
Part 2: Configure Device Trust Manager

To perform this action, you must have a user role that contains the Solution administrator permission.

Now that the initial access is set up, the next step is to configure DigiCert® Device Trust Manager for secure device management. This section helps you create divisions, define authentication policies, and set up certificate profiles.

Objectives

  • Set up authentication policies to manage device access.

  • Add certificate templates, configure certificate profiles, and create certificate management policies for certificate issuance.

Before you begin

To start initial configuration of Device Trust Manager, complete the following steps:

Step 1: Create a division

  1. In the Device Trust Manager menu, go to Divisions.

  2. Select Create division.

  3. Enter a Name for the division and, optionally, a description.

  4. Select a Primary zone from the dropdown under the Rendezvous zones section.

  5. (Optional) Select a Secondary zone from the dropdown under the Rendezvous zones section as a backup.

  6. Click Create new division.

Step 2: Create an authentication policy

Authentication policies support multiple credentials, including passcodes, authentication certificates, and authentication CAs.

Tip

A single authentication policy can be assigned to multiple device groups and certificate management policies.

  1. In the Device Trust Manager menu, go to Authentication management > Authentication policies.

  2. Click Create authentication policy.

  3. Select Create new authentication policy to save.

Step 3: Add a passcode to your authentication policy

Passcodes are one method of authenticating devices and certificate requests over protocols such as SCEP, EST, and CMPv2.

  1. In the Device Trust Manager menu, go to Authentication management > Passcodes.

  2. Select Create passcode.

  3. Enter a Name and, optionally, a description.

  4. Under Assign or create an authentication policy, choose the policy created in Step 2: Create an authentication policy.

  5. If necessary, configure additional passcode settings for authentication, usage restrictions, and so on.

  6. Select Create passcode to save.

    Alternatively, select your authentication policy from the Authentication policies list and add a passcode to it there.

Important

When using a passcode for API authentication, make sure to set the header to x-passcode instead of x-api-key.

Step 4: Create a certificate management policy

Creating a certificate management policy involves adding a Certificate template, creating a Certificate profile, and then creating a Certificate management policy through the Certificate settings wizard.

Note

This topic creates both a bootstrap and an operational certificate management policy. We recommend using the same settings as given in the following steps.

Create a certificate management policy for bootstrap certificates

  1. In the Device Trust Manager menu, go to Certificate management > Certificate settings > Certificate templates.

  2. Select Create.

  3. Select the existing Basic TLS Certificate Template.

    Tip

    As you’re setting up the Device Trust Manager for the first time, this topic helps you get started quickly. To keep things simple, we recommend choosing the Basic TLS Certificate Template, which has been created and customized for you.

    Notice

    Certificate templates are created and customized for your organization by DigiCert®. If no certificate templates appear on the Certificate templates page, or if you require modifications or a new template, contact your DigiCert® account representative.

  4. When done, proceed to select Create certificate profile to create a certificate profile.

  5. Under Configure certificate profile section, enter a Name for the certificate profile.

  6. Select if All divisions can use this certificate profile or only Specific divisions.

  7. Under the Certificate management model, select Policy will be used for secure device lifecycle management. This option requires an Advanced license.

  8. Under the Certificate management methods, select Single certificate request through portal and REST API and register a single device.

    Tip

    As you’re setting up the Device Trust Manager for the first time, this topic helps you get started quickly. To keep things simple, we recommend choosing the above two parameters.

  9. When done, select Next.

  10. Verify the summary of the certificate management policy settings you selected.

  11. Select an Issuing CA.

  12. Under the Keypair generation settings, select Server-side keypair generation.

    DigiCert® generates the keypair for certificate issuance. When selecting this option, specify the default key type and size, such as RSA 2048 or P-256.

  13. When done, select Next.

  14. Select Create certificate management policy to create a bootstrap certificate management policy.

Create a certificate management policy for operational certificates

  1. In the Device Trust Manager menu, go to Certificate management > Certificate settings > Certificate templates.

  2. Select Create.

  3. Select the existing Basic TLS Certificate Template.

  4. Select the existing Certificate profile and proceed to the Certificate management policy creation section to create an operational certificate management policy.

  5. On the General settings section, enter a Name for the operational certificate policy.

  6. Select a Division.

  7. Under the Certificate management model, select Policy will be used for secure device lifecycle management. This option requires an Advanced license.

  8. Under Certificate management methods, select DigiCert TrustEdge agent.

  9. When done, select Next.

  10. Verify the summary of the certificate management policy settings you selected.

  11. Select an Issuing CA.

  12. Under the Keypair generation settings, select Local keypair generation.

    Tip

    The requestor generates the keypair locally and includes the public key in their Certificate Signing Request (CSR). This is recommended for TrustEdge management-based operational certificates.

  13. When done, select Next.

  14. Under the Certificate management method settings page, expand the Manage certificates using the DigiCert TrustEdge Agent section:

    1. Select the required Certificate request format from the dropdown menu.

    2. Under Define how the agent will generate certificate values, expand Add optional certificate attribute fields and select one or more certificate attribute fields, for example Common name.

    3. Select Use an expression evaluated by the TrustEdge agent to provide a certificate value and provide the required value.

      For example, for MAC Address, provide the value ##mac_address##.

  15. Under Private key generation, select Client-side software.

  16. When done, select Create certificate management policy to create an operational certificate management policy.

Review your progress

At this stage, Device Trust Manager is configured with divisions, authentication policies, and certificate management policies (bootstrap and operational certificates). You should now have:

  • A division created to organize devices and other entities

  • Authentication policies and passcodes set up for secure access

  • Certificate profiles and management policies defined for controlled certificate issuance

What’s next?

Continue to Part 3: Set up device management to configure your device management structure.