Certificate management policy
Certificate management policies define how device identities are authenticated and how communication is secured throughout the device lifecycle. They specify protocols, keypair generation methods, and the use of certificate profiles and issuing CAs. These policies also control certificate renewal and revocation.
With these policies in place, devices can securely authenticate to and communicate with DigiCert® Device Trust Manager and other systems.
Certificate management methods
Certificate management policies define the methods and protocols that are allowed when issuing and managing certificates.
Method | Description |
---|---|
Single certificate request through portal and API | Enables requesting or renewing certificates one at a time through the portal or API. |
Batch certificate request through portal and API | Enables requesting multiple certificates in a single action, streamlining certificate management. |
TrustEdge agent | Enables automated certificate provisioning and management. |
EST (Enrollment over Secure Transport) | Enables secure certificate enrollment using EST. |
CMPv2 | Enables issuing, renewing, or revoking certificates using CMPv2. |
SCEP (Simple Certificate Enrollment Protocol) | Enables automated certificate enrollment at scale using SCEP. |
Keypair generation settings
Certificate management policies define how keypairs are generated during the certificate request process. Keypairs can either be generated locally by the requestor or on the server side by DigiCert®.
Key generation setting | Description |
---|---|
Local keypair generation | Requestor generates the keypair locally and includes the public key in their Certificate Signing Request (CSR). |
Server-side keypair generation | DigiCert® generates the keypair on behalf of the requestor when a certificate is requested. |
Customizable keypair generation | Administrators can allow requestors to choose local or server-side keypair generation when making a request. |
Default key type and size | Administrators can set a default key type and size (e.g., RSA 4096) for server-side keypair generation. |
Key type and size selection | Requestor can be allowed to select the key type and size themselves during the certificate request process. |
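A hypothetical policy evaluator, added here as an example and not part of Device Trust Manager, that models the method and keypair generation settings above: which methods are allowed, who generates the keypair, and whether a requestor's key selection or CSR public key satisfies the policy's key type and size. The class and field names, the sample policy values, and the rule that a CSR key is checked against the same allowed set as a server-side selection are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Key = Tuple[str, int]  # (key type, size in bits), e.g. ("RSA", 4096)

@dataclass(frozen=True)
class CertManagementPolicy:  # hypothetical model of the policy fields on this page
    allowed_methods: FrozenSet[str]   # e.g. {"EST", "SCEP", "CMPv2"}
    keygen_mode: str                  # "local", "server" or "customizable"
    default_key: Key                  # applied for server-side generation
    allowed_keys: FrozenSet[Key]      # key types/sizes a requestor may use or select
    requestor_may_select_key: bool    # the "key type and size selection" switch

@dataclass(frozen=True)
class CertRequest:
    method: str
    wants_server_keygen: bool = False     # honoured only when keygen_mode is customizable
    csr_key: Optional[Key] = None         # key parsed from the CSR public key, if a CSR was sent
    requested_key: Optional[Key] = None   # explicit key type/size selection, if any

def evaluate(policy: CertManagementPolicy, req: CertRequest) -> Tuple[bool, str, Optional[Key]]:
    """Return (accepted, reason, key the certificate will bind).
    Assumed rule: the key is checked against allowed_keys whether it arrived in a CSR
    or was selected for server-side generation, so a CSR cannot sidestep the restriction."""
    if req.method not in policy.allowed_methods:
        return False, f"method {req.method!r} not permitted by policy", None
    # Customizable mode lets the requestor choose; otherwise the policy decides.
    server_side = req.wants_server_keygen if policy.keygen_mode == "customizable" else policy.keygen_mode == "server"
    if server_side:
        if req.csr_key is not None:
            return False, "server-side generation: request must not carry a CSR public key", None
        if req.requested_key is None:
            return True, "server generates the policy default key", policy.default_key
        if not policy.requestor_may_select_key:
            return False, "requestor may not select key type/size under this policy", None
        if req.requested_key not in policy.allowed_keys:
            return False, f"selected key {req.requested_key} not in allowed set", None
        return True, "server generates the requestor-selected key", req.requested_key
    # Local generation: the public key must arrive in the CSR and satisfy policy.
    if req.csr_key is None:
        return False, "local generation requires a CSR carrying the requestor's public key", None
    if req.csr_key not in policy.allowed_keys:
        return False, f"CSR key {req.csr_key} not in allowed set", None
    return True, "CSR public key accepted", req.csr_key

# Constructed sample policy: EST and SCEP only, customizable keygen, RSA 4096 default.
SAMPLE_POLICY = CertManagementPolicy(
    allowed_methods=frozenset({"EST", "SCEP"}), keygen_mode="customizable",
    default_key=("RSA", 4096), allowed_keys=frozenset({("RSA", 4096), ("EC", 384)}),
    requestor_may_select_key=True)
```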
Usage restrictions
Usage restrictions in a certificate management policy provide controls to limit when and from where certificates can be requested. These restrictions allow administrators to define specific operational parameters, ensuring tighter control over certificate issuance.
Device group association
Certificate management policies are applied to device groups. This allows Device Trust Manager to manage certificate issuance and renewal for large fleets of devices. A device group must have at least one certificate management policy to issue bootstrap certificates during device onboarding. Once a device is provisioned and assigned to a group, it will receive certificates according to the policy attached to that group.
Certificate profile and Issuing CA
Each certificate issued under a certificate management policy is linked to a certificate profile. The certificate profile defines certain aspects of the certificate, such as the subject distinguished name (DN), validity period, and any additional certificate extensions required by the issuing organization.
The issuing CA (Certificate Authority) signs the certificates, which is what makes them trusted and verifiable; this is typically an intermediate CA with signing privileges. The issuing CA is specified in the certificate management policy, so all certificates follow the organization's established trust hierarchy.