Part 2: Configure Device Trust Manager

Now that the initial access is set up, the next step is to configure DigiCert® Device Trust Manager for secure device management. This section helps you create divisions, define authentication policies, and set up certificate profiles.

Objectives

Create divisions to organize devices by business needs.
Set up authentication policies to manage device access.
Configure certificate profiles and management policies for certificate issuance.

Before you begin

Your Account Administrator completed all steps in Part 1: Initial access and setup.
Reviewed the following concepts: Division, Authentication policy, Certificate profiles, and Certificate management policy.
A user account with the Solution Administrator role.

To start initial configuration of Device Trust Manager, complete the following steps:

Step 1: Create a division and configure Rendezvous zones

Divisions allow you to create “subtenants” within aDevice Trust Manager account. This allows you to manage devices according to criteria such as location, function, or business unit.

Note

Device Trust Manager Rendezvous provides distinct zones, called Device Rendezvous Zones (DRZs), that are located across the globe to reduce latency and improve response times based on device proximity. After creating a division, a primary and secondary zone for Rendezvous can be configured.

Sign in to DigiCert® ONE as a Solution Administrator.
In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.
In the Device Trust Manager menu, select Divisions.
On the Divisions page, select Create new division.
Enter a Name and, optionally, a description.
Select Create new division to save.
On the Divisions page, select the created division to view its details.
On the Division details page, expand the Rendezvous zones assigned to division section.
On the Primary zone tab, choose a Rendezvous zone from the dropdown and select Add zone.
(Optional) On the Secondary zone tab, select a backup Rendezvous zone and select Add zone.

Step 2: Create an authentication policy

Authentication policies support multiple credentials, including passcodes, authentication certificates, and authentication CAs.

Tip

A single authentication policy can be assigned to multiple device groups and certificate management policies.

In the Device Trust Manager menu, select Authentication management > Authentication policies.
Select Create authentication policy.
Enter a Name and, optionally, a description.
Select Create new authentication policy to save.

Step 3: Add a passcode to an authentication policy

Passcodes are one of the methods that can be used for device authentication and certificate requests using protocols such as SCEP, EST, and CMPv2.

In the Device Trust Manager menu, select Authentication management > Authentication policies.
Select Create passcode.
Enter a Name and, optionally, a description.
Under Assign or create an authentication policy, choose the policy created in Step 2: Create an authentication policy.
If necessary, configure additional passcode settings, such as usage restrictions.
Select Create passcode to save.

Important

When using a passcode for API authentication, make sure to set the header to x-passcode instead of x-api-key.

Step 4: Create a certificate profile

Certificate profiles define essential settings for certificate issuance. You can set default values for subject distinguished names, customize the certificate validity period, and enable or disable specific extensions as needed.

In the Device Trust Manager menu, select Certificate management > Certificate profiles.
Select Create certificate profile.
Enter a Name for the certificate profile.
Use DigiCert ONE as the CA source or choose one from the list.
Under Template, select either End entity or Intermediate CA, depending on your requirement.
Choose a certificate template that the certificate profile will use. Configurable custom field options are loaded based on the template you choose.
Note
A certificate template defines the key parameters and constraints for certificates issued within a certificate management policy. It establishes essential settings such as allowed key types, signature algorithms, and the fields included in the certificate.
Note
Certificate templates are created and customized for your organization by DigiCert®. If no certificate templates appear on the Certificate templates page, or if you require modifications or a new template, contact you DigiCert® account representative.
Certificate templates standardize the attributes of certificates issued to devices by defining core elements that must be present in each certificate. This consistency ensures that certificates meet technical, security, and regulatory requirements.
If no certificate templates are available, contact your DigiCert account representative to request a custom template tailored to your needs.
Select if All divisions can use the certificate profile or only Specific divisions.
Configure custom field options as required. For example, default values or renewal settings.
Enable at least one subject attribute from the available list or mark the SAN extension in the template as critical.
The available list of subject attributes includes Common name, Organization name, Organization unit, and address fields.
Select Create to save the certificate profile.

Step 5: Create a certificate management policy

A certificate management policy defines how certificates, including bootstrap certificates and operational certificates, are issued, renewed, and revoked for devices.

Devices must use a bootstrap certificate to authenticate with the Rendezvous service. The bootstrap certificate allows the devices to request short-lived X.509 operational certificates.

While bootstrap and operational certificates are typically obtained through the certificate management method, other approved methods and protocols are also used for certificate issuance and management. For details, see Certificate management policies.

Create a certificate management policy for bootstrap certificates

A bootstrap certificate is a long-lived x.509 certificate. Bootstrap certificates typically have a validity period covering the device's lifespan—for example, ten years. These "birth" certificates enable devices to securely communicate with Device Trust Manager. Bootstrap certificates are also used to request operational certificates and during device onboarding.

Important

Make sure to store the private key in a TPM, Secure Element, or Trusted Execution Environment to protect against unauthorized access and tampering.

Before you begin

To complete these steps, ensure you:

Sign in to DigiCert® ONE as a Solution Administrator.
In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.
In the Device Trust Manager menu, select Certificate management > Certificate management policies.
Select Create certificate management policy.
On the General certificate management policy settings page:
1. Enter a Name for the bootstrap certificate policy.
2. Select the Division you created.
3. Select the required certificate management model.
4. Select Single certificate request through portal and REST API and register a single device under Certificate management methods.
5. Select an Authentication policy from the dropdown menu (optional).
  You can use the credentials defined in an authentication policy to authenticate API requests. When you assign a certificate management policy to a device group, you can also link it to an authentication policy. For devices in that group, the authentication policy set at the device group level always overrides the one associated with the certificate management policy.
Click Next.
On the Certificate settings page:
1. Select either an End entity certificate profile or an intermediate certificate profile from the dropdown menu.
2. Select an Issuing CA from the dropdown menu.
3. Select Server-side keypair generation from the Keypair generation settings section.
  DigiCert® generates keypair for certificate issuance. When selecting this option, specify the default key type and size, such as RSA 2048 or P-256.
4. (Optional) if required, select the Allow the request to select the key and key size at the time of their certificate request checkbox.
5. (Optional) if required, select the Allow the requestor to select local or server-side keypair generation at the time of their certificate request checkbox.
Click Next.
On the Certificate management method settings page:
1. Expand the Single certificate request through portal and API section.
  Note
  Your selected certificate management methods must align with the settings in the certificate profiles. If there are no certificate profiles that support the selected protocols, you will not be able to create a certificate management policy.
2. Follow the on-screen instructions and select the required fields.
Click Finish to create a certificate management policy for bootstrap certificates.

Create a certificate management policy for operational certificates

Before you begin

To complete these steps, ensure you:

Sign in to DigiCert® ONE as a Solution Administrator.
In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.
In the Device Trust Manager menu, select Certificate management > Certificate management policies.
Select Create certificate management policy.
On the General certificate management policy settings page:
1. Enter a Name for the operational certificate policy.
2. Select the Division you created.
3. Select Policy will be used for secure device lifecycle management. Requires an Advanced license from the Select the certificate management model section.
4. Select DigiCert TrustEdge agent under Certificate management methods.
5. Select an Authentication policy from the dropdown menu (optional).
Click Next.
On the Certificate settings page:
1. Select either an End entity certificate profile or an intermediate certificate profile from the dropdown menu.
2. Select an Issuing CA from the dropdown menu.
3. Select Local keypair generation from the Keypair generation settings section.
  The requestor generates the keypair locally and includes the public key in their Certificate Signing Request (CSR). This is recommended for TrustEdge management-based operational certificates.
Click Next.
On the Certificate management method settings page:
1. Expand the Manage certificates using the DigiCert TrustEdge Agent section.
2. Select the required Certificate request format from the dropdown menu.
3. (Optional) Request a format specification from the dropdown menu.
4. (Optional) Specify a Certificate private key alias in the text box.
  An alias is a unique identifier for a key on a device, used to distinguish between multiple keys and ensure the correct one is used for specific operations.
5. (Optional) Select an appropriate Key algorithm from the dropdown list.
6. From the Define how the agent will generate certificate values, select either any expression (Use an expresssion evaluated by the TrustEdge agent to provide a certificate value) or provide a default certificate value.
  Note
  What are these used for? These selected attributes are used to create an identity attribute for a device. This identity attribute of the device must be unique across your fleet to ensure reliable device identification and management. See Attributes to learn more.
7. Select Client-side software from the Private key generation dropdown menu.
Click Finish to create a certificate management policy for operational certificates.

Review your progress

At this stage, Device Trust Manager is configured with divisions, authentication policies, and certificate management policies (bootstrap and operational certificates). You should now have:

A division created to organize devices and other entities
Authentication policies and passcodes are set up for secure access
Certificate profiles and management policies are defined for controlled certificate issuance

What’s next?

Continue to Part 3: Set up device management to configure your device management structure.