This section is relevant only if you build the sample with TLS enabled.

The server CA for the default MQTT broker ( is provisioned to the network stack at runtime prior to establishing a connection to the server. The server CA (ca-cert.pem) is located in src/modules/transport/certs/. Ensure that if the server is changed, the CA needs to be updated as well.

To retrieve the server CA for a different MQTT broker, use the following command:

openssl s_client -connect <hostname>:<port> -showcerts -servername <hostname>

It is recommended to use the root (topmost) certificate of the returned certificate chain, as it is more stable. Intermediate certificates (located further down the chain) might change over time.


Provisioning of credentials at runtime is only meant for testing purposes. This must be avoided in a production scenario, especially if using client authenticated TLS where the private key will be exposed in flash.

To turn off runtime credential provisioning, disable either of the following Kconfig options:

The CA is provisioned to the security tag set by the CONFIG_MQTT_HELPER_SEC_TAG Kconfig option.

By default, the established TLS connection to the default MQTT broker ( does not require client authentication, which removes the need to provision client certificate and private key to the network stack. If the client certificate and private key has been generated for a server connection, the credentials must be provisioned the same way as the server CA. This occurs automatically when including the corresponding files src/modules/transport/certs/client-cert.pem and src/modules/transport/certs/private-key.pem.

To provision the certificates and the private key to the nRF9160 modem, complete the following steps:

  1. Download nRF Connect for Desktop.

  2. Update the modem firmware on the onboard modem of the nRF9160-based device to the latest version by following the steps in Updating the modem firmware.

  3. Build and program the nRF9160: AT Client sample to the nRF9160-based device as explained in Building and programming an application.

  4. Launch the LTE Link Monitor application, which is part of nRF Connect for Desktop.

  5. Click CERTIFICATE MANAGER located at the upper right corner.

  6. Copy the server root certificate into the CA certificate entry.

  7. Copy and paste the device certificate and the private key into the respective entries (Client certificate, Private key).

  8. Select a desired security tag (any positive integer in the range of 0 to 2147483647) and click Update certificates.


The default security tag set by the CERTIFICATE MANAGER 16842753 is reserved for communications with nRF Cloud. Overwriting this security tag entry will require you to flash new certificates if you want to establish a connection to the nRF Cloud.