509 certificate.
The commands use the openssl tool, which is most likely already installed on your workstation:
    openssl ecparam -out key.pem -name secp256r1 -genkey
    openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem
The output of the commands is a private key file key.pem and a public certificate cert.pem.
We will use them in the next steps.
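A non-interactive form of the Step 1 commands with a check to run before the certificate is uploaded in Step 2. This is an added example, not part of the Klyff documentation; the function names and the CN value demo-device are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and the CN "demo-device" are constructed.

# Non-interactive form of the Step 1 commands. umask 077 keeps key.pem,
# which is written unencrypted, readable by its owner only.
gen_device_identity() {    # usage: gen_device_identity DIR COMMON_NAME
    (
        umask 077
        openssl ecparam -name secp256r1 -genkey -out "$1/key.pem" 2>/dev/null &&
        openssl req -new -x509 -nodes -key "$1/key.pem" -days 365 \
            -subj "/CN=$2" -out "$1/cert.pem"
    )
}

# Pre-upload check. Returns 0 when the pair is usable, 1 when cert and key
# do not belong together, 2 when the certificate has expired, 3 when the
# key file is accessible to group or others.
check_device_identity() {  # usage: check_device_identity CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 2
    case "$(ls -ln "$2")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 3 ;;
    esac
}

# Demo in a throwaway directory: generate, check, then print the subject,
# expiry date and SHA-256 fingerprint of the certificate.
demo_dir=$(mktemp -d)
gen_device_identity "$demo_dir" demo-device &&
    check_device_identity "$demo_dir/cert.pem" "$demo_dir/key.pem" &&
    openssl x509 -in "$demo_dir/cert.pem" -noout -subject -enddate \
        -fingerprint -sha256
rm -rf "$demo_dir"
```

Only cert.pem goes into Device Credentials; key.pem stays on the client and is passed to coap-client-openssl with -j.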
Step 2. Provision Client Public Key as Device Credentials
Go to Klyff Web UI -> Devices -> Your Device -> Device Credentials.
Select X.509 Certificate device credentials, insert the contents of the cert.pem file and click save.
Alternatively, the same can be done through the REST API.
Step 3. Connect DTLS CoAP Client using X.509 certificate
Install the CoAP client with DTLS support on Linux by following these steps:
- step 1: clone libcoap git repo:

    git clone https://github.com/obgm/libcoap --recursive --depth 1

- step 2: navigate into libcoap directory:
- step 3: execute the following command and then run the ./autogen.sh script:

    sudo apt-get install autoconf libtool libssl-dev

- step 4: run the ./configure script with the following options:

    ./configure --with-openssl --disable-doxygen --disable-manpages --disable-shared

- step 5: execute next command:
- step 6: execute next command:
Finally, run the example script below to validate DTLS with X.509 Certificate auth and subscribe for shared attributes updates:
The coap-client example below demonstrates how to connect to Klyff Cloud or to any other Klyff CoAP server that has a valid and trusted certificate.

    coap-client-openssl -v 9 -c cert.pem -j key.pem -m POST \
      -t "application/json" -e '{"temperature":43}' coaps://coap.eu.thingsboard.cloud/api/v1/telemetry

Don’t forget to replace coap.eu.thingsboard.cloud with the host of your Klyff instance.