Skip to main content
Skip table of contents

Certificate based authentication

ClearBlade IoT Enterprise supports public key (asymmetric) and mTLS device authentication types.

Public key (asymmetric) authentication

A device must create a private/public key pair. The private key is only left local on the device, while the public key is uploaded to the ClearBlade IoT Enterprise system’s device record.

See Creating key pairs to create the key pair.

To authenticate, the device will construct a JSON Web Token (JWT) based on the private key and present that on the MQTT authentication or REST endpoint’s connect packet. The JWT is used in place of the standard ClearBlade auth token.

  • The device uses the private key to sign the JWT. The token is passed to ClearBlade IoT Core as proof of the device's identity.

  • The service uses the device’s public key (uploaded before the JWT is sent) to verify the device's identity.

To add the public key to the device, use the following steps and example images:

  1. Find the device in the system’s device table:


  2. Right-click the device’s gear icon and choose Public Keys, then click the Add button:

  3. Pick the appropriate key format:

    ClearBlade IoT Core supports the RSA and elliptic curve algorithms. For details on key formats, see Public key format.


ClearBlade IoT Enterprise requires these reserved claim fields. They may appear in any order in the claim set.



Required for


Issued at: The timestamp when the token was created, specified as seconds since 00:00:00 UTC, January 1, 1970. The server may report an error if this timestamp is too far in the past or future (allowing 10 minutes for skew).



Expiration: The timestamp when the token stops being valid, specified as seconds since 00:00:00 UTC, January 1, 1970. The token’s maximum lifetime is 24 hours + skew.

  • The server will close all MQTT connections a few seconds after the token expires (allowing for skew) because MQTT cannot refresh credentials. A new token must be minted to reconnect. Because of the allowed skew, the token’s minimum lifetime will be equal to the acceptable clock skew.

  • Each HTTP request must include a JWT, regardless of expiration time.

  • Clients in Network Time Protocol (NTP) capable devices can use the Google Public NTP Server to keep the device clock synchronized; the authentication requirement is to keep the clock synchronized with an up to 10-minute skew.



System key: This must be a single string containing the ClearBlade registry’s system key. This can be obtained by clicking the API keys button at the top-right of the ClearBlade Registry Details page.



User ID: This must be a single string containing the deviceId.



User type: This must be an integer hard-coded to value 3.


The optional nbf(not before) claim will be ignored.

A JSON representation of the required reserved fields in a ClearBlade IoT Core JWT claim set is shown below:

  "aud": "my-project",
  "iat": 1509654401,
  "exp": 1612893233

Only devices will be supported with this method.

Client type

Client ID

Username field

Password field

New ClearBlade client via JWT



JWT token with sk, uid, and ut claims

The Python file shows an example of generating a JWT for the MQTT client’s password.


Devices may connect using an mTLS approach to gain their access token. ClearBlade handles mTLS auth and TLS termination.

The mTLS configuration will be valid for all systems running in the IoT Enterprise instance.

Currently, no user interface administration is available to manage the loaded certificates. All certificates must be loaded to the server via API calls.


The device name must be the cn (common name) in the cert presented. The platform verifies that the certificate passed in is for the device.



GET, PUT (upsert), and DELETE support. Admin only.


Body required:

{"root_ca": "certificate in PEM format. <required>", "crl": "certificate revocation list in PEM format. <optional>"}

Returns nil on success


No query support. Get the latest mTLS settings in JSON:

{"root_ca": "certificate in PEM format", "crl": "certificate revocation list in PEM format"}


No query support. Deletes mTLS settings.


GET, POST, and DELETE support. Admin only.


Use to revoke a certificate. Body required:

“certificate_hash”: "sha256 hash of the ASN.1 DER format of the certificate <required>",
"description": <optional>

Returns nil on success.


Query supported. An empty query gets all revoked certificates, including those that match the query.

{"id": <id1>, "certificate_hash": <certificate1_hash>, "timestamp": <timestamp1>},
{"id": <id2>, "certificate_hash": <certificate2_hash>, "timestamp": <timestamp2>}


Query supported. An empty query deletes all revoked certificates and returns nil on success.


A device can authenticate (i.e., receive a token) using mTLS by sending an HTTP POST request to port 444 of the relevant URL.

The following curl can be used as an example:

curl -X POST "" -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"system_key": "yourSystemKey", "name": "yourDeviceName"}' --cert "path/to/yourDeviceCert.pem" --key "path/to/yourDeviceKey.pem"

The returned response will contain a device token.

Similarly, this Python code can be used as an example:

import requests

url = ""
headers = {"Content-Type": "application/json", "Accept": "application/json"}
data = '{"system_key": "yourSystemkey", "name": "yourDeviceName"}'
resp =, headers=headers, data=data, verify=True, cert=("path/to/yourDeviceCert.pem", "path/to/yourDeviceKey.pem"))

deviceToken = str(resp["deviceToken"])

ALPN (Application Layer Protocol Negotiation)

ClearBlade supports mTLS authentication for devices connecting via MQTT using ALPN on port 444. The ALPN protocol name is clearblade_mqtt_mtls. Device Just-in-Time (JIT) provisioning is also supported. A Root CA certificate must be added via the mTLS admin endpoints before connecting devices via mTLS.

To connect to MQTT using mTLS, the device needs to set the following in the MQTT Connect packet:

  1. The Username field must be a stringified JSON object with the device name set, amongst other column values, if required for JIT provisioning. For example: '{"name": "myDevice"}'

  2. The Password field must contain the system key.

Here’s a Python example using the Paho MQTT client:

from __future__ import print_function
import sys
import ssl
import time
import datetime
import logging, traceback
import paho.mqtt.client as mqtt
IoT_protocol_name = "clearblade_mqtt_mtls"
cb_iot_endpoint = "<CLEARBLADE_URL>" # For example
username = '{"name": "device-1"}'
password = "<SYSTEM_KEY>"
logger = logging.getLogger()
handler = logging.StreamHandler(sys.stdout)
log_format = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
def ssl_alpn():
        #debug print opnessl version"open ssl version:{}".format(ssl.OPENSSL_VERSION))
        ssl_context = ssl.create_default_context()
        ssl_context.load_cert_chain(certfile=cert, keyfile=private)
        return  ssl_context
    except Exception as e:
        print("exception ssl_alpn()")
        raise e
if __name__ == '__main__':
    topic = "test/date"
        mqttc = mqtt.Client(client_id="<CLIENT_ID>")
        ssl_context= ssl_alpn()
        mqttc.username_pw_set(username=username, password=password)"start connect")
        mqttc.connect(cb_iot_endpoint, port=444)"connect success")
        while True:
            now ='%Y-%m-%dT%H:%M:%S')
  "try to publish:{}".format(now))
            mqttc.publish(topic, now)
    except Exception as e:
        logger.error("exception main()")
        logger.error("e obj:{}".format(vars(e)))
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.