
The evolution of IoT Trust Manager

Since DigiCert® acquired Mocana in 2022, we have been investing in our IoT solutions to help connected product manufacturers build secure devices and comply with industry regulations. These include:

  • Mocana Embedded Trust Manager for IoT device management.

  • DigiCert® IoT Trust Manager for IoT certificate management.

When speaking with customers, it was clear they wanted a simplified, single-pane-of-glass experience that encompassed functionality from both platforms. In response, we announced that we will be transitioning these existing solutions into a single, consolidated solution called DigiCert® Device Trust Manager, built on the robust DigiCert® ONE platform. This transition reflects the natural evolution toward a unified, modern foundation for device management, certificate lifecycle management, and post-quantum readiness for IoT.

Starting mid-2026, DigiCert will begin transitioning customers from IoT Trust Manager (IoT TM) to Device Trust Manager.

This topic explains what’s changing, why it matters, and what customers should expect.

What’s in it for our customers?

100% feature-parity for certificate issuance.

All certificate issuance capabilities in IoT Trust Manager are fully supported in Device Trust Manager, including:

Note

You will not lose any certificate issuance functionality as part of this transition.

Automatic synchronization of IoT Trust Manager objects

As part of this transition, the following objects will automatically synchronize to Device Trust Manager and will be available in Device Trust Manager under Certificate management:

  • Licenses

  • Certificate templates

  • Certificate profiles

  • Enrollment profiles

  • Issued certificates

  • Device profiles

  • Devices

  • Other objects

No manual re-creation of any of the above is required.

All IoT Trust Manager concepts remain the same, except for Enrollment profiles.

In IoT Trust Manager, Enrollment profiles manage both authentication and certificate issuance. In Device Trust Manager, these are separated into:

This separation allows the same credentials to be used across multiple certificate policies.

To simplify migration, a default authentication policy will be created automatically for you when migrating your Enrollment profiles.

A more capable platform

All new features, enhancements, and fixes will be delivered only in Device Trust Manager. This provides:

  • Faster feature delivery

  • Improved performance and scale

  • Simplified user experience

  • One platform for device and certificate management

Certificate settings are now managed through a simplified Certificate settings experience in the web portal.

See how we have been actively investing in Device Trust Manager by reviewing the Release notes.

Licensing:

To provide new, advanced device management features for customers while providing core certificate issuance to existing customers, Device Trust Manager offers two subscription plans:

  • Essentials: For customers who need device identity certificates, including CSA Matter DAC and C2PA claim signing certificates. This plan is suitable when a single certificate is required per device.

  • Advanced: Supports multiple certificates per device and full lifecycle management. This plan is designed for devices that require ongoing updates and multiple credentials.

For more information, see Licensing and plans.

What is the process?

Web portal:

  • Your user accounts will receive access to Device Trust Manager. You can open Device Trust Manager in the web portal using the app switcher icon (grid icon) and selecting Device Trust.

  • Most IoT Trust Manager functionality now appears under Certificate management in Device Trust Manager.

  • You will be able to view all your IoT Trust Manager configuration objects in the Certificate management section of Device Trust Manager.

  • All IoT Trust Manager configuration objects and issued certificates are synchronized every hour.

  • You can create new configurations and issue certificates directly in Device Trust Manager using the web portal or APIs.

  • Configuration done in Device Trust Manager, and certificates issued from Device Trust Manager, will not be synchronized back to IoT Trust Manager.

  • IoT Trust Manager's Device profiles and Device records will become Device groups and Devices in Device Trust Manager.

  • Later in 2026, customers will be cut over in batches. You will receive 30 days’ notice by email and a portal banner. After the cutover:

    • The IoT Trust Manager web portal becomes read-only.

    • All configuration and certificate issuance move to Device Trust Manager.

APIs:

IoT Trust Manager APIs: For users of IoT Trust Manager APIs, there will be some impacts depending on which APIs you use:

Certificate Issuance APIs: To ensure there is no impact to deployed devices and factory systems, the following IoT Trust Manager certificate issuance APIs will continue to function as-is and will redirect to your account in Device Trust Manager until the end of 2027. After that, they’ll be retired. This transition period is designed to give customers enough time to update their devices and factory workflows to the Device Trust Manager APIs:

  • REST (POST https://{server}/iot/api/v1/certificate)

  • EST

  • SCEP

  • ACME

  • CMPv2

However, IoT Trust Manager issuance APIs will no longer receive new features or bug fixes. All future development is focused on the Device Trust Manager APIs. Most Device Trust Manager APIs closely match their IoT Trust Manager counterparts, making migration straightforward. Customers are strongly encouraged to migrate their certificate issuance workflows well before the end of 2027.

Management APIs:

IoT Trust Manager management APIs let you programmatically create configuration objects like Certificate profiles, Enrollment profiles, and other related settings.

The new Device Trust Manager management APIs replace and expand these capabilities. Key improvements include:

  • Clear separation of certificate and device concepts:

    • Before: Payloads required a device_profile.

    • Now: Device and certificate settings are decoupled, with a stronger focus on authentication and enrollment policies (for example, authentication_policy).

  • A richer enrollment and certificate management model:

    • Before: Only enrollment_methods were supported.

    • Now: A dedicated certificate_management_methods section makes lifecycle workflows clearer, more flexible, and supports multiple options.

  • New policy‑driven security controls: Structured policy blocks, such as authentication_policy and est_request_parameters, provide more explicit, policy‑based configuration instead of a flat set of flags.

Examples of impacted IoT Trust Manager management APIs include:

Table 1. Management APIs - IoT Trust Manager vs Device Trust Manager

| IoT Trust Manager | Device Trust Manager | Notes |
| --- | --- | --- |
| {server}/iot/api/v1/certificate-profile | /devicetrustmanager/certificate-configuration-service/api/v1/certificate-profile | Direct functional replacement |
| {server}/iot/api/v1/enrollment-profile | /devicetrustmanager/certificate-configuration-service/api/v2/certificate-policy and /devicetrustmanager/authentication-service/api/v1/authentication-policy | Enrollment profile is now split into two objects: Certificate management policy and Authentication policy |
| Etc. | | Additional management APIs follow similar mappings |


Note

  • After the cutover date, IoT Trust Manager management REST APIs will no longer be available. However, IoT Trust Manager certificate issuance APIs will continue to operate during the transition period.

  • If you use management APIs to create configuration objects, you’ll need to migrate to Device Trust Manager management APIs before the cutover.

  • In summary, any REST API that isn’t used for certificate issuance is considered a management API—and it will be impacted.
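An added example (not DigiCert code) for assessing your exposure: it scans log or source lines for IoT Trust Manager REST calls and sorts them by the rule above, using only the paths listed on this page. The log format, host name and `placeholder-resource` are constructed, and treating sub-paths like their listed resource is an assumption.

```python
import re
from collections import Counter

# Only the REST paths listed on this page are used; nothing else is assumed to exist.
ISSUANCE = ("POST", "/iot/api/v1/certificate")  # redirected until the end of 2027
REPLACEMENTS = {  # IoT Trust Manager path -> Device Trust Manager path(s)
    "/iot/api/v1/certificate-profile": (
        "/devicetrustmanager/certificate-configuration-service/api/v1/certificate-profile",
    ),
    "/iot/api/v1/enrollment-profile": (
        "/devicetrustmanager/certificate-configuration-service/api/v2/certificate-policy",
        "/devicetrustmanager/authentication-service/api/v1/authentication-policy",
    ),
}
CALL_RE = re.compile(r"\b(GET|POST|PUT|PATCH|DELETE)\s+https?://[^/\s]+(/iot/api/v1/[\w./-]*)")

def classify(method, path):
    """Return (kind, replacement_paths) for one IoT Trust Manager REST call."""
    path = path.rstrip("/")
    if (method, path) == ISSUANCE:
        return "issuance", ()
    # Conservative reading of the page's rule: anything else is management (disabled at cutover).
    for old, new in REPLACEMENTS.items():
        # Assumption: sub-paths of a listed resource map to the same replacement.
        if path == old or path.startswith(old + "/"):
            return "management", new
    return "management", ()  # replacement not listed on the page

def audit(lines):
    """Count calls per (method, path, kind) in free-form log or source lines."""
    seen = Counter()
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            method, path = m.group(1), m.group(2).rstrip("/")
            seen[(method, path, classify(method, path)[0])] += 1
    return seen

# Constructed sample lines; host and "placeholder-resource" are placeholders.
SAMPLE = [
    "08:00:01 factory-line POST https://iot.example.test/iot/api/v1/certificate 201",
    "08:05:10 ci-job POST https://iot.example.test/iot/api/v1/enrollment-profile 201",
    "08:05:11 ci-job GET https://iot.example.test/iot/api/v1/certificate-profile/ 200",
    "08:06:00 ci-job GET https://iot.example.test/iot/api/v1/placeholder-resource 200",
]

if __name__ == "__main__":
    for (method, path, kind), n in sorted(audit(SAMPLE).items()):
        print(n, kind, method, path, "->", ", ".join(classify(method, path)[1]) or "not listed")
```

Every line reported as `management` identifies a caller that must move to the Device Trust Manager management APIs before the cutover date.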

Timeline

Now:

Assess whether you’re using any IoT Trust Manager management APIs. If you are, begin planning your migration to Device Trust Manager management APIs.

Migration begins (Mid‑2026):

Customer cutovers will start in mid‑2026 and continue in batches throughout the year.

Before cutover:

You’ll receive a notification 30 days before your cutover:

  • Email sent to DigiCert ONE account users

  • Banner displayed in the IoT Trust Manager dashboard

After cutover:

  • IoT Trust Manager portal: Moves to read‑only

  • IoT Trust Manager management REST APIs: Disabled

  • IoT Trust Manager certificate issuance APIs (EST, SCEP, ACME, CMPv2, and REST): Continue to work as‑is and will be redirected to Device Trust Manager until the end of 2027

Frequently asked questions (FAQs)

After cutover, can I switch back to IoT Trust Manager?

No.

What if I can’t migrate to the Device Trust Manager management APIs before the cutover?

This situation should be rare, but we’ll work with you to understand any blockers and help where possible. Contact your DigiCert account representative.

Do I need to manually migrate my certificates or profiles?

No. Licenses, certificate templates, certificate profiles, enrollment profiles, and issued certificates automatically synchronize to Device Trust Manager.

How will IoT Trust Manager licenses map to Device Trust Manager?

Licensing will align with how you use device records today:

  • If you track and manage devices, you’ll move to the Advanced (device-based) model.

  • If you primarily issue certificates without device tracking, you’ll use the Essentials (certificate-only) model.

To support this, IoT Trust Manager will introduce a setting to disable device record creation. This removes the need to configure Device profiles or map certificate fields to device names, and improves performance by eliminating unnecessary device data.

This “do not use device records” setting can be applied:

  • At the account level (all enrollment profiles stop creating device records)

  • Per enrollment profile (allowing mixed use cases)

If device records aren’t disabled before migration, device usage will migrate into Device Trust Manager as Devices in a Device Group, consuming Advanced licenses.

If device records are disabled, Enrollment profiles migrate to Certificate management policies, and certificate issuance consumes Essentials licenses with no device record created.

Will my devices stop enrolling for certificates?

No. Existing IoT Trust Manager certificate issuance protocols (EST, SCEP, ACME, CMPv2, REST) will continue working as‑is and will redirect to Device Trust Manager until the end of 2027.

Do I need to change my APIs immediately?

  • If you use management APIs, you must update your systems before your cutover date.

  • Certificate issuance APIs will continue functioning and redirect to Device Trust Manager until the end of 2027. However, we recommend migrating early to benefit from better performance, scalability, and ongoing enhancements.

Is there any loss of functionality?

No. Device Trust Manager offers full feature parity for certificate issuance, along with additional platform capabilities, simpler workflows, and improved performance.

If I create configuration items in Device Trust Manager, will they sync back to IoT Trust Manager?

No. Synchronization is one‑way, from IoT Trust Manager to Device Trust Manager.

Next steps

We recommend customers:

We’ll share more details as we approach the migration start in mid‑2026.