nRF Cloud CoAP connection fails with err -111 (self-signed CA certificate)https://devzone.nordicsemi.com/f/nordic-q-a/127576/nrf-cloud-coap-connection-fails-with-err--111-self-signed-ca-certificateHi, I&#39;m developing a custom board based on nRF9151 (similar to Thingy:91X) and trying to connect to nRF Cloud for location services (A-GNSS, Wi-Fi location, Cellular location). ## Environment - nRF Connect SDK: v3.1.1 en-USTelligent Community 13Wed, 08 Apr 2026 08:09:33 GMTRE: nRF Cloud CoAP connection fails with err -111 (self-signed CA certificate)https://devzone.nordicsemi.com/thread/564588?ContentTypeID=1Wed, 08 Apr 2026 08:09:33 GMT137ad170-7792-4731-bb38-c0d22fbe4515:c41f2606-ca0c-4caa-a23e-1403e1c17d2bPascal Hdz<p>Hello Min Kim,</p> <p>Do you still need help on this or can we close this ticket?</p> <p>Regards,</p> <p>Pascal.</p><div style="clear:both;"></div>RE: nRF Cloud CoAP connection fails with err -111 (self-signed CA certificate)https://devzone.nordicsemi.com/thread/564165?ContentTypeID=1Fri, 27 Mar 2026 09:40:33 GMT137ad170-7792-4731-bb38-c0d22fbe4515:61c31134-1e9e-4781-8b3b-96f8598e139cPascal Hdz<p>Hello Min Kim,</p> <p>You don&#39;t need to do the step 3 and 4 that you mention in your ticket description. The auto-onboarding will handle a remote provisioning of your device so please avoid doing it locally.</p> <p>Please follow the next steps:</p> <ul> <li><span>Select and unclaim the device from the claimed devices list:&nbsp;<a href="https://app.nrfcloud.com/#/claimed-devices">https://app.nrfcloud.com/#/claimed-devices</a></span></li> <li>Install <a href="https://github.com/nRFCloud/utils">nRF Cloud Utils</a>&nbsp;and delete the provisioned certificates with the next command:</li> </ul> <p>nrfcredstore&nbsp;&lt;YOUR_PORT&gt;&nbsp;deleteall</p> <ul> <li><span>Repeat the auto-onboarding process. You could repeat the process you did before or use&nbsp;nRF Cloud Utils as described in our documentation:&nbsp;<a href="https://docs.nordicsemi.com/bundle/nrf-cloud/page/GettingStarted.html#provision-one-device-using-provisioning-service">https://docs.nordicsemi.com/bundle/nrf-cloud/page/GettingStarted.html#provision-one-device-using-provisioning-service</a></span></li> </ul> <p><span>Regards,</span></p> <p><span>Pascal.</span></p><div style="clear:both;"></div>RE: nRF Cloud CoAP connection fails with err -111 (self-signed CA certificate)https://devzone.nordicsemi.com/thread/564131?ContentTypeID=1Thu, 26 Mar 2026 20:21:51 GMT137ad170-7792-4731-bb38-c0d22fbe4515:d492e554-3cdf-4b1d-974a-6a253b4afb51mincom<p><span class="font-semibold" data-streamdown="strong">Update: Still getting -111 error after nRF Cloud auto-onboarding</span></p> <p>I tried a different approach using the attestation token and &quot;Create new rule for onboarding to nRF Cloud&quot; option as described in the<span>&nbsp;</span><a href="https://wiki.makerdiary.com/nrf9151-connectkit/guides/ncs/samples/nrf_provisioning/" rel="noopener noreferrer" target="_blank">nRF9151 Connect Kit guide</a>.</p> <p><span class="font-semibold" data-streamdown="strong">Steps I followed:</span></p> <ol data-streamdown="ordered-list"> <li data-streamdown="list-item">Flashed<span>&nbsp;</span><code class="md-inline-variable-like">nrf_provisioning</code><span>&nbsp;</span>sample to custom board</li> <li data-streamdown="list-item">Got attestation token using<span>&nbsp;</span><code class="">nrf_provisioning token</code><span>&nbsp;</span>command</li> <li data-streamdown="list-item">In nRF Cloud UI: Claim Device &rarr; pasted attestation token &rarr; enabled &quot;Create new rule for onboarding to nRF Cloud&quot; &rarr; Create Rule and Claim Device</li> <li data-streamdown="list-item">Rebooted device - provisioning completed successfully</li> <li data-streamdown="list-item">nRF Cloud UI shows device status as<span>&nbsp;</span><span class="font-semibold" data-streamdown="strong">READY</span><span>&nbsp;</span>with: <ul data-streamdown="unordered-list"> <li data-streamdown="list-item">Cloud Access Key Generation: Succeeded</li> <li data-streamdown="list-item">Server Certificate: Succeeded (Generated for nRF Cloud auto-onboarding)</li> <li data-streamdown="list-item">Client Certificate: Succeeded (Generated for nRF Cloud auto-onboarding)</li> </ul> </li> </ol> <p><span class="font-semibold" data-streamdown="strong">Verification:</span></p> <div class="composer-message-codeblock"> <div class="ui-code-block"> <div class="ui-code-block-content"> <div class="ui-scroll-area" data-visibility="hover" data-direction="horizontal"> <div class="ui-scroll-area__viewport"> <div class="ui-scroll-area__content"> <div class="ui-default-code ui-code-block-default-code"> <div class="ui-default-code__content"> <div class="ui-default-code__line"> <div class="ui-default-code__line-content"><span>AT%CMNG=1,16842753</span></div> </div> <div class="ui-default-code__line"> <div class="ui-default-code__line-content"><span>%CMNG: 16842753,0,&quot;F6EEF665B61C4F9852AC3C84747D0EE92D0E79B24C187ABB7CEEF7A85E173534&quot;</span></div> </div> <div class="ui-default-code__line"> <div class="ui-default-code__line-content"><span>%CMNG: 16842753,1,&quot;E882E67370D8457A30341D0FC89E1E0E5D95F517263578A1DE547A459E0F1662&quot;</span></div> </div> <div class="ui-default-code__line"> <div class="ui-default-code__line-content"><span>%CMNG: 16842753,2,&quot;79EB6167AACF3A9333FFA8CF9F15EC351AF898F637499264B94F4F77444D59A0&quot;</span></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p>Server CA (Type 0) content is<span>&nbsp;</span><span class="font-semibold" data-streamdown="strong">identical</span><span>&nbsp;</span>to factory-provisioned Thingy:91 X (SEC_TAG 4242):</p> <ul data-streamdown="unordered-list"> <li data-streamdown="list-item">Amazon Root CA 1</li> <li data-streamdown="list-item">nRF Cloud CoAP CA</li> </ul> <p><span class="font-semibold" data-streamdown="strong">But still getting -111 error:</span></p> <div class="composer-message-codeblock"> <div class="ui-code-block"> <div class="ui-code-block-content"> <div class="ui-scroll-area" data-visibility="hover" data-direction="horizontal"> <div class="ui-scroll-area__viewport"> <div class="ui-scroll-area__content"> <div class="ui-default-code ui-code-block-default-code"> <div class="ui-default-code__content"> <div class="ui-default-code__line"> <div class="ui-default-code__line-content"><span>nrf_cloud_coap_transport: Could not connect to nRF Cloud CoAP server coap.nrfcloud.com, port: 13334. err: -111</span></div> </div> </div> </div> </div> </div> <div class="ui-scroll-area__scrollbar" data-scrollable="true"> <div class="ui-scroll-area__thumb"></div> </div> </div> </div> </div> </div> <p><span class="font-semibold" data-streamdown="strong">Additional observation:</span></p> <ul data-streamdown="unordered-list"> <li data-streamdown="list-item">Factory Thingy:91 X with SEC_TAG=4242 &rarr; Works ✓</li> <li data-streamdown="list-item">Factory Thingy:91 X with SEC_TAG=16842753 (auto-onboarded) &rarr; Does NOT work ✗</li> <li data-streamdown="list-item">Custom board with SEC_TAG=16842753 (auto-onboarded) &rarr; Does NOT work ✗</li> </ul> <p>It seems like the Client Certificate signed by nRF Cloud auto-onboarding is being rejected during TLS handshake, even though the Server CA is correct.</p> <p><span class="font-semibold" data-streamdown="strong">Questions:</span></p> <ol data-streamdown="ordered-list"> <li data-streamdown="list-item">Is there a difference between factory-provisioned certificates (SEC_TAG 4242) and auto-onboarded certificates (SEC_TAG 16842753)?</li> <li data-streamdown="list-item">Is there any additional configuration needed for auto-onboarded devices to use CoAP?</li> <li data-streamdown="list-item">How can I verify that the Client Certificate is correctly signed and trusted by nRF Cloud?</li> </ol><div style="clear:both;"></div>