I am trying to gain some understanding on the Device Authorization process.
The documentation is pretty good as shown here: Device Authentication
However, I am not able to grasp the part highlighted in bold about the device signing with a private key kept secretly on the device. I have provided the device with Identity Attributes, the public server.crt key and the artifact-verify-key.pem (for artifacts, and public). At which step is a private key provided/generated?
To obtain an auth token, the device sends an authentication request containing the identity attributes and its current public key. The request is signed with the respective private key (kept secret on the device), and the server uses the public key to verify the signature.
It can be found on your device at /data/mender/mender-agent.pem. This file is automatically generated on first boot if not present, which is why you might not be aware of it.
It doesn’t, which is why the initial connection is rejected until you explicitly accept the device. If you use preauthorization, you are basically ensuring that the server knows the certificate ahead of time; usually by generating it offline and then copying it into both the target filesystem and into the server.
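To make the flow from the quoted documentation and the two replies concrete, here is an added Go model of it. This is illustration code written for this thread, not Mender's own client or server code. It assumes the device keypair is RSA, that the request body carries the identity attributes and public key under the JSON names `id_data` and `pubkey`, and that the signature is RSA PKCS#1 v1.5 over SHA-256 of the body; those details are assumptions about the real protocol, while the structure (private key generated on the device and never sent, public key sent inside the signed body, server verifying with that key and then checking whether the key is already known) is what the thread describes. The identity attributes used are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// AuthRequest is the body the device sends; the field names are an assumption.
type AuthRequest struct {
	IDData string `json:"id_data"` // identity attributes, JSON-encoded
	PubKey string `json:"pubkey"`  // PEM-encoded public key
}

// GenerateDeviceKey stands in for the first-boot step that creates mender-agent.pem.
func GenerateDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicKeyPEM is the only key material the device ever sends to the server.
func PublicKeyPEM(priv *rsa.PrivateKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// BuildAuthRequest assembles the body: identity attributes plus the public key.
func BuildAuthRequest(identity map[string]string, pubPEM string) ([]byte, error) {
	idData, err := json.Marshal(identity)
	if err != nil {
		return nil, err
	}
	return json.Marshal(AuthRequest{IDData: string(idData), PubKey: pubPEM})
}

// SignRequest signs the body with the device's private key (PKCS#1 v1.5 / SHA-256 is an assumption).
func SignRequest(priv *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Server is a minimal stand-in for the device-auth service: it knows only preauthorized or accepted keys.
type Server struct {
	KnownKeys map[string]bool // public key PEM -> accepted
}

// HandleAuthRequest verifies the signature with the public key carried in the body. A bad
// signature is an error; a valid one from an unknown key yields false (device stays pending).
func (s *Server) HandleAuthRequest(body []byte, sigB64 string) (bool, error) {
	var req AuthRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false, err
	}
	block, _ := pem.Decode([]byte(req.PubKey))
	if block == nil {
		return false, fmt.Errorf("pubkey is not PEM")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("pubkey is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return false, fmt.Errorf("signature does not verify: %w", err)
	}
	return s.KnownKeys[req.PubKey], nil // true only if this exact key is already known
}

func main() {
	priv, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	pubPEM, _ := PublicKeyPEM(priv)
	body, _ := BuildAuthRequest(map[string]string{"mac": "00:11:22:33:44:55"}, pubPEM) // constructed identity
	sig, _ := SignRequest(priv, body)
	srv := &Server{KnownKeys: map[string]bool{}} // nothing preauthorized yet
	accepted, err := srv.HandleAuthRequest(body, sig)
	fmt.Println("unknown key: accepted =", accepted, "err =", err) // false <nil>: device is pending
}
```

Two things the model makes visible: the signature proves possession of the private key matching the public key inside the body, so a signature cannot be replayed onto a different identity payload or produced by another device's key; and signature validity alone does not authorize anything, because the server still has to recognise the key, which is exactly what preauthorization (or clicking accept) supplies.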