This how-to guide about issuing device certificates with CMP and external key generation outlines how to issue device certificates at the time of production and design a birth certificate issuing process using the Identity Authority Manager (IdAM).

For demonstration purposes and to provide real examples, a fictional company named PrimeOne is used. Based on PrimeOne, the development of a certificate issuing process for the device is demonstrated.

The following steps outline how to issue device certificates at the time of production:

You will get a detailed overview of how to design a certificate issuing process to enable certificates to be requested and inserted within a production process and get an understanding of using pre-configured CA profiles within the IdAM to model the process flow.

PrimeKey EJBCA Cloud AWS is used as PKI Service in combination with the Identity Authority Manager (IdAM) to show how to implement the device certificate creation process from the conception phase, specification phase, to the implementation.

The provided specifications and rule-sets Sequence Diagram and Interface Specification are to be used as examples when using this guide and are only for demonstration purposes.

This guide assumes that the trust service is up and running and that it is configured with all the certificates profiles and interfaces required for this project.

Next, for information on the Certificate Profiles configured in EJBCA Enterprise at the Trust Service, see Trust Service Definition and Certificate Profiles.