DevID Certificates
DevID certificates are specified by the IEEE 802.1AR specification. LDevIDs are Local DevID certificates. Version 3 of the HIRS Attestation Certificate Authority (ACA) added a "Generate LDeVID Certificate" policy that, when enabled via the ACA Portal policy page, will generate an LDevID certificate upon successful validation as part of the provisioning process. Several applications may want to take advantage of the LDevID certificate:
- Zero trust implementations
- 802.1x EAP authentication
- Comply to Connect scenarios
When the LDevID policy on the ACA is selected, the ACA will issue an LDevID certificate to the device, signed by the ACA. The ACA will populate the Subject with the following mapping:
- CN=Manufacturer
- OU=Model
- SN=Serial Number
The ACA will populate the fields required by the TPM 2.0 Keys for Device Identity and Attestation specification.
Note that DevIDs are guaranteed to be unique and may contain a serial number, but may not contain expected information about a device (e.g. Manufacturer, Model). Unlike Platform Certificates, IDevID certificates do not contain any attributes or component listing of the device.
The LDevID is signed by the ACA. The ACA certificate chain used to validate the signature of either the LDevID Certificate or the Attestation Certificate can be downloaded from the ACA portal's Trust Management page via the down arrow next to the "HIRS Attestation CA Certificate" label.
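A relying party (for example an 802.1x authentication server) that has already validated the LDevID against the ACA certificate chain can map the Subject back to a device record. The following is an added example, not HIRS code: the function names, the inventory and the sample Subject are constructed, and the additional serial-number labels it accepts are an assumption about how tools print that attribute.

```python
# Subject labels from the page's mapping. The extra serial-number spellings
# are an assumption about how tools may print that attribute.
LABELS = {"CN": "manufacturer", "OU": "model",
          "SN": "serial", "SERIALNUMBER": "serial", "2.5.4.5": "serial"}
REQUIRED = {"manufacturer", "model", "serial"}

def split_rdns(subject):
    """Split a DN string on unescaped commas, undoing backslash escapes.
    Hex-pair escapes are not decoded."""
    parts, cur, escaped = [], [], False
    for ch in subject:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def ldevid_identity(subject):
    """Return manufacturer, model and serial from an LDevID Subject string."""
    ident = {}
    for rdn in split_rdns(subject):
        label, sep, value = rdn.partition("=")
        field = LABELS.get(label.strip().upper())
        if not sep or field is None:
            continue  # attribute outside the mapping
        if field in ident:
            raise ValueError(f"duplicate {field} attribute in subject")
        ident[field] = value.strip()
    missing = REQUIRED - set(ident)
    if missing:
        raise ValueError(f"subject lacks: {sorted(missing)}")
    return ident

def matches_inventory(subject, inventory):
    """Fail closed: True only if the full identity is an expected device."""
    try:
        ident = ldevid_identity(subject)
    except ValueError:
        return False
    return (ident["manufacturer"], ident["model"], ident["serial"]) in inventory

# Constructed sample data, not taken from a real device or ACA.
INVENTORY = {("Example Corp, Inc.", "X100", "ABC12345")}
SAMPLE_SUBJECT = r"CN=Example Corp\, Inc.,OU=X100,SN=ABC12345"
```

A Subject that is missing one of the three attributes, or repeats one, is rejected rather than partially matched.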