Concepts
DigiCert® Device Trust Manager uses several key concepts, each of which plays a critical role in managing and securing IoT devices. These concepts work together to provide granular control over device operations, security, and lifecycle management.
A core concept is a device group, which serves as the core organizational unit for devices. Every device must belong to a group. Device groups allow you to apply consistent security policies, certificate management, and updates across many devices at once, ensuring scalability and control over large device fleets.
The diagram below illustrates the main concept components and their relationships within Device Trust Manager.
![[en] Device Trust Manager concepts diagram](../../image/uuid-62c39093-ad70-7664-f5a6-d7cc3141962f.png "core-concepts-diagram-02.png")
Demonstrates how devices, groups, policies, certificates, and jobs are interconnected to deliver comprehensive device management.
Key concepts
Select the links for more information about each Device Trust Manager concept or feature.
Term | Description |
|---|---|
Includes the administrative users specified during enrollment, along with any private root and intermediate Certificate Authorities (CAs) requested. | |
The Automated Certificate Management Environment (ACME) protocol is a widely used protocol for automating the certificate issuance and management process. | |
A package that contains everything required to deploy an update to a device and can include software, firmware, metadata, and handling scripts. | |
Key/value pairs that define a device’s hardware and software details, enabling identification, remote configuration, management, auditing, and real-time status tracking. | |
Allows users and systems to securely interact with Device Trust Manager REST APIs. | |
Defines the credentials and methods devices can use when requesting certificates through different protocols, such as SCEP, EST, and REST. | |
Also known as a "birth" credential, is assigned to a device during manufacturing and stays with the device throughout its lifecycle. Acting like a birth certificate, this credential gives the device a unique identity to authenticate with Device Trust Manager. | |
Defines how certificates, including bootstrap and operational certificates, are issued, renewed, and revoked for devices. It outlines the protocols for certificate requests, keypair generation methods, and the use of certificate profiles and issuing CAs. | |
Used within the certificate management policy to configure specific attributes and settings for certificates issued to devices. It allows customizing key details such as subject fields, certificate extensions, and validity periods. | |
Defines key parameters and constraints for certificates issued within the certificate management policy. It establishes essential settings such as allowed key types and signature algorithms. | |
Defines the configuration required to automatically onboard and offboard devices to and from the OEM's preferred IoT platform, such as Azure Event Grid, AWS IoT, or Cumulocity IoT. | |
Certificate Management Protocol Version 2 (CMPv2) facilitates the secure and automated management of digital certificates. It enables IoT devices to request, renew, update, and revoke X.509 certificates in a standardized manner. | |
Delivers software updates (releases) to device groups. Once a deployment is created, Device Trust Manager rolls out the release to both static and dynamic device groups. | |
A connected physical unit or a product with sensors, chips, and connectivity, such as BLE (Bluetooth Low Energy) or Wi-Fi. These are typically manufactured by OEMs and managed in Device Trust Manager. | |
An organizational unit in Device Trust Manager that streamlines device management by grouping devices for policy application, updates, and configurations. | |
Enrollment over Secure Transport (EST) offers a secure and scalable method for IoT devices to enroll in X.509 certificates via HTTP or HTTPS. As an evolution of the Simple Certificate Enrollment Protocol (SCEP), EST improves security and flexibility for certificate issuance, renewal, and management in automated environments. | |
A Certificate Authority (CA), assigned to your account. It is used for signing and issuing x.509 certificates to devices. These signed certificates can either be bootstrap or operational certificates. These are used to establish device identities and authenticate devices. | |
Long-running operations that perform batch tasks, such as registering many devices or processing deployments. | |
A comprehensive process that guides a device from initial setup to full operational readiness within Device Trust Manager. It includes essential steps such as device authentication, software updates, and, if needed, obtaining operational certificates for secure communication. | |
Establish a secure connection and enable device management. Once the status of the device is set to Registered, the device can interact with Device Trust Manager. | |
A software update package in Device Trust Manager that consists of one or more artifacts. It enables the delivery of controlled and efficient updates to devices. | |
A highly scalable core service that handles communications between TrustEdge agent-equipped devices. Rendezvous uses distinct device rendezvous zones (DRZs) located across the globe to reduce latency and improve response times based on device proximity. | |
The Simple Certificate Enrollment Protocol (SCEP) is a widely adopted protocol used for managing X.509 certificate enrollment. It provides a streamlined and standardized approach for requesting and renewing certificates in Public Key Infrastructure (PKI) environments. | |
User-defined identifiers in Device Trust Manager that provide a way to assign metadata to entities, such as device groups, policies, and devices. | |
A compiled binary application that enables secure communication between an IoT device and Device Trust Manager. |