Configure TrustEdge
TrustEdge uses several configuration files to manage its settings and credentials. Understanding these files allows you to customize TrustEdge according to your needs.
- `trustedge.json`: Main configuration file defining directory paths, proxy settings, TrustEdge agent behavior, and logging.
- `bootstrap_config.json`: Provides the TrustEdge agent with Device Trust Manager endpoints and credentials.
trustedge.json
Location: `/etc/digicert/trustedge.json`
Purpose: Defines key configuration settings used by TrustEdge.
Example content:
```json
{
  "directory_paths": {
    "bin_dir": "/usr/bin",
    "lib_dir": "/usr/lib",
    "conf_dir": "/etc/digicert/conf",
    "keystore_dir": "/etc/digicert/keystore"
  },
  "proxy": {
    "url": null
  },
  "agent": {
    "bootstrap": "<path>/bootstrap_config.json",
    "workspace_dir": "<path>",
    "connection_uptime_interval": 360,
    "keepalive_interval": 30,
    "sleep_interval": 18000,
    "action_handler_timeout": 120,
    "enforce_token": false,
    "log_payload": true,
    "policy_timestamp_window": 10,
    "max_retry_count": 7,
    "chunk_supported": true,
    "chunk_size": 131072,
    "chunk_window_size": 4
  },
  "certificate": {
    "service_dir": "/etc/digicert/service",
    "polling_interval": "1",
    "renewal_hours": "360",
    "mode": "scep"
  },
  "service": {
    "mode": "certificate"
  },
  "api": {
    "mode": "https",
    "port": 8443,
    "num_process": 5,
    "num_resource": 5,
    "server_keycert_alias": "te-api-server",
    "server_hostname": "localhost"
  },
  "cloud_provider": {
    "provider_creds_dir": "/etc/digicert/cloudprovider"
  },
  "log": {
    "loglevel": "ERROR|WARNING|DEBUG|INFO|VERBOSE"
  }
}
```
Key | Description
---|---
`directory_paths` | Container for binaries, libraries, configuration files, and the default keystore filepaths.
`directory_paths.bin_dir` | Directory where the TrustEdge binary is installed.
`directory_paths.lib_dir` | Directory where TrustEdge libraries are stored.
`directory_paths.conf_dir` | Directory containing configuration files.
`directory_paths.keystore_dir` | Default keystore directory for storing certificates, keys, and requests.
`proxy` | Defines the proxy settings for TrustEdge.
`proxy.url` | URL of the proxy server. If
`agent` | Container for settings related to TrustEdge agent configuration.
`agent.bootstrap` | Path to the bootstrap configuration file for initializing the TrustEdge agent.
`agent.workspace_dir` | Directory used for temporary files and workspace data during TrustEdge operations.
`agent.enforce_token` | Indicates whether token enforcement is enabled.
`agent.connection_uptime_interval` | Time, in seconds, that the agent stays connected to the broker.
`agent.keepalive_interval` | Time, in seconds, between MQTT keep-alive messages (service mode only).
`agent.sleep_interval` | Time, in seconds, for the agent to sleep before attempting to connect again (service mode only).
`agent.action_handler_timeout` | Time, in seconds, to wait for the artifact handler to complete.
`agent.log_payload` | If `true`, the agent dumps a hex string of every inbound and outbound message payload to the log. Payload contents therefore land in the log files; leave this `false` outside of debugging sessions.
`agent.policy_timestamp_window` | The allowed period, in seconds, that defines the validity of a policy message.
`agent.max_retry_count` | How many consecutive networking or MQTT failures the agent tolerates before it enters a sleep state.
`agent.chunk_supported` | If `true`, the agent breaks data into smaller chunks for processing or transmission where chunking is supported.
`agent.chunk_size` | Maximum size of an update artifact chunk the agent accepts; larger chunks are rejected.
`agent.chunk_window_size` | Number of payload chunks the agent handles simultaneously before processing additional ones.
`certificate` | Container for certificate management and renewal settings.
`certificate.service_dir` | Directory where the certificate service files are stored.
`certificate.polling_interval` | Time, in seconds, for polling the certificate service.
`certificate.renewal_hours` | Time, in hours, to wait before attempting certificate renewal.
`certificate.mode` | Certificate management mode. Allowed values:
`service` | Container for service mode and reconnection behavior settings.
`service.mode` | Operation mode for the service. Allowed values:
 | Time interval, in seconds, to start the backoff timer for reconnection.
`log` | Defines logging configuration for TrustEdge.
`log.loglevel` | Logging level. Allowed values: ERROR, WARNING, DEBUG, INFO, VERBOSE. Set exactly one of these; the pipe-separated string in the example above lists the choices rather than selecting one.
`api` | The TrustEdge service provides REST APIs that deliver specific functionality to applications running on the device.
`api.mode` | Whether the API runs in `http` or `https` mode.
`api.port` | TCP port for connecting to the API server.
`api.num_process` | Maximum number of processes that can subscribe to resources.
`api.num_resource` | Maximum number of resources that processes can subscribe to.
`api.server_keycert_alias` | Alias of the server's TLS certificate and private key, used in HTTPS mode.
`api.server_hostname` | SNI value used by the client in HTTPS mode.
`cloud_provider.provider_creds_dir` | Path to the directory where the system stores the cloud provider credentials in JSON format.
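The script below is an added example, not TrustEdge's own code or tooling, for checking a `trustedge.json` before it is rolled out. It covers only the keys documented above, treats the agent intervals as the plain integers shown in the example, and flags the two settings that are most often left at their example values: `log_payload` set to `true`, which hex-dumps every message payload into the log, and a `loglevel` copied verbatim as the whole list of choices. `SAMPLE_WEAK` is the page's example with the `<path>` placeholders still in place and the API switched to `http`; `SAMPLE_FIXED` is the same file corrected (the workspace path in it is an assumption made for this example).

```python
"""Added example (not TrustEdge's own code): lint a trustedge.json before
deploying it. Only keys documented on this page are checked, and numbers
are read as the plain integers shown in the example file."""
import json
from urllib.parse import urlparse

ALLOWED_LOGLEVELS = {"ERROR", "WARNING", "DEBUG", "INFO", "VERBOSE"}
REQUIRED_SECTIONS = ("directory_paths", "proxy", "agent", "certificate", "service", "api", "log")
REQUIRED_DIRS = ("bin_dir", "lib_dir", "conf_dir", "keystore_dir")
POSITIVE_INTS = ("connection_uptime_interval", "keepalive_interval", "sleep_interval",
                 "action_handler_timeout", "policy_timestamp_window", "max_retry_count",
                 "chunk_size", "chunk_window_size")


def _positive_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def lint_trustedge(config):
    """Return {"errors": [...], "warnings": [...]} for a parsed trustedge.json."""
    errors, warnings = [], []
    for section in REQUIRED_SECTIONS:
        if not isinstance(config.get(section), dict):
            errors.append(f"missing or malformed section: {section}")
    if errors:
        return {"errors": errors, "warnings": warnings}

    for key in REQUIRED_DIRS:  # every directory path must be absolute
        path = config["directory_paths"].get(key)
        if not isinstance(path, str) or not path.startswith("/"):
            errors.append(f"directory_paths.{key} must be an absolute path, got {path!r}")

    proxy = config["proxy"].get("url")  # null means no proxy; otherwise a full URL
    if proxy is not None:
        parsed = urlparse(proxy)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            errors.append(f"proxy.url is not a usable proxy URL: {proxy!r}")

    agent = config["agent"]
    for key in ("bootstrap", "workspace_dir"):  # the docs show <path> placeholders here
        value = agent.get(key)
        if not isinstance(value, str) or "<" in value or not value.startswith("/"):
            errors.append(f"agent.{key} must be an absolute path with no placeholder, got {value!r}")
    for key in POSITIVE_INTS:
        if not _positive_int(agent.get(key)):
            errors.append(f"agent.{key} must be a positive integer, got {agent.get(key)!r}")
    if agent.get("log_payload") is True:
        warnings.append("agent.log_payload is true: every message payload is hex-dumped to the log")

    api = config["api"]
    mode = api.get("mode")
    if mode not in ("http", "https"):
        errors.append(f"api.mode must be http or https, got {mode!r}")
    elif mode == "http":
        warnings.append("api.mode is http: the REST API is served without TLS")
    elif not api.get("server_keycert_alias"):
        errors.append("api.mode is https but api.server_keycert_alias is empty")
    if not _positive_int(api.get("port")) or api["port"] > 65535:
        errors.append(f"api.port must be 1-65535, got {api.get('port')!r}")

    level = config["log"].get("loglevel")
    if level not in ALLOWED_LOGLEVELS:  # catches the "A|B|C" list copied from the docs
        errors.append(f"log.loglevel must be exactly one of {sorted(ALLOWED_LOGLEVELS)}, got {level!r}")
    return {"errors": errors, "warnings": warnings}


def lint_file(path="/etc/digicert/trustedge.json"):
    with open(path, encoding="utf-8") as f:
        return lint_trustedge(json.load(f))


# Constructed sample, not a real deployment: the page's example with the
# <path> placeholders left in, api.mode switched to http, payload dumping
# on and the log level left as the whole list of choices.
SAMPLE_WEAK = {
    "directory_paths": {"bin_dir": "/usr/bin", "lib_dir": "/usr/lib",
                        "conf_dir": "/etc/digicert/conf", "keystore_dir": "/etc/digicert/keystore"},
    "proxy": {"url": None},
    "agent": {"bootstrap": "<path>/bootstrap_config.json", "workspace_dir": "<path>",
              "connection_uptime_interval": 360, "keepalive_interval": 30, "sleep_interval": 18000,
              "action_handler_timeout": 120, "enforce_token": False, "log_payload": True,
              "policy_timestamp_window": 10, "max_retry_count": 7, "chunk_supported": True,
              "chunk_size": 131072, "chunk_window_size": 4},
    "certificate": {"service_dir": "/etc/digicert/service", "polling_interval": "1",
                    "renewal_hours": "360", "mode": "scep"},
    "service": {"mode": "certificate"},
    "api": {"mode": "http", "port": 8443, "num_process": 5, "num_resource": 5,
            "server_keycert_alias": "te-api-server", "server_hostname": "localhost"},
    "cloud_provider": {"provider_creds_dir": "/etc/digicert/cloudprovider"},
    "log": {"loglevel": "ERROR|WARNING|DEBUG|INFO|VERBOSE"},
}

# The same file corrected: real paths (the workspace path is an assumption
# for this example), payload dumping off, https, and a single log level.
SAMPLE_FIXED = json.loads(json.dumps(SAMPLE_WEAK))
SAMPLE_FIXED["agent"].update({"bootstrap": "/etc/digicert/conf/bootstrap_config.json",
                              "workspace_dir": "/var/lib/digicert/workspace", "log_payload": False})
SAMPLE_FIXED["api"]["mode"] = "https"
SAMPLE_FIXED["log"]["loglevel"] = "INFO"

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, json.dumps(lint_trustedge(cfg), indent=2))
```

Run it as `python lint_trustedge.py` to compare the two samples, or call `lint_file()` against the installed file; `SAMPLE_WEAK` produces three errors (two placeholders, the log level) and two warnings (payload dumping, plain-HTTP API), `SAMPLE_FIXED` none.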
bootstrap_config.json
Warning
Do not edit the bootstrap_config.json file. Modifying this file may cause unexpected behavior or disrupt Device Trust Manager communications.
Location: `/etc/digicert/conf/bootstrap_config.json`
Purpose: Provides the agent with Device Trust Manager MQTT endpoints and credentials.
Example content:
```json
{
  "configuration": {
    "device_id": "<device_id>",
    "account_id": "<account_id>",
    "division_id": "<division_id>",
    "device_group_id": "<device_group_id>",
    "rendezvous_configuration": {
      "mqtt_endpoint": {
        "primary": ["mqtt://demo.one.digicert.com:1883"]
      },
      "persist_connection": false
    },
    "system_attributes": [
      { "key": "location" },
      { "key": "hardware_model" },
      { "key": "serial_number" },
      { "key": "operating_system" },
      { "key": "firmware_version" },
      { "key": "mac_address" },
      { "key": "ip_address" }
    ],
    "authentication": [
      {
        "method": "x509",
        "key_source": "SW",
        "certificate_serial_number": "111111111111111111",
        "certificate_issuer": "RSA 2048 ICA",
        "cert_alias": "device1.crt",
        "key_alias": "device1-key.crt"
      }
    ]
  }
}
```
Field | Description | Required
---|---|---
`device_id` | Unique identifier for the device. Used as the device ID when connecting to Device Trust Manager and as the client ID for MQTT communications. | Yes
`account_id` | The account ID associated with the device. | Yes
`division_id` | Identifier for the division to which the device belongs. | Yes
`device_group_id` | Identifier for the device group to which the device belongs. | Yes
`rendezvous_configuration` | Contains connection settings for the rendezvous service. | Yes
`rendezvous_configuration.mqtt_endpoint` | MQTT endpoint configuration details. | Yes
`rendezvous_configuration.mqtt_endpoint.primary` | Fully qualified domain name (FQDN) of the primary MQTT endpoint. In the example it is an array holding one `mqtt://host:port` URL. | Yes
 | Array of strings representing backup MQTT endpoints for redundancy. | No
`authentication` | Array of objects containing the authentication credentials required to connect to the rendezvous service. | Yes
`authentication[].method` | Authentication method, e.g., | Yes
 | PEM encoded private key in PKCS #8 format. | Yes
 | PEM encoded certificate. | Yes
`rendezvous_configuration.persist_connection` | Determines if the connection to the rendezvous endpoint should be persistent ( | Yes
 | Array of key-value pairs representing device-specific attributes. | No
 | Attribute key, e.g., | Yes
 | Attribute value, e.g., | Yes
`system_attributes` | Array of key-value pairs representing system-specific attributes. | No
`system_attributes[].key` | System attribute key, e.g., | Yes
 | Optional attribute value. If not provided, the device attempts to populate it; if that fails, the attribute is skipped. | No
 | Array of key-value pairs representing user-defined attributes. | No
 | User-defined attribute key, e.g., | Yes
 | User-defined attribute value, e.g., | Yes
 | Array of key-value pairs representing default attributes. | No
 | Default attribute key, e.g., | Yes
 | Default attribute value, e.g., | Yes
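Because `bootstrap_config.json` must not be edited, the only sensible check on a device is read-only: confirm the file still carries real identifiers rather than placeholders, that the rendezvous endpoints parse as MQTT URLs (and whether they use TLS), that each x509 entry names both a certificate and a key alias, and that the file, which points at the device credentials, is not readable by other local users. The script below is an added example and not part of TrustEdge or this page; `SAMPLE_BOOTSTRAP` is a constructed copy of the example above, and the `cert_alias`/`key_alias` field names are taken from that example rather than from a published schema.

```python
"""Added example (not TrustEdge's own code): read-only checks on a
provisioned bootstrap_config.json. The file is never written, only
parsed and inspected for the fields documented on this page."""
import json
import os
import stat
from urllib.parse import urlparse

REQUIRED_IDS = ("device_id", "account_id", "division_id", "device_group_id")

# Constructed sample: the example from this page, placeholders included.
SAMPLE_BOOTSTRAP = json.loads("""
{"configuration": {
  "device_id": "<device_id>", "account_id": "<account_id>",
  "division_id": "<division_id>", "device_group_id": "<device_group_id>",
  "rendezvous_configuration": {
    "mqtt_endpoint": {"primary": ["mqtt://demo.one.digicert.com:1883"]},
    "persist_connection": false},
  "system_attributes": [{"key": "serial_number"}, {"key": "mac_address"}],
  "authentication": [{"method": "x509", "key_source": "SW",
    "certificate_serial_number": "111111111111111111",
    "certificate_issuer": "RSA 2048 ICA",
    "cert_alias": "device1.crt", "key_alias": "device1-key.crt"}]
}}
""")


def check_endpoint(url):
    """Return (errors, warnings) for one MQTT endpoint URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("mqtt", "mqtts") or not parsed.hostname:
        return [f"endpoint is not an mqtt:// or mqtts:// URL: {url!r}"], []
    warnings = []
    if parsed.port is None:
        warnings.append(f"endpoint has no explicit port: {url!r}")
    if parsed.scheme == "mqtt":
        warnings.append(f"endpoint uses plain MQTT, no TLS: {url!r}")
    return [], warnings


def check_bootstrap(doc):
    """Validate a parsed bootstrap_config.json; returns errors and warnings."""
    errors, warnings = [], []
    conf = doc.get("configuration")
    if not isinstance(conf, dict):
        return {"errors": ["top-level 'configuration' object missing"], "warnings": []}

    for key in REQUIRED_IDS:
        value = conf.get(key)
        if not isinstance(value, str) or not value:
            errors.append(f"{key} missing")
        elif value.startswith("<") and value.endswith(">"):
            errors.append(f"{key} is still the placeholder {value}")

    rendezvous = conf.get("rendezvous_configuration") or {}
    primary = (rendezvous.get("mqtt_endpoint") or {}).get("primary")
    if not isinstance(primary, list) or not primary:
        errors.append("rendezvous_configuration.mqtt_endpoint.primary must be a non-empty array")
    else:
        for url in primary:
            e, w = check_endpoint(url)
            errors.extend(e)
            warnings.extend(w)
    if not isinstance(rendezvous.get("persist_connection"), bool):
        errors.append("rendezvous_configuration.persist_connection must be true or false")

    auth = conf.get("authentication")
    if not isinstance(auth, list) or not auth:
        errors.append("authentication must be a non-empty array")
    else:
        for i, entry in enumerate(auth):
            if entry.get("method") != "x509":
                warnings.append(f"authentication[{i}] method {entry.get('method')!r} is not checked here")
                continue
            for field in ("cert_alias", "key_alias"):  # field names as in the page's example
                if not entry.get(field):
                    errors.append(f"authentication[{i}] (x509) is missing {field}")
    return {"errors": errors, "warnings": warnings}


def private_to_owner(st_mode):
    """True when group and other have no permission bits at all (e.g. mode 0600)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_file(path="/etc/digicert/conf/bootstrap_config.json"):
    """Parse the installed file, then warn if anyone but its owner can read it."""
    with open(path, encoding="utf-8") as f:
        result = check_bootstrap(json.load(f))
    if not private_to_owner(os.stat(path).st_mode):
        result["warnings"].append(f"{path} is readable or writable by group/other")
    return result
```

On the page's example the only errors are the four `<...>` placeholders; the one warning is that `mqtt://demo.one.digicert.com:1883` is a plain-MQTT URL, so the MQTT session itself carries no TLS and the x509 credential must be doing all the work.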