Authentication
Management API
Certificate APIs
Device Trust Manager offers various APIs for device management and certificate issuance, each supporting multiple authentication methods.
The following table lists authentication options by API
Category | API | Purpose | Controlled by | Authentication options |
|---|---|---|---|---|
Management | REST | Device Trust Manager management tasks such as creating divisions, certificate management policy, device groups, Devices, and so on. | DigiCert® Account Manager |
|
Certificate | REST | Certificate issuance/renewal | Device Trust Manager Authentication policy |
|
Certificate | EST | Certificate issuance/renewal | Device Trust Manager Authentication policy |
|
Certificate | SCEP | Certificate issuance/renewal | Device Trust Manager Authentication policy |
|
Certificate | ACME | Certificate issuance/renewal | Device Trust Manager Authentication policy |
|
Certificate | CMPv2 | Certificate issuance/renewal | Device Trust Manager Authentication policy | ACME credentials |
Management API
The Management API allows connected product platforms and manufacturing systems to interact with Device Trust Manager. Use this API to perform administrative and device management tasks such as creating divisions, certificate management policies, device groups, and devices.
See the Swagger specification for a full list of supported operations.
Authentication options
Authentication certificate: A client authentication X.509 certificate used for mutual TLS (mTLS). The API client includes the trusted certificate in the request. Add the
clientauthprefix to the base URL for the endpoint. (For example,https://clientauth.one.digicert.com). Do not include thex-api-keyheader.API key: Use the
x-api-keyHTTP header to authenticate requests.
Create and manage authentication certificates and API keys in Account Manager.
Tip
Although an API key and an authentication certificate can be created for users, DigiCert® recommends creating a Service User (service account) with an API key or an authentication certificate. This will ensure API keys and certificates remain valid even if a user leaves your organization.
For more details on REST APIs, see the Get started section in the Developer guides.
Certificate APIs
Devices and factory systems can request or renew X.509 certificates through the Certificate APIs. Device Trust Manager supports numerous industry standard certificate issuance/renewal APIs, including:
EST - See Configure and use EST
SCEP - See Configure and use SCEP
REST - See Configure and use REST
CMPv2 - See CMPv2-Certificate Management Protocol version 2
ACME - See Automated Certificate Management Environment Protocol (ACME)
You can configure different types of authentication options for the Certificate APIs through Device Trust Manager Authentication policies.
The following authentication options are available:
Passcode: An HTTP header
x‑passcodein your request that is used in API clients to authenticate.Authentication certificate: A single x.509 certificate that is used in API clients to perform mutual TLS (mTLS) authentication. The API client includes the trusted certificate in the request. The client must add the prefix
clientauthto the base URL for the endpoint (for example, https://clientauth.one.digicert.com). Do not include thex-passcodeheader.Authentication CA: Similar to Authentication certificate, with the exception that you upload a CA certificate in this case. Device Trust Manager trusts any API client that presents a certificate signed by the CA certificate.
ACME credential: An asymmetric keypair. This is only applicable when using ACME.
Both Passcodes and Authentication certificates support configuring additional properties to control how and when the credentials are used. These properties ensure that authentication can be fine-tuned for different requirements.
Usage limits: Specifies the number of times a credential can be used.
Valid from/Valid to: Defines the period during which the credential is valid.
Registered values: Defines specific certificate subject information that must match when the credential is used.
Authentication policies can be assigned to a Certificate management policy and/or a Device group. See Authentication policy management.