Skip to main content

Migrate from CIS API to Device Trust Manager

DigiCert​​®​​ will deprecate the Certificate Issuance Service (CIS) API hosted in DigiCert CertCentral® platform on April 30, 2027. For customers using the CIS API for IoT and embedded device use cases, DigiCert​​®​​ recommends migrating to DigiCert® Device Trust Manager on the DigiCert® ONE platform.

Device Trust Manager is built for device and IoT certificate management use cases. It supports the core certificate lifecycle functions available through the CIS API and adds broader certificate management capabilities through APIs, a web portal, batch certificate requests, and standard protocols such as Enrollment over Secure Transport (EST) , Certificate Management Protocol (CMPv2) , Simple Certificate Enrollment Protocol (SCEP) , and Automated Certificate Management Environment (ACME) .

What this means for customers

Device Trust Manager supports the same core certificate lifecycle operations currently used in the CIS API for IoT and device trust workflows, including:

  • Certificate issuance

  • Certificate download

  • Certificate revocation

In addition, Device Trust Manager provides:

  • A web-based UI portal

  • Batch certificate requests

  • Support for standard certificate management protocols:

    • EST

    • CMPv2

    • SCEP

    • ACME

Key dates

  • Now to April 30, 2027 : Migration to Device Trust Manager. Once your migration has been completed and you are confident that issuance is working from Device Trust Manager, certificate issuance from your CIS account will be disabled.

  • April 30, 2027 : Certificate issuance through the CIS API will be disabled for all accounts.

  • After April 30, 2027 : Revocation and download of certificates previously issued through the CIS API will remain available until those certificates expire.

What changes

When you migrate from the CIS API to Device Trust Manager, you should expect changes in the following areas:

  • API endpoint URLs

  • Header parameters

  • Request and response formats

  • Certificate profile reference IDs

  • Error responses

  • Authentication credentials and API access management

You will need to update any scripts, tools, or integrations that currently connect to the CIS API so they work with the Device Trust Manager APIs.

What does not change

The following remain unchanged as part of this migration:

  • Existing certificates remain valid until they expire.

  • Your root CA continues to operate as it does today.

  • OCSP and CRL behavior remains the same.

  • Revocation for certificates issued through the CIS API remains available until those certificates expire.

  • You can issue certificates from both platforms in parallel during migration.

Recommended migration path

DigiCert​​®​​ recommends the following migration approach:

  1. Create a Device Trust Manager account in DigiCert® ONE.

  2. Decide on your Issuing CA strategy.

  3. If required, DigiCert​​®​​’s PKI Admin team will generate a new Issuing CA from your private root CA in an offline key ceremony.

  4. Create new certificate templates and certificate profile IDs in Device Trust Manager.

  5. Update your scripts and tooling to use the new API URLs, API headers, and request and response formats.

  6. Test certificate issuance and lifecycle operations in parallel.

  7. Cut over production issuance to Device Trust Manager.

  8. Retain the CIS API only for legacy certificate download and revocation as needed.

Issuing CA strategy

You can continue using your existing root CA. For Issuing CAs, DigiCert​​®​​ supports two approaches.

Option 1: Use new Issuing CAs in DigiCert® ONE

This is the recommended option.

DigiCert​​®​​ can sign new Issuing CAs from your existing root CA and host them within the CA service in DigiCert® ONE. This gives Device Trust Manager native access to certificate management and provides the greatest flexibility for managing certificate templates, certificate profiles, and lifecycle workflows.

Option 2: Continue using your existing Issuing CAs in CertCentral

Device Trust Manager supports a CA connector to your CertCentral account. With this approach, you can continue issuing certificates from an Issuing CA hosted in CertCentral.

This option may reduce migration effort, but it bypasses some of the native flexibility available in Device Trust Manager, including customization of certificate extensions through Device Trust Manager certificate templates and certificate profiles.

Frequently asked questions

How will this affect certificates already issued on my CIS account?

Certificates already issued through the CIS API are not affected. They remain active until they expire.

Can I still use my existing root CA?

Yes. There is no change to the operation of your root CA. You can continue to use it to validate certificates previously issued through the CIS API, and you can also use it to validate certificates issued through Device Trust Manager.

Can I still use my existing Issuing CAs?

Yes. You can either:

  • Create new Issuing CAs from your existing root CA and use them in DigiCert® ONE, which is the recommended approach, or

  • Continue issuing from your existing Issuing CAs in CertCentral by using the Device Trust Manager CA connector.

The recommended option gives you the most flexibility in Device Trust Manager.

Will I still be able to revoke certificates issued through the CIS API?

Yes. Revocation services for certificates issued through the CIS API will remain available until those certificates expire.

What APIs are provided by the CIS API, and are the same capabilities available in Device Trust Manager?

The CIS API supports these core functions:

  • Certificate issuance

  • Certificate download

  • Certificate revocation

Device Trust Manager supports the same core functionality and more. However, the API structure differs between the two platforms, so integration changes are required.

Will I be able to issue certificates from both the CIS API and Device Trust Manager in parallel?

Yes. You can use both platforms in parallel during migration. Issuing certificates from Device Trust Manager does not affect your ability to continue issuing certificates through the CIS API before the deprecation date.

Will certificates issued through the CIS API be visible in my Device Trust Manager account?

No. Certificates issued through the CIS API are not visible in Device Trust Manager.

What do I need to change in my integration to move from the CIS API to Device Trust Manager?

You should plan for changes to:

  • API URLs

  • header parameters

  • request and response formats

  • certificate profile reference IDs

  • error responses

  • authentication configuration

Certificate status support, including revocation checking, remains the same.

Is there a migration deadline, and what happens on April 30, 2027?

Yes. On April 30, 2027 , certificate issuance through the CIS API will be disabled.

After that date:

  • New certificate issuance through the CIS API will no longer be available.

  • Revocation of previously issued certificates will remain available until those certificates expire.

  • Download of previously issued certificates will remain available until those certificates expire.

Can DigiCert​​®​​ help migrate my existing certificate profiles and issuance workflows?

Yes. DigiCert​​®​​ can create certificate templates and assist with creating certificate profiles in your Device Trust Manager account to match the certificates you currently issue through the CIS API.

You are responsible for updating your scripts, integrations, and tooling to use the Device Trust Manager APIs.

Will my existing automation scripts continue to work unchanged?

No. Existing scripts and automation that call the CIS API for certificate issuance must be updated to use Device Trust Manager APIs before the deprecation date.

After certificate issuance is disabled in the CIS API, issuance requests sent to the CIS API will fail.

Can I revoke certificates issued from both systems in one place?

No. Certificates issued through the CIS API must be revoked through the CIS API. Certificates issued through Device Trust Manager must be revoked through Device Trust Manager. There is no single interface for revoking certificates issued from both systems.

Will OCSP and CRL behavior change for existing or newly issued certificates?

No. OCSP and CRL behavior remains the same across both platforms.

Next steps

DigiCert​​®​​ recommends that customers using the CIS API for IoT or device trust workflows begin planning their migration to Device Trust Manager now.

Suggested next steps:

  • Review your current CIS API integrations.

  • Decide on your Issuing CA strategy.

  • Prepare your Device Trust Manager account and configuration objects.

  • Update your automation and API integrations.

  • Test issuance and certificate lifecycle operations in parallel.

  • Plan your production cutover before April 30, 2027 .

For migration assistance, contact your DigiCert​​®​​ account representative.

In diesem Abschnitt: