Part 2: Configure Device Trust Manager
Now that initial access is set up, the next step is to configure DigiCert® Device Trust Manager for secure device management. This guide will help you create divisions, define authentication policies, and set up certificate profiles.
Objectives
Create divisions to organize devices by business needs.
Set up authentication policies to manage device access.
Configure certificate profiles and management policies for certificate issuance.
Before you begin
Your Account Administrator completed all steps in Part 1: Initial access and setup.
Reviewed the following concepts: Division, Authentication policy, Certificate profiles, and Certificate management policy.
A user account with the Solution Administrator role.
To start initial configuration of Device Trust Manager, complete the following steps:
Step 1: Create a division and configure Rendezvous zones
Divisions allow you to create “subtenants” within a Device Trust Manager account. This allows you to manage devices according to criteria such as location, function, or business unit.
注意
Device Trust Manager Rendezvous provides distinct zones, called Device Rendezvous Zones (DRZs), that are located across the globe to reduce latency and improve response times based on device proximity. After creating a division, a primary and secondary zone for Rendezvous can be configured.
Sign in to DigiCert® ONE as a Solution Administrator.
In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.
In the Device Trust Manager menu, select Divisions.
On the Divisions page, select Create new division.
Enter a Name and, optionally, a description.
Select Create new division to save.
On the Divisions page, select the created division to view its details.
On the Division details page, expand the Rendezvous zones assigned to division section.
On the Primary zone tab, choose a Rendezvous zone from the dropdown and select Add zone.
(Optional) On the Secondary zone tab, select a backup Rendezvous zone and select Add zone.
Step 2: Create an authentication policy
Authentication policies serve as a sort of container for multiple credentials, including passcodes, authentication certificates, and authentication CAs.
提示
A single authentication policy can be assigned to multiple device groups and certificate management policies.
In the Device Trust Manager menu, select Authentication policy.
Select Create authentication policy.
Enter a Name and, optionally, a description.
Select Create new authentication policy to save.
Step 3: Add a passcode to an authentication policy
Passcodes are one of the methods that can be used for device authentication and certificate requests using protocols such as SCEP, EST, and CMPv2. Authentication methods are assigned to authentication policies.
In the Device Trust Manager menu, select Authentication policy > Passcodes.
Select Create passcode.
Enter a Name and, optionally, a description.
Under Assign or create an authentication policy, choose the policy created in Step 2: Create an authentication policy.
If necessary, configure additional passcode settings, such as usage restrictions.
Select Create passcode to save.
重要
When using a passcode for API authentication, make sure to set the header to x-passcode
instead of x-api-key
.
Step 4: Create a certificate profile
Certificate profiles define essential settings for certificate issuance. You can set default values for subject distinguished names, customize the certificate validity period, and enable or disable specific extensions as needed.
In the Device Trust Manager menu, select Certificate management > Certificate profiles.
Select Create certificate profile.
Enter a Name for the certificate profile.
Use DigiCert ONE as the CA source, or choose one from the list.
Under Template, select either End entity or Intermediate CA, depending on your needs.
Choose a certificate template that the certificate profile will use. Configurable custom field options are loaded based on the chosen template.
注意
Select if All divisions can use the certificate profile or only Specific divisions.
Configure custom field options as required. For example, default values or renewal settings.
Select Create to save the certificate profile.
Step 5: Create a certificate management policy
Certificate management policies link components and protocols that determine certificate issuance and management settings.
In the Device Trust Manager menu, select Certificate management > Certificate management policies.
Select Create certificate management policy.
On the General settings step:
Enter a Name for the policy.
Select the Division created in Step 1: Create a division and configure Rendezvous zones.
Select whether certificates issued with this policy will be associated with a device group or not.
For Certificate management methods, select the protocols permitted by this policy. For example, Single certificate request through portal and API, SCEP, and EST.
注意
The selected certificate management methods must align with the settings in the certificate profiles. If there are no certificate profiles that support the chosen protocols, you won’t be able to create the certificate management policy.
Select Next.
On the Certificate settings step:
Choose a certificate profile to use with this policy.
Choose the issuing CA that will be used to sign certificates.
For Keypair generation settings, select who will generate keypairs: the device, DigiCert®, or both.
Local keypair generation: The device generates the keypair locally for certificate issuance.
Server-side keypair generation: DigiCert® generates the keypair for certificate issuance. When selecting this option, specify the default key type and size, such as RSA 2048 or P-256.
Allow the requestor to select local or server-side keypair generation at the time of their certificate request: Provides flexibility by enabling the device or client to choose either local or server-side keypair generation based on their needs at the time of the request. When selecting this option, specify the default key type and size, such as RSA 2048 or P-256.
Select Next.
On the Certificate management method settings step:
Under Single certificate request through portal and API:
Change any of the default portal and API certificate request settings as needed.
Select Next.
On the Usage restrictions (optional) step:
Unless specific usage restrictions are required, leave the default values as they are.
Select Finish to complete the setup and save the certificate management policy.
Review your progress
At this stage, Device Trust Manager is configured with divisions, authentication policies, and certificate management policies. You should now have:
A division created to organize devices and other entities
Authentication policies and passcodes set up for secure access
Certificate profiles and management policies defined for controlled certificate issuance
What’s next?
Continue to Part 3: Set up device management to configure your device management structure.