Certificate management policy

Certificate management policies define how device identities are authenticated and how communication is secured throughout the device lifecycle. They specify protocols, keypair generation methods, and the use of certificate profiles and issuing CAs. These policies also control certificate renewal and revocation.

By applying these policies, devices can securely authenticate and communicate with DigiCert® Device Trust Manager and other systems.

Certificate management methods

Certificate management policies define the methods and protocols that are allowed when issuing and managing certificates.

Table 1. Certificate management policy methods

Method | Description
Single certificate request through portal and API | Enables requesting or renewing certificates one at a time through the portal or API.
Batch certificate request through portal and API | Enables requesting multiple certificates in a single action, streamlining certificate management.
TrustEdge agent | Enables automated certificate provisioning and management.
EST (Enrollment over Secure Transport) | Enables secure certificate enrollment using EST.
CMPv2 | Enables issuing, renewing, or revoking certificates using CMPv2.
SCEP (Simple Certificate Enrollment Protocol) | Enables automated certificate enrollment at scale using SCEP.


Keypair generation settings

Certificate management policies define how keypairs are generated during the certificate request process. Keypairs can either be generated locally by the requestor or on the server side by DigiCert®.

Table 2. Certificate management policy keypair generation settings

Key generation setting | Description
Local keypair generation | Requestor generates the keypair locally and includes the public key in their Certificate Signing Request (CSR).
Server-side keypair generation | DigiCert® generates the keypair on behalf of the requestor when a certificate is requested.
Customizable keypair generation | Administrators can allow requestors to choose local or server-side keypair generation when making a request.
Default key type and size | Administrators can set a default key type and size (e.g., RSA 4096) for server-side keypair generation.
Key type and size selection | Requestor can be allowed to select the key type and size themselves during the certificate request process.
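As an added illustration (not Device Trust Manager's own code or API), the following Python models how the method settings in Table 1 and the keypair generation settings in Table 2 together constrain a single certificate request. The policy and request fields, and the table of permitted key sizes, are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of key types and sizes an administrator might permit.
ALLOWED_KEYS = {"RSA": {2048, 3072, 4096}, "ECDSA": {256, 384}}

@dataclass
class CertManagementPolicy:
    methods: set                          # enabled methods, e.g. {"EST", "SCEP"}
    keygen_modes: set                     # {"local"}, {"server"}, or both (customizable)
    default_key: Tuple[str, int] = ("RSA", 4096)  # default for server-side generation
    requestor_may_pick_key: bool = False  # the "Key type and size selection" setting

@dataclass
class CertRequest:
    method: str
    keygen: str                                       # "local" or "server"
    csr_public_key: Optional[Tuple[str, int]] = None  # (type, size) read from the CSR
    requested_key: Optional[Tuple[str, int]] = None   # requestor's choice, if allowed

def evaluate_request(policy: CertManagementPolicy, req: CertRequest):
    """Return (accepted, key_to_use) on success or (False, reason) on rejection."""
    if req.method not in policy.methods:
        return False, f"method {req.method} is not enabled by the policy"
    if req.keygen not in policy.keygen_modes:
        return False, f"{req.keygen} keypair generation is not enabled by the policy"
    if req.keygen == "local":
        # Local generation: the public key must come from the requestor's CSR.
        if req.csr_public_key is None:
            return False, "local keypair generation requires a CSR"
        key = req.csr_public_key
    elif policy.requestor_may_pick_key and req.requested_key is not None:
        key = req.requested_key           # server-side, requestor chose type and size
    else:
        key = policy.default_key          # server-side, administrator's default applies
    ktype, ksize = key
    if ksize not in ALLOWED_KEYS.get(ktype, set()):
        return False, f"key {ktype}-{ksize} is not permitted"
    return True, key

if __name__ == "__main__":
    policy = CertManagementPolicy(methods={"EST", "SCEP"}, keygen_modes={"local", "server"})
    # Local CSR with an allowed key: accepted, the CSR's key is used.
    print(evaluate_request(policy, CertRequest("EST", "local", csr_public_key=("RSA", 2048))))
    # Server-side with a requestor choice the policy does not allow: default RSA 4096 applies.
    print(evaluate_request(policy, CertRequest("EST", "server", requested_key=("ECDSA", 256))))
```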


Usage restrictions

Usage restrictions in a certificate management policy provide controls to limit when and from where certificates can be requested. These restrictions allow administrators to define specific operational parameters, ensuring tighter control over certificate issuance.

Device group association

Certificate management policies are applied to device groups. This allows Device Trust Manager to manage certificate issuance and renewal for large fleets of devices. A device group must have at least one certificate management policy to issue bootstrap certificates during device onboarding. Once a device is provisioned and assigned to a group, it will receive certificates according to the policy attached to that group.

Certificate profile and Issuing CA

Each certificate issued under a certificate management policy is linked to a certificate profile. The certificate profile defines certain aspects of the certificate, such as the subject distinguished name (DN), validity period, and any additional certificate extensions required by the issuing organization.

The Issuing CA (Certificate Authority) is responsible for signing the certificates. This authority ensures that the certificates are trusted and verifiable, typically using an intermediate CA with signing privileges. The issuing CA is specified in the certificate management policy, ensuring all certificates follow the organization's established trust hierarchy.