Just-in-time registration and provisioning
To perform this action, you must have a user role that contains the Solution administrator permission.
Just-in-time (JIT) registration in DigiCert® Device Trust Manager allows devices to securely register and provision themselves at runtime. Instead of embedding unique credentials during manufacturing, devices use a shared claim credential to authenticate in the field. Once authenticated, each device receives its own unique birth and operational certificates.
Why JIT
For many OEMs and manufacturers, embedding unique credentials for every device during production isn’t practical. This limitation makes it difficult to scale secure device onboarding.
JIT registration and provisioning addresses this challenge. Devices can authenticate with a shared passcode or certificate, and then automatically receive unique credentials when they connect to the internet.
Benefits of JIT
Reduced manufacturing complexity: Avoids the need to embed unique per-device credentials at production time.
Improved security: Issues unique device certificates (birth and operational). Supports using keys stored in secure elements on the device.
Faster time-to-market: Simplifies OEM workflows while meeting secure onboarding requirements.
JIT registration workflow
Boot: Device boots with a shared credential:
The device starts with a common claim credential (such as a passcode or a shared certificate).
This credential is the same across a batch or product line.
Connect: Device connects to the onboarding service:
The device establishes a secure connection to Device Trust Manager.
The shared credential is used to request registration.
Validate: Service validates the claim:
Device Trust Manager authenticates the shared credential.
If valid, the device is authorized to register.
Issue credentials: Unique credentials are issued:
The device receives a unique birth certificate.
Operational certificates are provisioned for runtime use.
Keys can be bound to secure elements if available.
Onboard: Device is onboarded:
From this point on, the device no longer uses the shared credential.
All future operations rely on the unique device certificates.
Enable JIT registration and provisioning for your devices
Perform the following steps to enable just-in-time registration and provisioning for your devices:
Create an authentication policy. See Create an authentication policy.
Add an authentication certificate to your authentication policy.
This authentication credential is a claim credential that will be preloaded on the device during manufacturing. It can be a passcode or a certificate.
For the purpose of this tutorial, we’ll use a certificate-based authentication method for device registration and provisioning.
In the Device Trust Manager menu, go to Authentication management > Authentication policies.
Provide a name for your authentication certificate.
Select the Authentication policy that you have created.
Under How will you authenticate devices for this certificate?, upload your certificate for device authentication.
Select Add authentication certificate.
Create a division. See Create a division.
Create a certificate profile. See Create a certificate profile.
Also, define the certificate parameters that will be issued to devices. For example, key type, validity, extensions. Enable at least one subject attribute from the available list.
Create a certificate management policy:
Certificate management policy defines how certificates, including bootstrap certificates and operational certificates, are issued, renewed, and revoked for devices. Devices must use a bootstrap certificate to authenticate with the Rendezvous service. The bootstrap certificate allows the devices to request short-lived X.509 operational certificates.
As part of this tutorial, we will be creating a bootstrap as well as an operational certificate policy.
Use the settings given in the following steps.
Create a certificate management policy for bootstrap certificates:
In the Device Trust Manager menu, go to Certificate management > Certificate management policies.
Select Create certificate management policy to open the General settings of the certificate management policy wizard.
Provide a Name for the certificate management policy.
For example, cert-management-policy-bootstrap
Choose a Division to assign the policy to.
Select the required Certificate management model.
From the Certificate management methods, choose EST (Enrollment over Secure Transport).
Optionally, you can also select Single certificate request through portal and REST API to register a single device.
Optionally, select the Authentication policy you just created.
Select Next to proceed to the Certificate settings page.
Select an End entity certificate profile (defines the certificate structure, including subject fields, extensions, and validity period) or an intermediate certificate profile (signs the certificates issued under this policy).
Select an Issuing CA from the available options.
This is the Certificate Authority that will sign the certificates issued under this policy.
Set the Keypair generation preferences. You can choose whether the private key is generated on the device or on the server side and passed to the device in the response to the EST certificate request. Generate the key on the device when it is to be held in a secure element; a server-generated key has to be transported to the device.
Select Next to proceed to Usage Restrictions to define them.
Allowed IP addresses: Toggle on and enter each IP address, IP address range, or wildcard IP address that is permitted to request certificates.
Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.
Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.
Select Finish to complete the certificate management policy.
The bootstrap policy you created is listed under Certificate management policies.
Create a certificate management policy for operational certificates:
In the Device Trust Manager menu, go to Certificate management > Certificate management policies.
Select Create certificate management policy to open the General settings of the certificate management policy wizard.
Provide a Name for the certificate management policy.
For example, cert-management-policy-operational.
Choose a Division to assign the policy to.
Select the required Certificate management model.
From the Certificate management methods, choose DigiCert TrustEdge agent.
Optionally, select the Authentication policy you just created.
Select Next to proceed to the Certificate settings page.
Select an End entity certificate profile (defines the certificate structure, including subject fields, extensions, and validity period) or an intermediate certificate profile (signs the certificates issued under this policy).
Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.
Set the Keypair generation preferences. You can choose whether the private key is generated on the device or on the server side and passed to the device in the response to the certificate request.
Select Next to proceed to Certificate management method settings page.
Select CSR-PKCS10 for the Certificate request format.
Under Define how the agent will generate certificate values, select Use an expression evaluated by the TrustEdge agent to provide a certificate value and provide the required value. For example, for MAC Address, provide ##mac_address##.
Under Private key generation, select Client-side software.
Select Create.
The operational policy you created is listed under Certificate management policies.
Create a device group and assign the bootstrap certificate management policy that you have already created. See Create a device group and assign a certificate management policy.
Also assign the operational certificate management policy that you have already created.
Perform the following steps to obtain the EST enroll endpoint to use it with an EST client:
In the Device Trust Manager menu, go to Device management > Device groups.
Select the device group you have already created.
Go to the Policy assignments tab.
Select the bootstrap policy you have created.
Click View details under General information > EST.
Copy and note down the Enroll endpoint URL.
Your EST enroll URL should resemble the following example:
https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_cc90aefb-6a52-4d48-b1f6-ed155a790843/device-group/c8f4e799-f41d-45ca-9166-399a59ae2637/simpleenroll
Note
If you are using a device group with the certificate management policy, the device group ID is included in the URL (the device-group/<id> path segment in the example above).
TrustEdge includes the EST client that will be used for registering and requesting bootstrap certificates.
For a detailed procedure on installing TrustEdge, see Install TrustEdge on Linux.
Perform the following steps to start the EST enrollment process:
Copy the authentication certificate (the claim credential) to the /etc/digicert/keystore/certs directory. This is the authentication certificate you uploaded when you created your authentication policy.
Copy the authentication key to the /etc/digicert/keystore/keys directory.
Note
Use an alias for both the authentication certificate and the key. Both files must have the same name even though their contents differ: one contains the certificate, the other contains the private key.
Create a certificate signing request (CSR) configuration file in the /etc/digicert/keystore/conf directory, for example sample_est_csr.conf:
nano /etc/digicert/keystore/conf/sample_est_csr.conf
Insert the following CSR configuration content:
# Subject
countryName=US
commonName=test-iot-device-001-docs
stateOrProvinceName=CA
localityName=MV
organizationName=DigiCert
organizationalUnitName=Engineering
# Requested Extensions
isCA=false
# certPathLen=-1
keyUsage=digitalSignature keyEncipherment
##subjectAltNames=numSANs; value1, type1; valueN, typeN
##subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
Press Ctrl+O → Enter to save the CSR configuration content.
Press Ctrl+X to exit.
Before you can request a certificate using EST, you first need to download a copy of the Certificate Authority (CA) certificate for the EST endpoint. Without this certificate, the TrustEdge EST client will not trust this endpoint.
The following examples use demo.one.digicert.com. However your hostname may be different. See Platform IP addresses and URLs for a list of platform hostnames by region.
Run the following command to download the TLS Root CA certificate:
wget https://cacerts.digicert.com/DigiCertGlobalRootCA.crt --directory-prefix=/etc/digicert/keystore/ca/
For example, when connecting to the US region (one.digicert.com), download DigiCertGlobalRootCA.crt.
Run the following command to verify that the file has been downloaded successfully:
ls /etc/digicert/keystore/ca/
Download the EST CA certificates that are used to validate the issued certificates.
Export the EST host and retrieve the CA certificates from the cacerts endpoint:
export EST_HOST="clientauth.demo.one.digicert.com"
trustedge certificate est -host ${EST_HOST} -url /.well-known/est/devicetrustmanager/${CMPPOLICYID}/device-group/${DEVICE_GROUP_ID}/cacerts
Replace ${CMPPOLICYID} with the ID of the certificate management policy you obtained (IOT_cc90aefb-6a52-4d48-b1f6-ed155a790843 in the example enroll URL above).
Replace ${DEVICE_GROUP_ID} with the device group ID you obtained (c8f4e799-f41d-45ca-9166-399a59ae2637 in the example). Both values appear in the enroll endpoint URL you copied.
Run the following command to start the EST enrollment process and register the device:
sudo trustedge certificate est -host ${EST_HOST} -url /.well-known/est/devicetrustmanager/${CMPPOLICYID}/device-group/${DEVICE_GROUP_ID}/simpleenroll -mtls AUTHCERT -a RSA -s 2048 -i sample_est_csr.conf --log-level VERBOSE --key-alias "EccTestKey"
Replace ${CMPPOLICYID} with the certificate management policy ID and ${DEVICE_GROUP_ID} with the device group ID, as in the previous step.
Replace AUTHCERT with the alias of the authentication certificate that you copied to the /etc/digicert/keystore/certs directory (the key of the same name is read from /etc/digicert/keystore/keys).
Replace sample_est_csr.conf with the name of your CSR configuration file.
--key-alias "EccTestKey" is a sample name for the key pair and certificate that this enrollment produces; choose any alias you like.
Verify that the following files have been created in their respective directories:
/etc/digicert/keystore/certs/EccTestKey.pem
/etc/digicert/keystore/certs/EccTestKey.der
The matching private key is stored as /etc/digicert/keystore/keys/EccTestKey.pem and is used in the next step.
Run the following command to download the bootstrap configuration file, authenticating with the bootstrap certificate and key issued in the previous step:
curl -s -k --location https://${EST_HOST}/devicetrustmanager/api/v4/bootstrap-config/download --cert /etc/digicert/keystore/certs/EccTestKey.pem --key /etc/digicert/keystore/keys/EccTestKey.pem --header 'Accept: application/octet-stream' --output jitr_device_1601_bootstrap_config.zip --write-out %{http_code}
Where jitr_device_1601_bootstrap_config.zip is the name of the zip file that you choose. The command prints the HTTP status code; expect 200.
Note that -k disables verification of the server's TLS certificate. Drop it once the DigiCert root is present in the system trust store (it ships with most Linux distributions), or pass the root certificate to curl with --cacert instead, so that the bootstrap configuration cannot be served by an impersonating host.
Run the following command to configure TrustEdge with the device’s bootstrap configuration zip file:
sudo trustedge agent --configure --trustedge-user trustedge --trustedge-group trustedge --bootstrap-zip ./<bootstrap-config.zip>
Note
If TrustEdge agent is already running as a service, this command will display a warning indicating that the service needs to be stopped. To proceed, stop the TrustEdge agent service, and then run the above command. For more information, see TrustEdge agent as a service.
Run the following command to initialize TrustEdge agent:
sudo systemctl start trustedge.service
Note
What happens when you run this command? TrustEdge agent connects to Device Trust Manager to retrieve pending certificates or software updates, processes them, and enters a sleep state. TrustEdge agent then periodically repeats this process according to the settings specified in the trustedge.json configuration file. You can watch this process in real time with the following command:
journalctl -f -u trustedge.service
Run the following command to verify that the policies have been applied by checking the configuration file.
cat /etc/digicert/conf/*policy.json
The output should confirm that the certificate management policy was executed as part of the provisioning process.
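The enrollment and bootstrap steps above, as one added shell script that is not part of DigiCert's documentation or of TrustEdge: it factors the policy ID, device group ID and aliases into variables, adds two preflight checks a practitioner wants before enrolling (the claim certificate and key share an alias; the CSR configuration is sane), and then runs the same trustedge and curl commands shown above. The keystore layout and the trustedge and curl flags are taken from this page; the est_url helper, the check functions and the assumption that the system trust store already contains the DigiCert root (so curl needs no -k) are mine.

```shell
#!/bin/sh
# Added example (not DigiCert's code): preflight checks plus the JIT enrollment
# sequence from this page, with the IDs factored into variables.
# Assumptions: the default TrustEdge keystore layout (/etc/digicert/keystore/
# {certs,keys,conf}) and the trustedge/curl flags exactly as shown on the page.
KEYSTORE="${KEYSTORE:-/etc/digicert/keystore}"

# Builds the EST path. The policy ID (IOT_...) and the device group ID are
# both taken from the enroll endpoint URL copied from the device group page.
est_url() {
  printf '/.well-known/est/devicetrustmanager/%s/device-group/%s/%s' "$1" "$2" "$3"
}

# The EST client finds the claim credential by alias: certs/<alias> and
# keys/<alias> must both exist under the same name.
check_claim_alias() {
  [ -r "$KEYSTORE/certs/$1" ] && [ -r "$KEYSTORE/keys/$1" ]
}

# Sanity-checks a CSR config before enrolling: a commonName, isCA=false
# (a device must never be issued a CA certificate), a keyUsage, and any active
# subjectAltNames line whose declared count matches the entries after it.
# Lines starting with # or ## are comments and are ignored.
check_csr_conf() {
  conf="$1"
  [ -r "$conf" ] || { echo "missing CSR config $conf" >&2; return 1; }
  active=$(grep -v '^[[:space:]]*#' "$conf" || true)
  printf '%s\n' "$active" | grep -q '^commonName=..*' \
    || { echo "commonName missing" >&2; return 1; }
  printf '%s\n' "$active" | grep -q '^isCA=false$' \
    || { echo "isCA must be false for a device certificate" >&2; return 1; }
  printf '%s\n' "$active" | grep -q '^keyUsage=..*' \
    || { echo "keyUsage missing" >&2; return 1; }
  san=$(printf '%s\n' "$active" | grep '^subjectAltNames=' | head -n 1)
  if [ -n "$san" ]; then
    declared=$(printf '%s' "$san" | sed 's/^subjectAltNames=[[:space:]]*\([0-9]*\).*/\1/')
    entries=$(printf '%s' "$san" | awk -F';' '{ print NF - 1 }')
    [ "$declared" = "$entries" ] \
      || { echo "subjectAltNames declares $declared entries but lists $entries" >&2; return 1; }
  fi
}

# Full sequence: cacerts, simpleenroll with the claim credential over mTLS,
# then fetch the bootstrap config with the newly issued bootstrap certificate.
# Usage: sh jit_enroll.sh run <est-host> <policy-id> <group-id> <claim-alias> <csr-conf> <key-alias>
run_enrollment() {
  host="$1"; policy="$2"; group="$3"; claim="$4"; conf="$5"; alias="$6"
  check_claim_alias "$claim" || { echo "claim cert/key alias '$claim' incomplete" >&2; return 1; }
  check_csr_conf "$KEYSTORE/conf/$conf" || return 1
  trustedge certificate est -host "$host" -url "$(est_url "$policy" "$group" cacerts)" || return 1
  sudo trustedge certificate est -host "$host" \
    -url "$(est_url "$policy" "$group" simpleenroll)" \
    -mtls "$claim" -a RSA -s 2048 -i "$conf" --log-level VERBOSE --key-alias "$alias" || return 1
  # The issued bootstrap certificate and its private key are stored under the new alias.
  [ -r "$KEYSTORE/certs/$alias.pem" ] && [ -r "$KEYSTORE/keys/$alias.pem" ] \
    || { echo "enrollment did not produce $alias.pem" >&2; return 1; }
  # No -k here: server verification relies on the system trust store containing
  # the DigiCert root (assumption); use --cacert <pem> instead if it does not.
  status=$(curl -s --location "https://$host/devicetrustmanager/api/v4/bootstrap-config/download" \
    --cert "$KEYSTORE/certs/$alias.pem" --key "$KEYSTORE/keys/$alias.pem" \
    --header 'Accept: application/octet-stream' \
    --output "${alias}_bootstrap_config.zip" --write-out '%{http_code}')
  [ "$status" = "200" ] || { echo "bootstrap config download failed: HTTP $status" >&2; return 1; }
  echo "bootstrap config saved to ${alias}_bootstrap_config.zip"
}

if [ "${1:-}" = "run" ]; then
  shift
  run_enrollment "$@"
fi
```

Run it as `sh jit_enroll.sh run clientauth.demo.one.digicert.com IOT_<policy-id> <device-group-id> <claim-alias> sample_est_csr.conf EccTestKey`; the resulting zip is what you pass to `trustedge agent --configure --bootstrap-zip` in the next step. The checks fail closed: a claim alias with only the certificate copied, or a CSR config that would request a CA certificate, stops the script before any network request is made.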
In the Device Trust Manager, go to Device management > Devices.
In the devices table, locate the device and confirm that the Device state is Provisioned and the Connection status is Connected.
Select the device to view its details.
On the Certificates tab, confirm the presence of the bootstrap certificate.