Mistake on this page? Email us

Connection configuration

Device Management provides different ways of onboarding and connecting a device to the cloud. This also has an effect on how you can renew the certificates and maintain the connection. Read more about the device onboarding and connection options.

Use bootstrap server

FCU parameter name use-bootstrap
Name on the device mbed.UseBootstrap
Details Determines whether a device should attempt to bootstrap with the Device Management bootstrap service to receive initial configuration and certificates for the DTLS communications with Device Management:
* If set to 1, you must provide the rest of the bootstrap configuration.
* If set to 0, you must provide the LwM2M configuration instead.

Mandatory Yes
FCU configuration source Configuration file
KCM type Configuration parameter
Format in KCM Integer, 4 bytes, machine endianity, 1 (true), 0 (false)
Validations in FCU Present, boolean
Validations in FCC Present and size of 4 bytes

Bootstrap configuration

Note: Bootstrap configuration can be omitted if mbed.UseBootstrap is set to FALSE.

Tip: Bootstrap server information is available on Device Management Portal > Device identity > Server.

Bootstrap server URI

FCU parameter name bootstrap-server-uri or bootstrap-server-uri-first-to-claim
Name on the device mbed.BootstrapServerURI
Details The URI of the Device Management bootstrap service, which you can find on Device Management Portal.

The FCU parameter name is case dependent:
- If first-to-claim is false: bootstrap-server-uri
- If first-to-claim is true: bootstrap-server-uri-first-to-claim.



Mandatory/optional Mandatory only if mbed.UseBootstrap is true
FCU configuration source Configuration file
KCM type Configuration parameter
Format in KCM String
Validations in FCU - Present/absent based on use-bootstrap=true. URI with CoAP/CoAPs scheme.

- If first-to-claim is false: validate that it contains the aid query parameter
- If first-to-claim is true: validate it doesn't contain the aid query parameter


Validations in FCC - Present/absent based on mbed.UseBootstrap=true. URI with CoAP/CoAPs scheme.

- If mbed.FirstToClaim is false or doesn't exist: validate that it contains the aid query parameter
- If mbed.FirstToClaim is true: validate it doesn't contain the aid query parameter


Bootstrap server CA certificate

FCU parameter name bootstrap-server-ca-certificate-file
Name on the device mbed.BootstrapServerCACert
Details Certificate of the Device Management bootstrap server CA, which is used to sign the bootstrap server certificate. Because the bootstrap certificate itself is renewed periodically, the device is configured with a CA certificate, which signs the actual server certificate.
Mandatory/optional Mandatory only if mbed.UseBootstrap is true
FCU configuration source File referenced by the configuration file
KCM type Certificate
Format in KCM DER
Validations in FCU Present/absent based on use-bootstrap=true, valid supported-crypto-scheme
Validations in FCC Present, valid DER format

Bootstrap device certificate

FCU parameter name Folder derived from API parameter device_keys_location
Name on the device mbed.BootstrapDeviceCert
Details Factory assigned device credentials, which the device uses to authenticate with the bootstrap service, as required by the LwM2M 1.0 standard.
Mandatory/optional Mandatory only if mbed.UseBootstrap is true
FCU configuration source
Depends on device-key-generation-mode:
by_toolFCU generates internally (when FCU acts as a CA)
externally_suppliedFile BootstrapDeviceCert.der or BootstrapDeviceCert.pem in the device configuration folder (derived from API parameter device_keys_location).
Note: For certificate chains, only the PEM format is supported.
If a certificate chain is used, the length of chain stored on the device depends on the device-certificate-chain-depth configuration parameter.
If the FCU generates or signs certificate, the certificate chain is derived from the FCU certificate chain.
KCM type Certificate
Format in KCM DER
Validations in FCU
  • Present/absent based on use-bootstrap=true.
  • Not self-signed.
  • CA certificate valid-from < bootstrap device certification valid-from < now.
  • Expiration > 10y.
  • Valid supported-crypto-scheme.
  • ExtendedUsage=id-kp-clientAuth.
  • If a certificate chain, all certificates are validated for valid supported-crypto-scheme (a valid PEM formatted certificate chain is expected).
  • Validations in FCC
  • Present, valid DER format and not self-signed.
  • CA certificate valid-from < bootstrap device certification valid-from < now.
  • Expiration > 10y.
  • ExtendedUsage=id-kp-clientAuth.

    Note: If mbed.BootstrapDeviceCert is a certificate chain, the end-entity certificate is validated as described above. Every other certificate in the chain is validated to ensure that it signed by its predecessor (the previous certificate in the chain).

  • Bootstrap device private key

    FCU parameter name Folder derived from API parameter device_keys_location
    Name on the device mbed.BootstrapDevicePrivateKey
    Details Private key of factory-assigned device credentials, corresponding to the public key in the device bootstrap certificate.
    Mandatory/optional Mandatory only if mbed.UseBootstrap is true
    FCU configuration source
    Depends on device-key-generation-mode:
    by_toolFCU generates internally (when FCU acts as a CA)
    externally_suppliedFile BootstrapDevicePrivateKey.der or BootstrapDevicePrivateKey.pem in the device configuration folder (derived from API parameter device_keys_location)
    KCM type Private key Format in KCM DER Validations in FCU Present/absent based on use-bootstrap=true Validations in FCC Present, valid DER format and private key format

    LwM2M configuration

    Note: LwM2M configuration can be omitted if mbed.UseBootstrap is set to TRUE.

    Tip: LwM2M server information is available on Device Management Portal > Device identity > Server.

    LwM2M server URI

    FCU parameter name lwm2m-server-uri
    Name on the device mbed.LwM2MServerURI
    Details URI of the Device Management device management service, which you can find on the portal.
    Mandatory/optional Mandatory only if mbed.UseBootstrap is false
    FCU configuration source Configuration file
    KCM type Configuration parameter
    Format in KCM String
    Validations in FCU Present/absent based on use-bootstrap=false. URI with CoAP/CoAPs scheme, include the aid query parameter
    Validations in FCC Present, not empty and starts with coap

    LwM2M server CA certificate

    FCU parameter name lwm2m-server-ca-certificate-file
    Name on the device mbed.LwM2MServerCACert
    Details Certificate of the Device Management device management server CA, which is used to sign the device management server certificate. Because the server certificate itself is renewed periodically, the device is configured with the CA certificate that signs the actual server certificate.
    Mandatory/optional Only mandatory if mbed.UseBootstrap is false
    FCU configuration source File referenced by the configuration file
    KCM type Certificate
    Format in KCM DER
    Validations in FCU Present/absent based on use-bootstrap=false. Valid supported-crypto-scheme
    Validations in FCC Present, valid DER format

    LwM2M device certificate

    FCU parameter name Folder derived from API parameter device_keys_location
    Name on the device mbed.LwM2MDeviceCert
    Details Factory assigned device credentials, which the device uses to authenticate with the LwM2M management service, as required by the LwM2M 1.0 standard. If the bootstrap service is not used (UseBootstrap=FALSE), this certificate can't be renewed, and thus the expiration of the certificate must be set to 35 years.
    Mandatory/optional Only mandatory if mbed.UseBootstrap is false
    FCU configuration source
    Depends on device-key-generation-mode:
    by_toolFCU generates internally (when FCU acts as a CA)
    externally_suppliedFile LwM2MDeviceCert.der or LwM2MDeviceCert.pem in the device configuration folder (derived from API parameter device_keys_location).
    Note: for certificate chains only PEM format is supported.
    In case a certificate chain is used, the length of chain stored on the device depends on device-certificate-chain-depth configuration parameter.
    In case FCU generates or signs certificate, certificate chain is derived from FCU certificate chain.
    KCM type Certificate Format in KCM DER Validations in FCU
  • Present/absent based on use-bootstrap=false.
  • Not self-signed.
  • CA cert valid-from < LwM2M device certificate valid-from < now.
  • Expiration > 10y.
  • Valid supported-crypto-scheme.
  • ExtendedUsage=id-kp-clientAuth.
  • The OU sub-field of the subject match the aid provided as part of the LwM2M server URI.
  • If a certificate chain, all certificates are validated for valid supported-crypto-scheme (a valid PEM formatted certificate chain is expected).
  • Validations in FCC Present, valid DER format and not self-signed.
  • Present, valid DER format and not self-signed.
  • CA certificate valid-from < bootstrap device certification valid-from < now.
  • Expiration > 10y.
  • ExtendedUsage=id-kp-clientAuth.

    Note: If mbed.LwM2MDeviceCert is a certificate chain, the end-entity certificate is validated as described above. Every other certificate in the chain is validated to ensure that it signed by its predecessor (the previous certificate in the chain).

  • LwM2M device private key

    FCU parameter name Folder derived from API parameter device_keys_location
    Name on the device mbed.LwM2MDevicePrivateKey
    Details Private key of factory-assigned device LwM2M certificate, corresponding to the LwM2M public key certificate.
    Mandatory/optional Only mandatory if mbed.UseBootstrap is false
    FCU configuration source
    Depends on device-key-generation-mode:
    by_toolFCU generates internally (when FCU acts as a CA)
    externally_suppliedFile LwM2MDevicePrivateKey.der or LwM2MDevicePrivateKey.pem in the device configuration folder (derived from API parameter device_keys_location)
    KCM type Private key Format in KCM DER Validations in FCU Present/absent based on use-bootstrap=false Validations in FCC Present, valid DER format and private key format