Configuring ACME Certificates

Managed Device Attestation ensures that only legitimate devices can connect to your servers. If attestation is enabled, your device can request a client certificate from an Automated Certificate Management Environment (ACME) server.

The device generates an asymmetric key pair based on the KeyType, KeySize, and HardwareBound fields. If Attest is true, the device also requests an attestation of the key and device properties. The ACME server authenticates the device, which provides the attestation and requests a matching certificate based on the ClientIdentifier, Subject, SubjectAltName, KeyUsage, and ExtendedKeyUsage fields. When the ACME server issues a certificate, the device installs it in the keychain. Other payloads can reference the resulting client identity through its PayloadUUID.

To request a client certificate from an ACME server, navigate to Configurations > Add New > Certificate Enrollment > ACME > New ACME configuration. The new configuration then appears under Certificate Enrollment.
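The following is an added example, not code from the original page or from Apple: it assembles the fields named above into a plist payload with Python's standard plistlib and lints the combinations that decide whether the enrollment actually yields an attested, device-bound identity. The PayloadType string, the DirectoryURL key, the Subject/SubjectAltName/KeyUsage encodings, and the rules that Attest requires HardwareBound and that a hardware-bound key must use ECSECPrimeRandom are assumptions about Apple's payload format; the hostnames and identifiers are constructed placeholders.

```python
import plistlib
import uuid


def acme_payload(directory_url, client_identifier, hardware_bound=True, attest=True):
    """Build one ACME certificate payload dict using the field names from the page.

    PayloadType, DirectoryURL and the Subject/SubjectAltName/KeyUsage encodings
    follow Apple's payload format as assumed here; verify against your MDM reference."""
    return {
        "PayloadType": "com.apple.security.acme",        # assumed payload type
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.acme.client",     # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),               # other payloads reference this
        "DirectoryURL": directory_url,                  # ACME directory endpoint (assumed key)
        "ClientIdentifier": client_identifier,          # unique per device
        "KeyType": "ECSECPrimeRandom",                  # EC key (assumed requirement when bound)
        "KeySize": 384,
        "HardwareBound": hardware_bound,                # private key never leaves the device
        "Attest": attest,                               # request key and device attestation
        "Subject": [[["CN", client_identifier]]],       # nested RDN list encoding (assumed)
        "SubjectAltName": {"dNSName": client_identifier + ".devices.example.test"},
        "KeyUsage": 1,                                  # digitalSignature bit
        "ExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],      # id-kp-clientAuth
    }


def lint_acme_payload(payload):
    """Return findings for settings that weaken or break attestation-based enrollment."""
    findings = []
    if not payload.get("HardwareBound"):
        findings.append("HardwareBound is false: the private key is not tied to the device")
    if not payload.get("Attest"):
        findings.append("Attest is false: the ACME server gets no key or device attestation")
    if payload.get("Attest") and not payload.get("HardwareBound"):
        findings.append("Attest requires HardwareBound (assumed constraint)")
    if payload.get("HardwareBound") and payload.get("KeyType") != "ECSECPrimeRandom":
        findings.append("HardwareBound requires KeyType ECSECPrimeRandom (assumed constraint)")
    if not str(payload.get("DirectoryURL", "")).startswith("https://"):
        findings.append("DirectoryURL must be https: the directory is the trust anchor for enrollment")
    return findings


def to_plist(payload):
    """Serialise the payload as XML plist bytes, the form a configuration profile embeds."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    hardened = acme_payload("https://acme.example.test/directory", "device-0001")
    weak = acme_payload("http://acme.example.test/directory", "device-0002",
                        hardware_bound=False, attest=False)
    print("hardened:", lint_acme_payload(hardened) or "no findings")
    print("weak:", lint_acme_payload(weak))
    print(to_plist(hardened).decode()[:200])
```

Run the linter over every ACME payload before it is pushed to devices; a payload that passes still only proves possession of a device-bound key once the ACME server actually validates the attestation it receives.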

Figure 1. New ACME configuration (screenshot of the ACME configuration dialog box)