Certificates

Device Trust Manager issues x.509 certificates to devices to establish secure communication and authenticate with the platform. During provisioning, a device receives a bootstrap certificate, which verifies the device's identity and initiates secure communication with Device Trust Manager. As the device continues to operate, it may request operational certificates for short-term, specific operations as needed throughout its lifecycle.

Table 1. Issued certificate use cases

Use case
Bootstrap certificate	A bootstrap certificate is a long-lived x.509 certificate. Bootstrap certificates typically have a validity period covering the device's lifespan—for example, ten years. These "birth" certificates enable devices to securely communicate with Device Trust Manager. Bootstrap certificates are also used to request operational certificates and during device onboarding. Important Make sure to store the private key in a TPM, Secure Element, or Trusted Execution Environment to protect against unauthorized access and tampering.
Operational certificate	An operational certificate is a short-lived x.509 certificate. Devices request operational certificates using their bootstrap certificate. Operational certificates may be used for cloud services or other external systems, have shorter validity periods, and can be revoked or reissued as needed. Notice Operational certificates are like temporary access badges for secure areas. They grant short-term permissions for a device to communicate with cloud services or external systems.

Use case

Bootstrap certificate

A bootstrap certificate is a long-lived x.509 certificate. Bootstrap certificates typically have a validity period covering the device's lifespan—for example, ten years. These "birth" certificates enable devices to securely communicate with Device Trust Manager. Bootstrap certificates are also used to request operational certificates and during device onboarding.

Important

Make sure to store the private key in a TPM, Secure Element, or Trusted Execution Environment to protect against unauthorized access and tampering.

Operational certificate

Certificate issuance and renewal

Device Trust Manager uses a range of protocols for certificate issuance and renewal, supporting both single and batch requests, as well as automatic renewals.

EST
SCEP
CMPv2
ACME
TrustEdge agent

Request a single device certificate

To perform this action, you must have a user role that contains the Device administrator permission.

Issuing a single device certificate request will be associated with a device record.

Before you begin:

Ensure that your Solution Administrator has already completed the following:

A device group is already created.
A certificate management policy has been created.
A CSV file containing device-specific details such as device name, description, and subject common name is present.

In the Device Trust Manager menu, go to Certificate management > Certificates.
Select Request certificate > Request a certificate for a device.
From the Device Group dropdown menu, select an appropriate device group.
From the Certificate management policy dropdown menu, select the certificate management policy associated with the device group.
On the Key generation type step:
Note
The Key generation type option is displayed based on your selection of the Device group and the Certificate management policy.
1. I have the keypairs and will provide the CSRs or public keys in the request:
  - Upload a CSV file or a zipped CSV containing the device data. You can download the provided template for formatting guidance.
2. Key pairs will be generated server side by this application, and the private key and certificate will be included in response:
  - Select the Key generation type dropdown menu.
Provide a Common name for the certificate.
Optionally, provide an Organization name.
Click Add Value to provide an organization unit value (optional).
Provide a Description (optional).
Click Submit certificate request.
Download the certificate after successful submission of the certificate request.

Request a single certificate

To perform this action, you must have a user role that contains the Device administrator permission.

Issuing a single certificate request will not be associated with a device record.

Before you begin:

A device group is already created.
A certificate management policy has been created.
A CSV file containing device-specific details such as device name, description, and subject common name.

In the Device Trust Manager menu, go to Certificate management > Certificates.
Select Request certificate > Request a certificate.
From the Certificate management policy dropdown menu, select an appropriate policy.
On the Key generation type step:
Note
The Key generation type option is displayed based on your selection of the Certificate management policy.
1. I have the keypairs and will provide the CSRs or public keys in the request:
  - Upload a CSV file or a zipped CSV containing the device data. You can download the provided template for formatting guidance.
2. Key pairs will be generated server side by this application, and the private key and certificate will be included in response:
  - Select the Key generation type dropdown menu.
Provide a Common name for the certificate.
Optionally, provide an Organization name.
Click Add Value to provide an organization unit value (optional).
Provide a Description (optional).
Click Submit certificate request.
Download the certificate after successful submission of the certificate request.

In this section: