Automated Certificate Management

Managed PKI services from companies like Sectigo have revolutionized the cost and complexity of digital certificate infrastructure. Many of these services now include support for smaller, lightweight, IoT style certificates to help deliver stronger security to a wider range of devices.

To take full advantage of these services while addressing the challenges of deploying and managing PKI at IoT scale, our Secure Credential Management solution integrates directly with leading PKI providers such as Sectigo to securely automate certificate provisioning, revocation, and renewal.

Most importantly, our solution creates a direct, authenticated, policy-enforced binding between devices and the credentials assigned to them. This prevents certificates and keys from being used by unauthorized devices.

Key features of our Automated Certificate Management module:

Secure Storage

To prevent theft of certificates and unauthorized usage, the DA agent stores the certificate and its associated key pair in encrypted form. The agent makes decryption available only to authorized applications defined in the credential provisioning policy on the KeyScaler server.

Internal PKI generation

KeyScaler now lets customers generate their own internal private root certificate authority and key, enabling provisioning of self-signed certificates to devices and to the AWS IoT service.

Benefits:

  • Enhanced security for stored device keys, even without hardware support (no TPM or secure element)
  • Provides network access to your trusted users and devices
  • Prevents certificate and key theft, cloning, impersonation and spoofing
  • Helps protect apps and data from malware and hijacking
  • Customers take control of their own security posture
  • Instant private PKI deployment for use cases that benefit from self-signed certificates, for example video surveillance cameras

Automated Password Management

Device Authority’s KeyScaler platform has unique Automated Password Management (APM) technology at its heart and effectively removes the associated human risk of manually updating credentials at scale.

Cyber criminals and attackers are increasingly exploiting weaknesses in IoT device identities. Manufacturer-set default passwords that are never changed have proved to be the holy grail for attackers. According to the Verizon DBIR, 63% of security incidents were related to weak credentials, and this attack vector was responsible for the recent Mirai and BrickerBot attacks.

The APM element automatically replaces the manufacturer default passwords on devices' local accounts and manages them from then on. Enforced password rotation policies dramatically reduce the attack surface that static passwords create.

Watch a video demonstrating Automated Password Management on Axis cameras.

Key benefits

  • Prevents IoT devices from participating in cyber attacks
  • Increases operational efficiency through automation
  • Reduces IT overhead through central control of policy
  • Ensures compliance through central management

Token Authentication

Device security operations

The KeyScaler platform architecture includes a tokenized security model similar to OAuth but fine-tuned for IoT security operations. This model, Delegated Security Management (DSM), is KeyScaler's delivery model for enforcing policy-driven device security operations. DSM provides device makers and IoT applications with a turnkey, plug-and-play IoT security suite that is easy to deploy, easy to manage, and provides policy-driven automation for scalability. A major advantage of DSM is that it does not require direct integration with the backend application.

Easy integration with IoT platforms for certificate management, device updates, password management and device identity checks

KeyScaler provides a tokenized authentication model for easily integrating secure, dynamic device authentication into new and existing IoT platforms (such as PTC's ThingWorx platform), using standardized public key signatures. The device first authenticates directly to KeyScaler and receives an ephemeral, signed authentication token, which it then presents to the IoT platform. Because this connection is out-of-band, it avoids making the IoT platform a single point of compromise.

As part of this delivery model, IoT platforms can delegate key security operations to the KeyScaler platform, such as enforcing certificate management policies, applying device updates, password management, and device identity validation checks. These operations are enforced before an authentication token is issued to the device, to ensure that the device complies with critical security policies before it can connect to the IoT platform.

Device Authority has published an authentication extension in the PTC Marketplace that allows ThingWorx customers to leverage this strong authentication in their existing ThingWorx installation.

Have a Question?

Interested in learning more about how our credential management solutions can help you and your team? Schedule a 20-minute, online meeting with an IoT security specialist to discuss your individual requirements.