Skip to main content

Request a certificate for unmanaged devices

To perform this action, you must have a user role that contains the Device administrator permission.

Use this workflow to request a certificate that isn't associated with a device record in Device Trust Manager.

Unlike certificate requests for managed devices, Unmanaged device certificates are issued without creating or referencing a device. This option is designed for organizations that need certificate-based device identities but don't require device inventory, lifecycle management, or device tracking.

This is designed for organizations that only need device identity certificates, such as:

  • CSA Matter Device Attestation Certificates (DACs)

  • C2PA claim signing certificates

  • Manufacturing and provisioning workflows

  • Device identity certificates that don't require ongoing device management

When you request an Unmanaged device certificate, Device Trust Manager issues only the certificate. No device record is created.

Nota

Requesting a certificate for unmanaged devices consume an Essentials license.

Before you begin

  • Make sure your account has the Device administrator permission.

  • Also verify that your Solution Administrator has already completed the following setup tasks:

  1. In the Device Trust Manager menu, go to Certificate management > Certificates.

  2. Select Certificate actions > Request certificate.

  3. From the Certificate request page, select Request certificate for > Unmanaged device.

  4. From the Certificate management policy list, select the policy associated with the device group.

  5. On the Key generation type step, choose one of the available options:

    1. I have the keypair and will provide the CSR or public key in the request:

      • Choose this option if you already have a key pair. You must upload a CSV file or a ZIP file containing the device data.

      • If needed, download the provided template to ensure the file is formatted correctly.

    2. Key pairs will be generated on the server side by this application, and the private key and certificate will be included in response:

      Choose this option if you want Device Trust Manager to generate the key pair for you.

    Sugerencia

    Key generation type behavior

    The Key generation type option is dynamically displayed based on the selected Device group and the associated Certificate management policy. Only the key generation methods that are supported by the chosen combination are presented to you.

  6. Provide a Common name for the certificate.

  7. Optionally, provide an Organization name.

  8. Optionally, select Add Value to add one or more Organizational Unit values.

  9. Optionally, enter a Description.

  10. Select Submit certificate request.

What happens next

After the certificate request is successfully processed:

  • The certificate is issued

  • No device record is created or associated with the certificate

  • You can download the certificate from Device Trust Manager

  • If server-side key generation was selected (Key pairs will be generated on the server side by this application, and the private key and certificate will be included in response),the response also includes the generated private key.

Example scenario

A device manufacturer needs to issue CSA Matter Device Attestation Certificates (DACs) during production. Because the certificates are used only to establish device identity and don't require lifecycle management, certificate requests for unmanaged devices provide a simple way to issue certificates without creating device records.