Part 6: Create a cloud platform policy

Objectives

Onboard your device with Azure Event Grid MQTT Broker.
Securely connect your device with certificate-based MQTT client authentication.
Automatically provision your device through the DigiCert® Device Trust Manager's cloud platform policy feature.

Before you begin

You must have an active Microsoft Azure subscription with permissions to create and manage Event Grid namespaces and resources.

Microsoft Azure Event Grid MQTT Broker:

Create an MQTT Broker namespace:
For creating an MQTT Broker namespace, see Create, view, and manage namespaces on the Azure Event Grid documentation page.
Enable certificate-based MQTT authentication:
For configuring Microsoft Azure to authenticate MQTT clients using X.509 certificates, see the MQTT client authentication using certificates on the Azure Event Grid documentation page.
Establish TLS Trust with Azure Event Grid:
To ensure a secure TLS connection between the device and the Azure Event Grid, the device must trust the Event Grid endpoint’s server certificate.
- Retrieve the TLS certificate chain from the Event Grid endpoint using the following command:
```
openssl s_client -connect <eventgrid-endpoint>:443 -showcerts
```
- Install the root and intermediate CA certificates on the device at the following location:
```
/etc/digicert/keystore/ca
```
Configure and keep the following details from your Azure account:
- Tenant ID
  To get a Tenant ID, you must register your application in Microsoft Entra ID. See Register an application in Microsoft Entra ID.
- Client secret (this is used if the authentication includes identity-based integration)
  To create a client secret for your registered application, see Create a new client secret.
- Resource Group
  You must assign the required Azure roles to your registered application. To assign the required permissions and roles, see Assign Azure roles using the Azure portal.
Collect and keep the following configuration details from your Azure account:
- Azure subscription ID
- Event Grid namespace
- Client ID

Device Trust Manager

Create a division.
Create a certificate management policy for bootstrap certificates for initial identity provisioning.
Create a certificate management policy for operational certificates for runtime authentication.
Create a device group and assign certificate management policies.
- A Bootstrap certificate management policy is required for initial identity provisioning.
- An Operational certificate management policy is required for runtime authentication.

Step 1: Create a cloud platform policy

To create a cloud platform policy:

Sign in to DigiCert® ONE as a Solution Administrator.
In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.
In the Device Trust Manager menu, select Cloud platform policies.
Click Create cloud platform policy.
Specify a Cloud platform Policy name.
Select an Issuing CA from the dropdown list.
Download the Issuing CA certificate.
Register the Issuing CA certificate with Azure Event Grid Services.
To register, follow the instructions mentioned in MQTT client authentication using certificates.
Select the Set up certificate issuance checkbox.
Click Next to add an MQTT broker.

Step 2: Add a Microsoft Azure Event Grid MQTT Broker

Next, add a Microsoft Azure Event Grid MQTT broker:

Navigate to the Add MQTT broker tab.
Click Add MQTT broker.
Follow the on-screen instructions and provide the required configuration details from your Azure account for use in Device Trust Manager.
Click Platform Onboarding Test once you provide all the required configuration details from your Azure account to verify if the configuration parameters provided by you are correct to add a cloud platform policy.
Click Add broker to add an MQTT broker.

Step 3: Configure the cloud platform policy

To configure a cloud platform policy:

Navigate to the Configure cloud platform policy tab.
Optional (assign the cloud platform policy to a division).
Click Add assignment to select the certificate management policy that will issue X.509 certificates for device authentication with the MQTT broker.
From the Device Group dropdown menu, select a device group.
- The devices you select in this group will have their device identity created in the MQTT broker, and will be assigned an MQTT endpoint to connect.
- Based on the device group you select, the operational management policy certificate associated with it is automatically displayed in the Operational Certificate Management Policy dropdown menu.
Click Create cloud platform policy.
Upon successful creation of the cloud platform policy, the policy appears under the Completed policies list.

In this section: