LWM2M Client With X.509 Certificate

RE: LWM2M Client With X.509 Certificate

SeppoTakalo — Fri, 20 Feb 2026 10:22:13 GMT

[quote userid="131464" url="~/f/nordic-q-a/115127/lwm2m-client-with-x-509-certificate/561402"]Certificates have a limited validity. How are they to be updated when programmed to the modem memory?[/quote]

The update from LwM2M engine to modem is implemented in our extension to the Zephyr's LwM2M client here https://github.com/nrfconnect/sdk-nrf/blob/71ea8751dc421778f3f554e4db0c1c89d07351bc/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c

So if you have

CONFIG_LWM2M_CLIENT_UTILS=y
CONFIG_LWM2M_CLIENT_UTILS_SECURITY_OBJ_SUPPORT=y

then certificates that are written into LwM2M engine's registry, are automatically written to modem when connection is initiated.

Bootstrap server writes credentials for LwM2M client. So it is used to rotate keys.

RE: LWM2M Client With X.509 Certificate

Maarten "merethan" — Tue, 17 Feb 2026 19:01:11 GMT

Certificates have a limited validity. How are they to be updated when programmed to the modem memory?

Same question with anything compiled in as a static const char.

This sounds to me, when certificates are used as authorization & authentication mechanism, a device is essentially bricked after a year or two unless a FOTA update is done in time.

This biennial FOTA update should then come with a new set of certificates and key. Or, when the certs & key are in the modem memory, somehow at bootup figure which are programmed to it & update them if needed.

Is my understanding correct here?

RE: LWM2M Client With X.509 Certificate

SeppoTakalo — Fri, 04 Oct 2024 10:42:30 GMT

Let me clarify few more things.

When writing certificates and CA certificates to modem, please note that CA certificate that you write should be the one that is used by the target server. Not your own CA that you used to generate the client certificate.

So then it depends on the server configuration whether it trust your own CA.
And when you program the CA that server uses, then modem trusts the server.

If we use Leshan as an example, you can fetch the server certificate with OpenSSL command line and use that as a CA chain that is programmed to the modem

openssl s_client -dtls -showcerts -connect leshan.eclipseprojects.io:5684

Then what comes to lwm2m_security_set_certificate(), it has a same effect as those separate writes in LwM2M security modes. If you use that it causes certificates to be provisioned to the modem every time the client boots, which might not be wanted behaviour.

But anyhow, here is an example how to use it. Modify the lwm2m_setup() to look like this:

static int lwm2m_setup(void)
{
	/* Save power by not updating timestamp on device object */
	lwm2m_update_device_service_period(0);

	/* Manufacturer dependent */
	/* use IMEI as serial number */
	lwm2m_app_init_device(imei_buf);
	lwm2m_init_security(&client, endpoint_name, NULL);

	/* Security Mode */
	static const char certificate[] =
		"-----BEGIN CERTIFICATE-----\n"
		"...clip..."
		"-----END CERTIFICATE-----";

	static const char key[] =
		"-----BEGIN EC PRIVATE KEY-----\n"
		"...clip..."
		"-----END EC PRIVATE KEY-----";

	static const char root_ca[] =
		"-----BEGIN CERTIFICATE-----\n"
		"...clip..."
		"-----END CERTIFICATE-----";

	lwm2m_set_string(&LWM2M_OBJ(LWM2M_OBJECT_SECURITY_ID, 0, 0), "coaps://leshan.eclipseprojects.io:5684");
	lwm2m_security_set_certificate(0, certificate, sizeof(certificate), key, sizeof(key),
				       root_ca, sizeof(root_ca));

RE: LWM2M Client With X.509 Certificate

dejans — Thu, 03 Oct 2024 16:03:12 GMT

Hi,

The easiest way to run LwM2M client in X.509 mode is to write certificates to the modem before application starts.
1. create own root CA certificate

## Generate private CA certificate
 
You only need to generate these once.
On a commercial operations, you don't do this, but instead rely on real CA authority.
 
openssl ecparam -genkey -name prime256v1 -out ca.key
openssl req -x509 -new -SHA256 -nodes -key ca.key -days 3650 -subj '/O=My Company/CN=My root CA/' -out ca.crt

2. generate certificate and private key for your client device

## Generate certificate and private key for the client
 
openssl ecparam -genkey -name prime256v1 -out client.key
openssl req -x509 -new -SHA256 -nodes -key client.key -CA ca.crt -CAkey ca.key -subj '/CN=urn:imei:<your_15_digit_imei_goes_here>/' -out client.crt

3. flash the device with AT client sample and write certificates to the modem using nRF Cellular Monitor -> Certification Manager.
4. build LwM2M application without default PSK key so that it uses whatever has been already provisioned

west build -b nrf9151dk/nrf9151/ns -- -DCONFIG_APP_LWM2M_PSK="\"\""

Best regards,
Dejan

RE: LWM2M Client With X.509 Certificate

dejans — Thu, 03 Oct 2024 09:36:34 GMT

Hi,

I have asked internally for more specific information with regard to your question. We will look into this. I will get back to you probably during next week.

Best regards,
Dejan

RE: LWM2M Client With X.509 Certificate

tomgud — Tue, 01 Oct 2024 13:43:03 GMT

I have seen the reference you provided, but it is not clear on how to implement it in the SDK v2.7.0 sample "Cellular: LwM2M Client". Is lwm2m_security_set_certificate still needed when lwm2m_security_object_ids are being set? Could you please provide exact instructions on how to set up X.509 security object in the scope of the "Cellular: LwM2M Client" sample.

Thanks!

RE: LWM2M Client With X.509 Certificate

dejans — Tue, 01 Oct 2024 10:56:28 GMT

Hi,

When X.509 certificates are used, it is necessary to set up security object for X.509 certificate mode. There are several lwm2m_security_object_ids that need to be set. You can have a look at LwM2M security modes.

Best regards,
Dejan