nRF Cloud Certificate Update

This guide shows you how to generate and provision new nRF Cloud certificates for your Nordic Thingy:91 or nRF9160 development kit.


  1. To generate new nRF Cloud certificates you need to have a nRF Cloud account.
  2. For provisioning the certificates onto your device you need the nRF Connect for Desktop LTE Link Monitor application v1.1.1 or later. Download here.
  3. Make sure the Thingy:91 or nRF9160-DK has an application firmware that supports long AT commands up to 3kB. This can be done either by compiling the nRF Connect SDK asset tracker with the AT command interface library enabled or by compiling the at_client sample.
    In both cases the CONFIG_AT_CMD_RESPONSE_MAX_LEN configuration needs to be set to at least 3k.
  4. Enure your kit is running the latest modem FW. (v1.0.1 or later)

Pre-compiled application firmware for Thingy:91 can be found under the Thingy:91 download page, the included thingy91_at_client binaries (v0.2.3 and later) supports the needed long AT commands. A guide on how to update the Thingy:91 FW can be found here.

Pre-compiled application firmware for nRF9160-DK can be found under the nRF9160-DK download page and also supports the needed long AT commands.

Download new certificates

To download new certificates go into the account view on nRF Cloud. Then input your device IMEI number and PIN/HWID found on the label on the PCB into the Device Certificates card. HWID for nRF9160-DK and PIN for Thingy:91.

Then click the Download Certificate button.

Provision certificates

  1. Open nRF Connect for Desktop, launch LTE Link Monitor application and connect to the device using USB.
  2. Remove the SIM card and ensure the modem is in offline state (AT+CFUN=4) before updating certificates. Uncheck Automatic requests and use AT+CFUN? to read the state.
  3. Go to the Certificate manager tab either by clicking the button on the top or by using the shortcut Alt+3.
  4. Import the downloaded JSON file either by dragging and dropping it into the GUI or by clicking the Load from JSON button.
  5. Ensure Security tag is set to 16842753. Then provision the certificates by clicking the Update certificates button and observe that all the AT commands get the OK response.

Delete device

The device needs to be deleted from nRFCloud before the new certificates will work. 

Go into the account view on nRF Cloud. Then input your device IMEI number and PIN/HWID found on the label on the PCB into the Reset a Device card. HWID for nRF9160-DK and PIN for Thingy:91.

Then click the Reset Device button.


  • Remember to re-flash the asset tracker application, if the at_client was flashed and used for provisioning.
  • POLLHUP is expected the very first time the device connects after the above procedure has been completed. If the application does not automatically restart, do a manual restart of the device by toggling power (Thingy:91) or pressing the reset button (nRF9160-DK).
  • Since the above steps deletes your device it needs to be re-added to your account after the above steps are completed.
  • If updating certificates on a nRF9160-DK without PIN, its important to remember that after running through the above steps the kit should be added to nRF Cloud using the IMEI and PIN/HWID method, not the legacy button and switch method.