Every connected device is a potential attack vector. Digital certificates give machines a cryptographic identity, enabling them to authenticate, encrypt communications, and prove their integrity without human intervention.
There are now far more machines connected to the internet than people: industrial sensors on factory floors, medical devices in hospitals, smart meters in utility networks, connected vehicles on highways, surveillance cameras in cities. The number of IoT devices worldwide is projected to exceed 30 billion by 2030, and each one of these devices needs a machine identity.
Without a verifiable identity, a device cannot prove that it's genuine hardware from a legitimate manufacturer, that its firmware hasn't been tampered with, or that the data it sends can be trusted. Hardcoded passwords and shared API keys, still disturbingly common in IoT, are trivially easy to extract, clone, or brute-force. Once one device is compromised, the same credentials often grant access to every device in the fleet.
Digital certificates solve this by giving each device a unique, cryptographically bound identity. Issued by a trusted Certificate Authority, a device certificate contains the device's public key and identifying information (its serial number, model, manufacturer, or any attribute that distinguishes it). The corresponding private key is stored in the device's secure element or TPM, ensuring it can't be extracted or cloned.
The ideal time to provision a device certificate is during manufacturing, when the device's secure element or TPM generates a key pair and the public key is sent to the CA for certification. This birth certificate, sometimes called an Initial Device Identifier (IDevID), is baked into the device before it ever ships. It provides a root of trust that persists for the device's entire lifetime, regardless of where it's deployed or who owns it.
Certificates expire, and device certificates are no exception. A smart meter installed for a 20-year deployment will need its operational certificates renewed multiple times. This must happen automatically, without a technician visiting the device. The device uses its current valid certificate (or its IDevID as a bootstrap credential) to authenticate to the CA and request a new certificate through enrollment protocols like EST or CMP.
When a device reaches end of life, is sold, or is compromised, its certificates must be revoked to prevent further use. This is especially important in industrial environments where decommissioned devices might be resold or repurposed. A revoked certificate ensures the device can no longer authenticate to any system that checks revocation status, effectively disconnecting it from the trusted network.
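The lifecycle described in the last four paragraphs, as an added example that is not part of the article and not Evertrust code, modelled in Go with only the standard library: a constructed in-memory manufacturer CA, a device-side function that stands in for the secure element, issuance of an IDevID from a CSR, in-field renewal in which the device authenticates with its current certificate, and revocation published as a signed CRL that a relying party checks. Everything specific is an assumption: the CA name, the `smart-meter-v2` model and `SN-0001` serial, ECDSA P-256 keys, sequential certificate serials, and the 24-hour CRL lifetime. The EST/CMP transport that carries the CSR is not modelled, and taking the renewed identity from the authenticated certificate rather than from the CSR is a design choice of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics only on unexpected local failures (key generation, DER encoding); every policy
// decision below (chain, key usage, revocation) returns an error instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DeviceCA is a constructed, in-memory manufacturer CA used only for this example.
type DeviceCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	serial  int64 // sequential for readability; production CAs use unpredictable serials
	revoked []pkix.RevokedCertificate
}

// NewDeviceCA creates a self-signed root allowed to sign both certificates and CRLs.
func NewDeviceCA() *DeviceCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Manufacturer Device CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(30 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &DeviceCA{Cert: must(x509.ParseCertificate(der)), key: key, serial: 1}
}

// NewDeviceCSR stands in for the secure element: the key pair is generated on the device and
// only the signed PKCS#10 request (public key plus identifying attributes) ever leaves it.
func NewDeviceCSR(model, serial string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: model, SerialNumber: serial}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
}

// Enroll covers both lifecycle paths. With auth == nil it is the manufacturing line (IDevID), trusted
// out of band, so the CSR's attributes become the identity. With auth set it is in-field renewal: the
// device authenticates with its current certificate (the IDevID as bootstrap, or an operational cert)
// and the identity is copied from that verified certificate, never from the unauthenticated CSR.
func (ca *DeviceCA) Enroll(csrDER []byte, auth *x509.Certificate, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the device private key
		return nil, err
	}
	subject := csr.Subject
	if auth != nil {
		if err := VerifyDevice(ca.Cert, ca.CRL(), auth); err != nil {
			return nil, fmt.Errorf("bootstrap credential rejected: %w", err)
		}
		subject = auth.Subject
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key))
	return must(x509.ParseCertificate(der)), nil
}

// Revoke records a serial so that the next CRL lists it (end of life, resale, compromise).
func (ca *DeviceCA) Revoke(cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

// CRL returns a freshly signed revocation list (DER) that relying parties may cache for 24 hours.
func (ca *DeviceCA) CRL() []byte {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(time.Now().UnixNano()),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: ca.revoked,
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))
}

// VerifyDevice is the relying party's check: a chain to the manufacturer root with client-auth
// usage, then a correctly signed, unexpired CRL that does not list the certificate's serial.
func VerifyDevice(root *x509.Certificate, crlDER []byte, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale; failing closed rather than trusting an unknown status")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca := NewDeviceCA()
	idevid := must(ca.Enroll(NewDeviceCSR("smart-meter-v2", "SN-0001"), nil, 24*time.Hour))
	ca.Revoke(idevid)
	fmt.Println("IDevID after revocation:", VerifyDevice(ca.Cert, ca.CRL(), idevid))
}
```

Running it with `go run` issues an IDevID, revokes it and prints the revocation error the relying party sees. Two points are worth noticing for a fleet deployment: the relying party fails closed when the CRL is past its `NextUpdate`, so a device whose status cannot be determined is not trusted by default, and a renewal request cannot change a device's identity, because the subject is copied from the certificate the device authenticated with, not from whatever the CSR claims.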
Enrollment over Secure Transport (EST) is the modern standard for device certificate enrollment. It runs over HTTPS, supports certificate-based and username/password authentication for the initial request, and handles re-enrollment natively. EST is the recommended protocol for new deployments and is widely supported by modern IoT platforms and PKI solutions.
Simple Certificate Enrollment Protocol (SCEP) has been the workhorse of device enrollment for over two decades. Originally developed by Cisco, it uses HTTP and a challenge password for initial authentication. While showing its age (it lacks native TLS protection and has limited renewal capabilities), SCEP remains essential because millions of deployed devices and MDM platforms depend on it.
Certificate Management Protocol (CMP) is a comprehensive protocol that covers the entire certificate lifecycle, from initial request through updates, revocation, and key recovery. It's particularly prevalent in telecom and industrial environments. CMP supports complex PKI topologies with Registration Authorities and is mandated by several industry standards, including 3GPP for mobile networks.
While best known for web server certificates (via Let's Encrypt), the Automated Certificate Management Environment (ACME) protocol is increasingly being adopted for device enrollment in cloud-native IoT platforms. Its automation-first design and widespread tooling support make it attractive for environments where devices are managed through modern DevOps practices.
High-throughput PKI for IoT — Evertrust PKI is built to handle the enrollment volumes that IoT demands. Whether you're provisioning certificates during a manufacturing run or renewing millions of device certificates in the field, the platform scales to meet your throughput requirements via EST, SCEP, CMP, and ACME.
Complete device inventory — Evertrust CLM maintains a real-time inventory of every device certificate across your fleet. Discovery scans find certificates you didn't know existed, while dashboards show expiration timelines, compliance status, and algorithm distribution at a glance.
Protocol flexibility — Not all devices speak the same protocol. Evertrust supports EST, SCEP, CMP, and ACME simultaneously, so legacy devices and modern platforms can coexist under a single certificate management infrastructure without compromise.
Policy enforcement at scale — Define certificate templates that enforce key algorithms, validity periods, and naming conventions specific to each device type. Evertrust ensures every issued certificate complies with your organizational policies and industry standards, from PKI architecture requirements to IEC 62443 mandates.