Skip to main content

Authentication policy

ヒント

Migrating from enrollment profiles? DigiCert​​®​​ IoT Trust Manager uses enrollment profiles to manage both credentials and certificate issuance. Device Trust Manager separates these functions into an authentication policy, which handles device authentication, and a certificate management policy, which controls certificate handling. This change allows the same credentials to be applied across multiple certificate management policies, offering greater flexibility and control.

Authentication policies in Device Trust Manager specify the credentials devices must use when requesting certificates. These policies can be applied to both device groups and certificate management policies to ensure that the correct credentials are applied to the right devices and protocols. These policies allow administrators to manage authentication at scale while maintaining security and flexibility across different certificate issuance protocols.

Supported credential types

Authentication policies can be used to specify a variety of credential types to define how devices authenticate for certificate requests.

1. Authentication policy supported credential types

Credential type

Description

Passcode

Typically a temporary code that can be used for limited or one-time authentication. Passcodes can be restricted by usage limits and validity periods.

Authentication certificate

Certificates issued to devices for secure, certificate-based authentication. These can also include usage limits and date constraints.

Authentication CA

Certificates issued by a Certificate Authority (CA). Devices can either share the same certificate or use unique ones issued by the CA. No usage limits apply to this method.

ACME credentials

ACME-based credentials used specifically for certificate management via the ACME protocol.


Credential properties

Both passcodes and authentication certificates support configuring additional properties to control how and when the credentials are used. These properties ensure that authentication can be fine-tuned for different requirements.

  • Usage limits: Specifies the number of times a credential can be used.

  • Valid from/Valid to: Defines the time period during which the credential is valid.

  • Registered values: Defines specific certificate subject information that must match when the credential is used.

Applying authentication policies

Authentication policies can be applied to both device groups and certificate management policies.

  • Device group: When an authentication policy is applied to a device group, it governs which credentials devices within that group must use to authenticate when requesting certificates. This setup allows administrators to assign specific authentication methods—such as passcodes or authentication certificates—to distinct sets of devices,

  • Certificate management policy: When an authentication policy is applied to a certificate management policy, it defines the types of credentials devices must use when requesting certificates through protocols such as SCEP, EST, or REST. This connection ensures that the appropriate security measures are applied based on the certificate issuance process.