
Device Trust Manager API

DigiCert® Device Trust Manager API lets you automate device identity management, certificate lifecycle operations, and software deployment for your IoT and connected device fleet.

What you can do

  • Manage devices: Register, organize, and control device lifecycle states across your fleet.

  • Issue and manage certificates: Automate certificate enrollment, renewal, and revocation for device identities.

  • Deploy software: Create artifacts, manage releases, and orchestrate deployments to device groups.

  • Configure policies: Define certificate and authentication policies to control device access and identity requirements.

  • Monitor operations: Query audit logs to track device activities, certificate operations, and deployment status.

Tip

See Get started for complete details on making your first API call to DigiCert® ONE APIs.

Authentication

Base URL and endpoints

DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.

Table 3. Device Trust Manager API URL pattern breakdown

| Segment | Description | Device Trust Manager examples |
|---|---|---|
| {hostname} | DigiCert® ONE hostname | one.digicert.com, demo.one.digicert.com, one.digicert.co.jp |
| {product} | DigiCert® ONE product-specific path segment | /devicetrustmanager (Device Trust Manager) |
| api/v{n} | API version | /api/v4 (device management), /api/v2 (certificate operations), /api/v1 (authentication services), /{resource}/api/v{n} * |
| {resource} | Specific endpoint path | /device, /device/{device_id}, /device-group, /certificate, /artifacts/api/v4/artifact * |

* Some Document Trust Manager API endpoints use a slightly different versioning pattern.
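The URL pattern in Table 3 can be enforced in client code so that the API key is only ever sent to a known DigiCert® ONE hostname and path parameters cannot change the endpoint being addressed. The following Python helper is an added example, not DigiCert's code; the names build_url, ALLOWED_HOSTS and SERVICE_RE are hypothetical, and the allowlist contains only the hostnames shown on this page.

```python
import re
from urllib.parse import quote

# Hostnames listed in Table 3; extend with the hostname for your own region.
ALLOWED_HOSTS = {"one.digicert.com", "demo.one.digicert.com", "one.digicert.co.jp"}
PRODUCT = "devicetrustmanager"
SERVICE_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def build_url(host, version, resource, service=None, **path_params):
    """Return https://{hostname}/{product}[/{service}]/api/v{n}/{resource}.

    `service` covers the variant pattern marked * in Table 3, for example
    /devicetrustmanager/artifacts/api/v4/artifact.
    """
    if host not in ALLOWED_HOSTS:
        # A typo or injected hostname must never receive the x-api-key header.
        raise ValueError(f"host not in allowlist: {host!r}")
    if type(version) is not int or version < 1:
        raise ValueError("version must be a positive integer")
    if service is not None and not SERVICE_RE.match(service):
        raise ValueError(f"unexpected service segment: {service!r}")
    encoded = {}
    for name, value in path_params.items():
        value = str(value)
        if value in ("", ".", ".."):
            raise ValueError(f"refusing path parameter {name}={value!r}")
        # Encode everything, "/" included, so an ID like "../device-group"
        # stays one path segment instead of addressing another endpoint.
        encoded[name] = quote(value, safe="")
    path = resource.strip("/").format(**encoded)
    parts = [PRODUCT] + ([service] if service else []) + [f"api/v{version}", path]
    return f"https://{host}/" + "/".join(parts)
```
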

Device lifecycle states

Devices in Device Trust Manager progress through distinct lifecycle states. Understanding these states helps you manage device operations effectively.

Table 4. Device lifecycle states and transitions

| State | Description | Common transitions |
|---|---|---|
| Registered | Device is registered but not yet provisioned with certificates | → Provisioned |
| Provisioned | Device has been issued certificates and is operational | → Disabled, Deleted |
| Disabled | Device is temporarily inactive; certificates remain valid | → Enabled (returns to Provisioned) |
| Deleted | Device is permanently removed; cannot be restored | Terminal state |


Note

Devices must be registered before they can receive certificates. Use the /devicetrustmanager/api/v4/device/registration endpoint to create devices, then issue certificates through certificate policies.
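The transitions in Table 4 can double as a monitoring rule: any state change outside the table, or any activity on a deleted device, deserves a look. The checker below is an added example, not DigiCert's code. It treats the "Common transitions" column as the complete allowed set, assumes state names are written in upper case, and runs over constructed sample events whose (device_id, new_state) shape is hypothetical rather than the audit log's real format.

```python
# Allowed transitions, taken from Table 4 (assumed here to be exhaustive).
ALLOWED = {
    "REGISTERED": {"PROVISIONED"},
    "PROVISIONED": {"DISABLED", "DELETED"},
    "DISABLED": {"PROVISIONED"},  # enabling returns the device to Provisioned
    "DELETED": set(),             # terminal state
}


def find_violations(events):
    """Return (device_id, old_state, new_state) for each disallowed change.

    `events` is a time-ordered iterable of (device_id, new_state) pairs that
    starts at each device's registration (an assumption of this example).
    """
    current = {}
    violations = []
    for device_id, new_state in events:
        old = current.get(device_id)
        if old is None:
            # Devices must be registered before anything else happens.
            if new_state != "REGISTERED":
                violations.append((device_id, None, new_state))
            if new_state in ALLOWED:
                current[device_id] = new_state
        elif new_state in ALLOWED[old]:
            current[device_id] = new_state
        else:
            violations.append((device_id, old, new_state))
            # Deleted stays deleted; other unexpected but known states are
            # tracked so later events are judged against what was observed.
            if old != "DELETED" and new_state in ALLOWED:
                current[device_id] = new_state
    return violations


# Constructed sample events, not real audit-log output.
SAMPLE_EVENTS = [
    ("dev-01", "REGISTERED"), ("dev-01", "PROVISIONED"),
    ("dev-01", "DISABLED"), ("dev-01", "PROVISIONED"),
    ("dev-02", "REGISTERED"), ("dev-02", "PROVISIONED"),
    ("dev-02", "DELETED"), ("dev-02", "PROVISIONED"),
    ("dev-03", "PROVISIONED"),
    ("dev-04", "REGISTERED"), ("dev-04", "DISABLED"),
]
```
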

Software deployment workflow

Device Trust Manager provides a structured workflow for deploying software updates to your device fleet:

  1. Artifacts: Upload software packages or firmware images. An artifact represents the actual binary or package you want to deploy.

  2. Releases: Associate artifacts with specific device groups. A release defines which artifact version should be deployed to which devices.

  3. Deployments: Execute the deployment to push releases to target devices. Monitor deployment status and abort if needed.

This three-tier approach separates software management (artifacts), deployment planning (releases), and execution (deployments), giving you precise control over your update strategy.

Roles and permissions

Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.

Use the /account/api/v1/role endpoint to see available roles for Device Trust Manager:

curl -X GET "https://demo.one.digicert.com/account/api/v1/role?application_code=device_manager" \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'

Important considerations

  • Device deletion is permanent. Deleting a device immediately invalidates all associated certificates and removes the device from all groups. This cannot be reversed.

  • Certificate policies define enrollment behavior. Before devices can request certificates, you must create certificate policies that specify certificate templates, validity periods, and approval workflows.

  • Divisions organize your device fleet. Use divisions to create organizational boundaries. Devices, device groups, and policies belong to divisions, allowing you to delegate management to different teams.

  • Batch operations for scale. Use batch enrollment endpoints for bulk operations like registering hundreds of devices or uploading authentication certificates at once.

  • Deployment monitoring is critical. Always monitor deployment status using the deployment summary endpoint. Abort deployments that encounter errors to prevent fleet-wide issues.

Common operations

Table 5. Common Device Trust Manager API operations

| Method | Endpoint | Description |
|---|---|---|
| POST | /devicetrustmanager/api/v4/device/registration | Register a new device; required before certificate issuance |
| GET | /devicetrustmanager/api/v4/device | List all devices; use query parameters to filter by status (?status=PROVISIONED) |
| GET | /devicetrustmanager/api/v4/device/{device_id} | Get details for the specified device |
| POST | /devicetrustmanager/certificate-issuance-service/api/v2/certificate | Request a certificate for a device using a certificate policy |
| PUT | /devicetrustmanager/certificate-issuance-service/api/v2/certificate/{certificate_id}/revoke | Revoke a certificate by ID; use for compromised devices |
| POST | /devicetrustmanager/artifacts/api/v4/artifact | Create a new artifact for software deployment |
| POST | /devicetrustmanager/release/api/v4/deployment | Create and execute a deployment to push software to devices |
| GET | /devicetrustmanager/api/v4/device-group | List device groups; use to organize devices by location, type, or function |
| GET | /devicetrustmanager/audit-log-service/api/v1/audit-log | View audit logs; track device operations and certificate lifecycle events |