
DevID Certificates

CAFB385655BEB1060E85B6C080B432F8EB2A2AF78459BD6532124977B933154A edited this page Aug 26, 2024 · 4 revisions

DevID (Device Identifier) certificates are specified by IEEE 802.1AR. An LDevID is a locally issued DevID, as opposed to the IDevID installed by the device's manufacturer. Version 3 of the HIRS Attestation Certificate Authority (ACA) added a "Generate LDevID Certificate" policy. When it is enabled on the ACA Portal policy page, the ACA issues an LDevID certificate to the device upon successful validation as part of the provisioning process. Several use cases can take advantage of the LDevID certificate:

  • Zero trust implementations
  • 802.1x EAP authentication
  • Comply-to-Connect (C2C) scenarios

When the LDevID policy is selected, the ACA issues an LDevID certificate to the device, signed by the ACA. The ACA populates the certificate's Subject with the following mapping:

  • CN=Manufacturer
  • OU=Model
  • SN=Serial Number

The ACA also populates the remaining fields required by the TCG "TPM 2.0 Keys for Device Identity and Attestation" specification.

When inspecting an issued LDevID with OpenSSL, keep in mind that OpenSSL's short name "SN" denotes surname (OID 2.5.4.4), while the serial number attribute is serialNumber (OID 2.5.4.5); check the attribute OID in the Subject rather than relying on the label.

Note that an IDevID is guaranteed to be unique and may carry a serial number, but it does not necessarily carry the device information a relying party might expect (for example, manufacturer and model). Unlike Platform Certificates, IDevID certificates do not contain attributes describing the device or a listing of its components.

The LDevID is signed by the ACA. The ACA certificate chain used to validate the signature of either the LDevID certificate or the Attestation Certificate can be downloaded from the ACA portal's Trust Management page, via the downward arrow icon next to the "HIRS Attestation CA Certificate" label.
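The following script is an added example and is not HIRS code. It stands up a throwaway "ACA" root, issues an LDevID whose Subject follows the mapping above, and then performs the two things a relying party does with the chain downloaded from the Trust Management page: verify the LDevID against that chain only (and confirm that a different CA does not validate it), and read Manufacturer, Model and Serial Number back out of the Subject. Every name, value and path is constructed for the example. It places the serial number in the serialNumber attribute (OID 2.5.4.5), which is an assumption to confirm against an LDevID issued by a real ACA; OpenSSL's "SN" short name means surname.

```shell
#!/bin/sh
# Added example, not HIRS code. Constructs a throwaway ACA root, a rogue CA and an
# ACA-signed LDevID, then verifies the chain and extracts Subject attributes.
# All names, values and paths below are constructed for the example.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
# Assumption: ECC P-256 keys; a real LDevID key lives in the device's TPM.
KEYSPEC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-contained openssl configs so the run does not depend on a system openssl.cnf.
write_configs() {
cat > "$WORK/aca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example HIRS ACA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Subject mapping from the page: CN=Manufacturer, OU=Model, serial number
# (assumed here to be the serialNumber attribute, OID 2.5.4.5).
cat > "$WORK/ldevid.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ExampleCorp
OU = Model-X1
serialNumber = SN-0001234
EOF
cat > "$WORK/ldevid.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# ACA root (stands in for the "HIRS Attestation CA Certificate" download), a rogue
# CA with the same name but a different key, and the ACA-signed LDevID itself.
issue_certs() {
  write_configs
  openssl req -x509 $KEYSPEC -sha256 -days 30 -config "$WORK/aca.cnf" \
    -keyout "$WORK/aca.key" -out "$WORK/aca.pem" 2>/dev/null
  openssl req -x509 $KEYSPEC -sha256 -days 30 -config "$WORK/aca.cnf" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
  openssl req $KEYSPEC -sha256 -config "$WORK/ldevid.cnf" \
    -keyout "$WORK/ldevid.key" -out "$WORK/ldevid.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ldevid.csr" -CA "$WORK/aca.pem" -CAkey "$WORK/aca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ldevid.ext" \
    -out "$WORK/ldevid.pem" 2>/dev/null
}

# Relying-party check: validate the LDevID against the given chain file only,
# ignoring the system trust store. Prints OK or FAIL.
verify_ldevid() {  # $1 = ACA chain (PEM), $2 = LDevID certificate (PEM)
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Read one Subject attribute (CN, OU or serialNumber). RFC 2253 output lists the
# RDNs comma-separated, most specific first; the constructed values contain no
# escaped commas, so a plain split is enough here.
subject_attr() {  # $1 = certificate (PEM), $2 = attribute short name
  openssl x509 -in "$1" -noout -nameopt RFC2253 -subject \
    | sed 's/^subject= *//' | tr ',' '\n' \
    | awk -F= -v k="$2" '$1 == k { print substr($0, index($0, "=") + 1); exit }'
}

issue_certs
echo "LDevID vs ACA chain:   $(verify_ldevid "$WORK/aca.pem"   "$WORK/ldevid.pem")"
echo "LDevID vs rogue CA:    $(verify_ldevid "$WORK/rogue.pem" "$WORK/ldevid.pem")"
echo "Manufacturer (CN):     $(subject_attr "$WORK/ldevid.pem" CN)"
echo "Model (OU):            $(subject_attr "$WORK/ldevid.pem" OU)"
echo "Serial (serialNumber): $(subject_attr "$WORK/ldevid.pem" serialNumber)"
```

Against a real deployment, replace the constructed `aca.pem` with the chain downloaded from the Trust Management page and `ldevid.pem` with the certificate the ACA issued to the device; `-no-CAfile -no-CApath` keeps the check anchored to that chain alone rather than to whatever the host's system trust store happens to contain.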
