
Authentication policy management

Supported credential types

An authentication policy specifies which credential types devices may present when they authenticate to request a certificate.

Table 1. Authentication policy supported credential types

Passcode: A temporary code used for limited or one-time authentication. A passcode can be restricted by a usage limit and a validity period.

Authentication certificate: A certificate issued to a device for certificate-based authentication. Usage limits and validity dates can also be applied.

Authentication CA: Certificates issued by a Certificate Authority (CA). Devices can either share the same certificate or use unique certificates issued by that CA. No usage limits apply to this method.

ACME credentials: ACME-based credentials used specifically for certificate management via the ACME protocol.


Important

Authentication policies and associated credentials define how devices authenticate when requesting certificates via SCEP, EST, REST, or ACME. These policies apply only to devices and do not govern user authentication or API access. For details on user management, API access, and service users, see DigiCert® Account Manager documentation.

Credential properties

Both passcodes and authentication certificates support additional properties that control how, when, and for which subjects the credential can be used, so authentication can be tuned to different requirements.

  • Usage limits: Specifies the number of times a credential can be used.

  • Valid from/Valid to: Defines the period during which the credential is valid.

  • Registered values: Defines specific certificate subject information that must match when the credential is used.
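The three credential properties above (usage limit, validity window, registered subject values) are what a relying service has to check on every enrollment. The following is an added illustrative model, not DigiCert code, showing the order of those checks and how a one-time passcode is consumed. The attribute names, the `Credential` class, and the sample device subjects are constructed for the example.

```python
"""Illustrative model of authentication-credential properties.
Added example; it is not DigiCert Device Trust Manager code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Credential:
    kind: str                                   # "passcode" or "authentication_certificate"
    usage_limit: Optional[int] = None           # None means no usage limit
    valid_from: Optional[datetime] = None       # None means no lower bound
    valid_to: Optional[datetime] = None         # None means no upper bound
    registered_values: dict = field(default_factory=dict)  # e.g. {"CN": "sensor-0042"}
    uses: int = 0                               # how many times it has been accepted


def check_credential(cred: Credential, subject: dict, now: datetime):
    """Return (accepted, reason) without consuming the credential.

    Validity is checked before the usage limit so an expired credential
    is reported as expired even when it still has uses left.
    """
    if cred.valid_from is not None and now < cred.valid_from:
        return False, "not yet valid"
    if cred.valid_to is not None and now > cred.valid_to:
        return False, "expired"
    if cred.usage_limit is not None and cred.uses >= cred.usage_limit:
        return False, "usage limit reached"
    # Every registered value must match the corresponding CSR subject attribute;
    # extra subject attributes that are not registered are ignored.
    for attr, expected in cred.registered_values.items():
        if subject.get(attr) != expected:
            return False, f"subject {attr} mismatch"
    return True, "ok"


def consume(cred: Credential, subject: dict, now: datetime):
    """Check the credential and, if accepted, count the use.

    In a real service the check-and-increment must be atomic, otherwise two
    concurrent requests could both pass a usage limit of 1.
    """
    accepted, reason = check_credential(cred, subject, now)
    if accepted:
        cred.uses += 1
    return accepted, reason


def demo():
    """Constructed walk-through: a one-time passcode and an unlimited auth certificate."""
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    passcode = Credential(
        kind="passcode",
        usage_limit=1,
        valid_from=datetime(2025, 6, 1, tzinfo=timezone.utc),
        valid_to=datetime(2025, 6, 2, tzinfo=timezone.utc),
        registered_values={"CN": "sensor-0042"},
    )
    results = [
        consume(passcode, {"CN": "sensor-0042", "O": "Example Corp"}, now),  # first use accepted
        consume(passcode, {"CN": "sensor-0042"}, now),                       # second use rejected
        consume(passcode, {"CN": "sensor-0042"}, now + timedelta(days=2)),   # expired wins over limit
    ]
    authcert = Credential(kind="authentication_certificate",
                          registered_values={"CN": "gateway-7"})
    results.append(consume(authcert, {"CN": "sensor-0042"}, now))           # wrong subject
    results.append(consume(authcert, {"CN": "gateway-7"}, now + timedelta(days=400)))  # no limits
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", reason)
```

Running `demo()` yields accept, "usage limit reached", "expired", "subject CN mismatch", accept, in that order.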

Applying authentication policies

Authentication policies can be applied to both device groups and certificate management policies.

  • Device group: When an authentication policy is applied to a device group, it governs which credentials devices within that group must use to authenticate when requesting certificates. This setup allows administrators to assign specific authentication methods—such as passcodes or authentication certificates—to distinct sets of devices.

  • Certificate management policy: When an authentication policy is applied to a certificate management policy, it defines the types of credentials devices must use when requesting certificates through protocols such as SCEP, EST, or REST. This connection ensures that the appropriate security measures are applied based on the certificate issuance process.

Certificate management policy versus device group

When a device requests a certificate, the authentication policy that applies depends on whether the certificate management policy is assigned to a device group.

  • If you assign a certificate management policy to a device group, the authentication policy you chose for that device group when creating the policy is used. The EST enrollment endpoint URL for such a device includes a /device-group/<group-id>/ segment, for example:

    https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_<device-group-id>/device-group/<group-id>/simpleenroll

  • If you do not assign a certificate management policy to a device group (for example, on an Essentials plan), the authentication policy you chose when creating the certificate management policy is used. The EST enrollment endpoint URL for such a device contains only the /IOT_<device-id>/ segment, for example:

    https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_<device-id>/simpleenroll
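Because the two URL shapes differ only by the /device-group/<group-id>/ segment, an enrollment client or an audit script can tell from the endpoint alone which authentication policy will govern the request. The following is an added example, not DigiCert code; it encodes only the two path layouts shown on this page, and the identifiers in the sample URLs are constructed placeholders.

```python
"""Classify a Device Trust Manager EST enrollment URL by the authentication
policy source that applies. Added example; not DigiCert code."""
import re
from urllib.parse import urlsplit

# The two path layouts shown on this page: the IOT_ segment is followed by an
# optional /device-group/<group-id> segment and then the EST operation.
_EST_PATH = re.compile(
    r"^/\.well-known/est/devicetrustmanager/IOT_(?P<iot_id>[^/]+)"
    r"(?:/device-group/(?P<group_id>[^/]+))?"
    r"/(?P<operation>[^/]+)$"
)

# Constructed sample URLs; the ids are placeholders, not real DigiCert identifiers.
GROUP_URL = ("https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/"
             "IOT_dg-7f3a/device-group/grp-1234/simpleenroll")
DEVICE_URL = ("https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/"
              "IOT_dev-00a1/simpleenroll")


def select_policy_source(url: str) -> dict:
    """Return which authentication policy governs an enrollment at this URL.

    'device-group' means the policy chosen for the device group applies;
    'certificate-management-policy' means the policy chosen when the
    certificate management policy was created applies.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        # EST (RFC 7030) runs over TLS; a plain-http enrollment URL is a misconfiguration.
        raise ValueError("EST endpoints must use https")
    match = _EST_PATH.match(parts.path)
    if match is None:
        raise ValueError(f"not a Device Trust Manager EST path: {parts.path}")
    group_id = match["group_id"]
    return {
        "policy_source": "device-group" if group_id else "certificate-management-policy",
        # Per this page the IOT_ segment carries a device-group id when a group
        # segment is present and a device id otherwise.
        "iot_id": match["iot_id"],
        "group_id": group_id,
        "operation": match["operation"],
    }


if __name__ == "__main__":
    for u in (GROUP_URL, DEVICE_URL):
        print(select_policy_source(u))
```

Any URL that does not fit one of the two layouts raises rather than being guessed at, so a typo in a provisioning script surfaces before the device attempts to enroll.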

What’s next?

Create an authentication policy