Device creator guide
To perform this action, you must have a user role that contains the Device creator permission.
This role is intended for users registering devices individually or in batches. It is commonly assigned to production managers or staff at manufacturing facilities where devices are initialized and registered.
Tip
To learn more about devices, device properties, device attributes, and so on, see Device.
Request a certificate for managed devices
To perform this action, you must have a user role that contains the Device administrator permission.
Use this workflow to request a certificate for a specific device. This certificate is linked to a device record in Device Trust Manager, allowing you to manage the device throughout its lifecycle.
This is intended for organizations that need full device management capabilities, such as:
Tracking devices in a central inventory
Managing device lifecycles
Issuing bootstrap certificates for onboarding
Issuing operational certificates for ongoing device authentication
Note
Requesting a device certificate for managed devices consumes an Advanced license.
Before you begin
Make sure your account has the Device administrator permission.
Also verify that your Solution Administrator has already completed the following setup tasks:
Created a device group
Created a certificate management policy
Prepared a CSV file containing device information, such as Device name, Description, and Subject Common Name (CN).
In the Device Trust Manager menu, go to Certificate management > Certificates.
Select Certificate actions > Request certificate.
From the Certificate request page, select Request certificate for > Managed device.
From the Device group list, select the device group that contains the device.
From the Certificate management policy list, select the policy associated with the device group.
On the Key generation type step, choose one of the available options:
I have the keypair and will provide the CSR or public key in the request:
Choose this option if you already have a key pair. You must upload a CSV file or a ZIP file containing the device data. If needed, download the provided template to ensure the file is formatted correctly.
Key pairs will be generated on the server side by this application, and the private key and certificate will be included in response:
Choose this option if you want Device Trust Manager to generate the key pair for you.
Tip
Key generation type behavior
The Key generation type option is dynamically displayed based on the selected Device group and the associated Certificate management policy. Only the key generation methods that are supported by the chosen combination are presented to you.
Provide a Common name for the certificate.
Optionally, provide an Organization name.
Optionally, select Add Value to add one or more Organizational Unit values.
Optionally, enter a Description.
Select Submit certificate request.
What happens next
The certificate is issued and is associated with the device record.
You can download the certificate from Device Trust Manager.
If server-side key generation was selected (Key pairs will be generated on the server side by this application, and the private key and certificate will be included in response), the response also includes the generated private key.
Example scenario
A manufacturer needs to issue a bootstrap certificate to a newly produced IoT gateway before deployment. By requesting a certificate for managed devices, the manufacturer can create or associate a device record, issue the certificate, and manage the device throughout its operational lifecycle from a single platform.
Request a certificate for unmanaged devices
To perform this action, you must have a user role that contains the Device administrator permission.
Use this workflow to request a certificate that isn't associated with a device record in Device Trust Manager.
Unlike certificate requests for managed devices, Unmanaged device certificates are issued without creating or referencing a device. This option is designed for organizations that need certificate-based device identities but don't require device inventory, lifecycle management, or device tracking.
This is designed for organizations that only need device identity certificates, such as:
CSA Matter Device Attestation Certificates (DACs)
C2PA claim signing certificates
Manufacturing and provisioning workflows
Device identity certificates that don't require ongoing device management
When you request an Unmanaged device certificate, Device Trust Manager issues only the certificate. No device record is created.
Note
Requesting a certificate for unmanaged devices consumes an Essentials license.
Before you begin
Make sure your account has the Device administrator permission.
Also verify that your Solution Administrator has already completed the following setup tasks:
Created a certificate management policy
Prepared a CSV file containing device information, such as Device name, Description, and Subject Common Name (CN).
In the Device Trust Manager menu, go to Certificate management > Certificates.
Select Certificate actions > Request certificate.
From the Certificate request page, select Request certificate for > Unmanaged device.
From the Certificate management policy list, select the policy associated with the device group.
On the Key generation type step, choose one of the available options:
I have the keypair and will provide the CSR or public key in the request:
Choose this option if you already have a key pair. You must upload a CSV file or a ZIP file containing the device data. If needed, download the provided template to ensure the file is formatted correctly.
Key pairs will be generated on the server side by this application, and the private key and certificate will be included in response:
Choose this option if you want Device Trust Manager to generate the key pair for you.
Tip
Key generation type behavior
The Key generation type option is dynamically displayed based on the selected Device group and the associated Certificate management policy. Only the key generation methods that are supported by the chosen combination are presented to you.
Provide a Common name for the certificate.
Optionally, provide an Organization name.
Optionally, select Add Value to add one or more Organizational Unit values.
Optionally, enter a Description.
Select Submit certificate request.
What happens next
After the certificate request is successfully processed:
The certificate is issued
No device record is created or associated with the certificate
You can download the certificate from Device Trust Manager
If server-side key generation was selected (Key pairs will be generated on the server side by this application, and the private key and certificate will be included in response), the response also includes the generated private key.
Example scenario
A device manufacturer needs to issue CSA Matter Device Attestation Certificates (DACs) during production. Because the certificates are used only to establish device identity and don't require lifecycle management, certificate requests for unmanaged devices provide a simple way to issue certificates without creating device records.
Device registration
Devices can be registered individually or in batches using a CSV template, with batch registrations processed as jobs. During registration, attributes and device group assignment are specified, ensuring that each device is properly categorized and managed.
| Registration method | Description |
|---|---|
| Single device | Devices can be manually registered one by one in Device Trust Manager. Devices can also be registered using EST, SCEP, or CMPv2. |
| Multiple devices | Multiple devices can be registered at once using a CSV file that defines the device properties, including key/value pairs and group assignment. |
Tip
You can also register a single device or multiple devices using Device Trust Manager Management REST API.
Before you begin
To complete these steps, make sure you have:
A device group created. All registered devices must be assigned to a device group
A division configured with a certificate management policy for bootstrap certificates. The certificate management policy must have the Batch certificate request through portal and API certificate management method enabled
A CSV file containing device-specific details, such as device name, description, and subject common name
A client authentication certificate for encrypting the delivered keys and certificates. You can upload a new one or use an existing one from your profile
A user account with the Solution Administrator, Device Creator, or Device Administrator role
What’s next?
In the Device Trust Manager menu, go to Device management > Devices > Register devices > Register single device.
On the Device information step:
Enter a Device name.
Optionally, provide a Description.
From the Device group dropdown menu, choose the device group to which the registered device will be assigned.
Select Next.
On the Certificate management policies step:
Expand the Bootstrap certificate management policy for the device.
From the Bootstrap certificate management policy dropdown menu, select the Bootstrap certificate policy to use for this device.
Note
The dropdown options display only those certificate management policies for the device group that uses the Register single device method.
The disabled fields are inherited from the chosen certificate management policy. These settings are predefined and cannot be modified here.
Under Certificate variables, enter the Common name for the certificate.
Add additional details as needed.
Click Register device.
If you selected DigiCert ONE to generate the keypairs, download the private key of the device and save it securely.
In the Device Trust Manager menu, go to Device management > Devices.
Select Register devices > Register multiple devices.
On the General settings step:
Enter a Batch Job name and, optionally, a Job description.
From the Device group dropdown menu, choose the device group to which the registered devices will be assigned.
Caution
Ensure that the selected device group has an assigned certificate management policy configured for Batch certificate request through Portal or API with policy usage set to Bootstrap.
Select Next.
On the Certificate request options step:
From the Bootstrap certificate management policy dropdown menu, select the Bootstrap certificate policy to use for the devices.
Optionally, select Assign certificate management policy to this device group to open the Assign certificate management policy pane.
Enter the Name of the policy assignment.
From the Assign Certificate management policy dropdown menu, choose a certificate management policy.
Expand the Device field mapping and map the inventory attributes to certificate fields.
Note
If a certificate management policy uses EST, SCEP, or CMPv2 as the management method, then device field mapping is required.
For bootstrap certificate management policies, field mapping provides the values for identity attributes, which are obtained during certificate requests.
For operational certificate management policies, field mapping provides device identification using the CSR during the certificate issuance request process.
Optionally, choose an Authentication policy to assign to the device group.
Click Assign certificate management policy.
Select the Key type from the dropdown menu.
From the Private key encryption in batch response step, perform one of the following:
Select Encrypt using an authentication certificate from my Account Manager user profile and then select an appropriate certificate from the dropdown menu.
Select Provide a certificate for encryption and then provide your own certificate.
Alternatively, Generate a new certificate within your profile by specifying the required fields.
On the Batch request options step:
Upload a CSV file or a zipped CSV file containing the device data. See the CSV format for registering multiple devices template for formatting guidance.
Optionally, add email addresses to receive notifications when the batch request is completed.
If necessary, select the Allow users without a login to this portal to download the batch file checkbox.
If necessary, select the Require passcode to download the batch file checkbox.
Select Start request to begin the batch registration job.
Click submit batch job request to begin the batch registrations.
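The batch procedure above depends on a correctly prepared CSV file. The following pre-upload check is an added example, not DigiCert code and not the portal's own validation. The column headers are assumptions based on the fields this page names (match them to the downloaded template), and the checks are ones a reviewer might choose: empty or padded identity fields, duplicate names or CNs, and CNs over the general X.509 length bound.

```python
import csv
import io

# Assumed headers, taken from the fields this page names; replace them with
# the headers in the template downloaded from the portal.
NAME, DESC, CN = "Device name", "Description", "Subject Common Name"
MAX_CN_LEN = 64  # X.520 upper bound for commonName


def validate_batch_csv(text):
    """Return (line_number, message) problems; an empty list means no findings."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop Excel BOM
    missing = [c for c in (NAME, DESC, CN) if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, seen = [], {NAME: {}, CN: {}}
    for row in reader:
        line = reader.line_num
        if None in row:  # more fields than headers, usually an unquoted comma
            problems.append((line, "extra field(s); quote values containing commas"))
        for col in (NAME, CN):
            value = row.get(col) or ""
            if not value.strip():
                problems.append((line, f"{col} is empty"))
                continue
            if value != value.strip():
                problems.append((line, f"{col} has leading/trailing whitespace"))
            if not value.isprintable():
                problems.append((line, f"{col} contains control characters"))
            key = value.strip().lower()
            if key in seen[col]:
                problems.append((line, f"duplicate {col} (first on line {seen[col][key]})"))
            else:
                seen[col][key] = line
        if len((row.get(CN) or "").strip()) > MAX_CN_LEN:
            problems.append((line, f"{CN} longer than {MAX_CN_LEN} characters"))
    return problems


# Constructed sample batch file (not real device data).
SAMPLE = (
    "Device name,Description,Subject Common Name\n"
    "gw-0001,Line 1 gateway,gw-0001.example.test\n"
    "gw-0002,Line 1 gateway,gw-0001.example.test\n"
    "gw-0003,,\n"
    "gw-0004,Spare, gw-0004.example.test\n"
)

if __name__ == "__main__":
    for line, message in validate_batch_csv(SAMPLE):
        print(f"line {line}: {message}")
```

Duplicate CNs are reported for review rather than treated as errors, because whether two devices may share a subject name depends on the certificate management policy.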