
Managing trusted certificates in Device Management

When your devices connect to Device Management, Device Management needs to trust the certificate authority (CA) certificate that issued the device certificate, or one of the CAs in the device certificate chain of trust.

You can manage the trusted certificates in your Device Management account using the API or Device Management Portal.

If you have a commercial account, you can manage your trusted certificates by default. If you do not have a commercial account and you would like to use the certificate management functionality, please contact us.

Tip: A developer account can manage up to 10 trusted certificates (including developer certificates) at a time. A commercial account can manage up to 50. See Choosing your account type for more information about the other benefits of commercial accounts and how to upgrade a free account to a commercial account.

Uploading a CA certificate or certificate chain

When you upload a CA certificate to Device Management, all devices with a device certificate that was signed by the CA can connect to Device Management.

If you use the CA certificate that you upload to Device Management to sign other certificates, all devices with a device certificate that was signed by those certificates can also connect to Device Management.

In Portal: Uploading a CA certificate or certificate chain

To upload a certificate or certificate chain to your account through Device Management Portal:

  1. Log in to Device Management Portal for your region as an administrator.

  2. From the side menu, select Device identity > Certificates.

  3. Click New certificate and select Upload a certificate.

  4. Populate the Name and Description fields.

  5. Click Choose File and select your CA file.

  6. From the How will devices use this certificate? dropdown, select:

    • Credentials or Factory configurator utility - I can prove ownership of these credentials - Select this to upload a LwM2M or Bootstrap certificate if you provision device certificates in your factory. For more information about using LwM2M or Bootstrap credentials, see Device onboarding and connection options.
    • Enrollment - I received this certificate from the device manufacturer or a supplier - Select this if you purchased pre-provisioned devices and the device manufacturer or a supplier provided you with a CA certificate. This method of claiming device ownership is called first-to-claim.
    • Third party CA - I cannot prove ownership of these credentials - Select this to upload the third-party CA certificate that issues your LwM2M device certificates. For more information, see Integrating with a third-party CA.
  7. Click Upload certificate.

Using the API: Uploading a CA certificate or certificate chain

Use the /v3/trusted-certificates POST API to upload certificates and certificate chains in Device Management.

The /v3/trusted-certificates API has the following parameters:

  • name: Mandatory.
  • description: Optional.
  • cert_data: A certificate chain consisting of concatenated PEM files. Mandatory.
  • service: Bootstrap or LwM2M. To bypass the bootstrapping, set the value to lwm2m. Mandatory.

Note: You must upload the full chain of your trusted CA certificate, including the root and all intermediate certificates, up to your trusted CA. Device Management also supports self-signed certificates, which are handled as a chain of size 1. The certificates must be in PEM format and concatenated. Your device certificate must not be part of your uploaded certificate chain.
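The request body described above, assembled and pre-checked in Python before it is sent. This is an added example, not code from the Device Management documentation; the field names and the lwm2m service value are taken from this page, while the bootstrap service value and all function names are assumptions, and the PEM blocks are constructed stand-ins, not real certificates.

```python
import base64
import re

# Added example, not code from the Device Management docs: build and sanity-check
# the body of POST /v3/trusted-certificates before it is sent. Field names and the
# "lwm2m" service value come from the page; "bootstrap" as the other value is assumed.

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def split_pem(pem_text):
    """Return (label, base64_body) for every PEM block found in the text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(pem_text)]

def build_trusted_cert_payload(name, description, chain_pems, service):
    """Concatenate CA PEM files into cert_data, rejecting common upload mistakes.
    chain_pems holds the root and every intermediate up to the trusted CA; the device
    certificate itself must be left out, as the docs require."""
    if service not in ("bootstrap", "lwm2m"):
        raise ValueError("service must be 'bootstrap' or 'lwm2m'")
    blocks = []
    for pem in chain_pems:
        found = split_pem(pem)
        if not found:
            raise ValueError("input contains no PEM block")
        for label, body in found:
            # A private key or CSR pasted in by mistake must never reach the API.
            if label != "CERTIFICATE":
                raise ValueError("unexpected PEM block type: %s" % label)
            # Catch truncated or corrupted blocks before the service rejects them.
            base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body)
    return {"name": name, "description": description,
            "cert_data": "\n".join(blocks) + "\n", "service": service}

def upload_problems(chain_pems, service):
    """Pre-flight check: return the validation error, or None if the chain is acceptable."""
    try:
        build_trusted_cert_payload("preflight", "", chain_pems, service)
    except ValueError as exc:
        return str(exc)
    return None

def _constructed_pem(label, data):
    """Constructed stand-in PEM block (valid framing and base64, not a real certificate)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(data).decode(), label)

CONSTRUCTED_ROOT_PEM = _constructed_pem("CERTIFICATE", b"stand-in for a root CA certificate")
CONSTRUCTED_INTERMEDIATE_PEM = _constructed_pem("CERTIFICATE", b"stand-in for an intermediate CA")
CONSTRUCTED_KEY_PEM = _constructed_pem("PRIVATE KEY", b"must never be uploaded")
```

The returned dictionary is what you JSON-encode as the POST body; the same Authorization and content-type headers as in the curl example later on this page apply.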

Deleting a CA certificate

When you delete a bootstrap certificate from Device Management, devices that have the deleted certificate in their chain of trust can no longer bootstrap using the deleted certificate; however, they might still be able to bootstrap using a different certificate in their chain of trust. They can also continue to connect to Device Management as long as their LwM2M credentials are still valid.

For more information about the use of bootstrap and LwM2M in Device Management, see Device onboarding and connection options.

You can also blacklist or disable a certificate. Devices that have the disabled certificate in their chain of trust can no longer bootstrap and they cannot connect to Device Management using their LwM2M credentials.

In Portal: Deleting a CA certificate

To delete a certificate from your account through Device Management Portal:

  1. Log in to Device Management Portal for your region as an administrator.

  2. From the side menu, select Device identity > Certificates.

  3. From the list of certificates, select the certificate that you want to blacklist. This opens a pane on the right-hand side with the details of the selected certificate.

  4. Click the Delete button. This opens the Delete bootstrap certificate window.

  5. Click Delete certificate.

Using the API: Deleting a CA certificate

Use the /v3/trusted-certificates/{cert_id} DELETE API to delete certificates and certificate chains in Device Management.

Use GET /v3/trusted-certificates to retrieve the cert_id.

Blacklisting a bootstrap certificate

Blacklisting a bootstrap certificate blocks all new devices that hold the certificate in their chain of trust from connecting to Device Management. Devices that have already onboarded to Pelion Device Management can continue operation normally.

You can also choose to suspend devices that are already onboarded. If you choose this option, blacklisting a certificate from the Device Management portal automatically suspends devices that have already registered using that certificate. However, automatic suspension of devices as part of certificate blacklisting is only a proof of concept and needs to be enabled separately for your account. Contact support for more information.

Note: When you delete a bootstrap certificate from Device Management, devices that have the deleted certificate in their chain of trust can no longer bootstrap using the deleted certificate; however, they may still be able to bootstrap using a different certificate in their chain of trust. They can also continue to connect to Device Management as long as their LwM2M credentials are valid. When you blacklist a certificate, devices with a disabled certificate in their chain of trust can no longer bootstrap and cannot connect to Device Management using their LwM2M credentials. For more information about the use of bootstrap and LwM2M in Device Management, see Device onboarding and connection options.

In Portal: Blacklisting a bootstrap certificate

To blacklist (inactivate) a certificate:

  1. Log in to Device Management Portal for your region as an administrator.

  2. From the side menu, select Device identity > Certificates.

  3. From the list of certificates, select the certificate that you want to blacklist. This opens a pane on the right-hand side with the details of the selected certificate.

  4. Click Blacklist. This opens the Blacklist a trusted certificate window.

  5. Click Blacklist certificate. You can see that the status of the certificate is now Inactive.

To enable (activate) a blacklisted certificate:

  1. Log in to Device Management Portal for your region as an administrator.

  2. From the side menu, select Device identity > Certificates.

  3. From the list of certificates, select the blacklisted certificate that you want to enable. This opens a pane on the right-hand side with the details of the selected certificate.

  4. Click Enable. This opens the Activate a trusted certificate window.

  5. Click Activate certificate. You can see that the status of the certificate is now Active.

Using the API: Blacklisting a bootstrap certificate

Use /v3/trusted-certificates/{cert_id} PUT API to blacklist or enable a blacklisted certificate by changing the certificate's status.

For example:

curl -X PUT https://api.us-east-1.mbedcloud.com/v3/trusted-certificates/{cert_id} \
-H 'Authorization: Bearer <access_key>' \
-H 'content-type: application/json' \
-d '{"status": "INACTIVE"}'