Securing your APIs using (client) certificates

In the next couple of days I’ll push a new release of both LoRa Server and LoRa App Server which will enable you to use client-side certificate authentication. Some certificate options are already available, but they were never fully implemented including client certificate authentication.

The flow in short:

  • You generate a set of certificates
  • You configure the LoRa Server API to use TLS (which will enable client certificate validation)
  • You configure the LoRa App Server API to use TLS (same…)

Then when creating or updating the network-server entity, you enter both the client certificates for LoRa App Server to connect to LoRa Server and LoRa Server to connect back to LoRa App Server.

In preparation I’ve creates some script so that you can create all certificates with one make command :slight_smile: I’ll also update the documentation to document this feature.

Note this feature is not yet released, but will be available in the next days.


Thanks for the greate work!

This has been released. Looking forward to your feedback on this :slight_smile:

The scripts make it very easy to generate the certs. Thanks.

BUT I AM BLOCKED. probably something in the configuration of the scripts needs to be changed.

-All components on local machine.
-certs created using scripts. CN for server certs is “localhost”. CN for client certs: ids used in the respective configurations. e.g. “010203” for loraserver. Allowed hosts : “”, “localhost”, “{pc name}”.
-config of componenets: path to certs set except for the network-controller (don’t know yet when this comes into play)

The moment the certs are set for the loraserver Network-server API, the lora-app-server is no longer running. N.B. the client certs for loraserver was copied to the lora-app-server’s folder. Did not copy the contents of the certificates in the Web UI because the lora-app-server doesn’t work anymore.

If you can tell me what might be the cause of this issue, I would be grateful

Plus this is what I get when I try to use the web api to add client certs:

N.B. the Lora Server api server certs have not been set in the config file because doing that causes the lora-app-server to stop running

Resolved my issues…

Could you share how you solved it? It could be valuable to other users :slight_smile:

Tried today to implement certificates on my chirpstack setup but it didnt work out.

I found it wery unclear in the documentation as to where in the config files all parts where supposed to be and googling wasnt helping.

I got som parts working but others didnt.

I would like to request som clearer examples of how the config files is supposed to look with all implemented as i find the docs at a bit confusing.

for now it ended with reverting to not using certs but i will try again.