Understanding Device Auth

Hello Mender Team,

I am trying to gain some understanding on the Device Authorization process.
The documentation is pretty good as shown here: Device Authentication

However, I am not able to grasp the part highlighted in bold about the device signing with a private key kept secretly on the device. I have provided to the device Identity Attributes, the public server.crt key and the artifact-verify-key.pem (for artifacts, and public). At which step is a private key provided/generated?

To obtain an auth token, the device sends an authentication request containing the identity attributes and its current public key . The request is signed with the respective private key (kept secret on the device), and the server uses the public key to verify the signature.

Would it be possible to explain this step?

By the way, thanks for the excellent support.

It can be found on your device /data/mender/mender-agent.pem. This file is automatically generated on first boot if not present and hence why you might not be aware of it.

You can also provide your own keys by following,


Well, that was straight to the point.
Very much appreciated!

As a follow up, if it is generated on boot, how does the server knows the public one?

It doesn’t which is why the initial connection is rejected until you explicit accept the device. If you use preauthorization, you are basically ensuring that the server knows the certificate ahead of time; usually by generating it offline and then copying into both the target filesystem and into the server.

Hi Mirzak and Drew,

All clear and checked.
Thank you for the explanation!