Credentials - Architecture¶
Overview¶
The CredentialModel is the central abstraction for managing certificates and private keys in Trustpoint. It supports multiple credential types (TLS Server, Root CA, Issuing CA, Issued Credentials, DevOwnerID, Signer) and can store keys either directly in the database or in hardware security modules (HSM) via PKCS#11.
The credential architecture manages the lifecycle from issuance through validation, storage, and deployment to devices.
CredentialModel Types¶
The CredentialTypeChoice enum defines the purpose and restrictions of each credential:
Type |
Purpose |
|---|---|
TRUSTPOINT_TLS_SERVER |
Trustpoint’s own TLS server certificate for HTTPS |
ROOT_CA |
Root certificate authority (self-signed, trusted anchor) |
ISSUING_CA |
Intermediate issuing CA (signed by root, issues device credentials) |
ISSUED_CREDENTIAL |
Device credentials issued by Trustpoint (LDevID, application certificates) |
DEV_OWNER_ID |
Device Owner ID certificates (see Automated Onboarding Key Infrastructure (AOKI)) |
SIGNER |
Signing authority for hash-and-sign operations |
Core Storage Model¶
CredentialModel stores:
Field |
Purpose |
|---|---|
credential_type |
One of the CredentialTypeChoice values above |
private_key (PEM) |
Encrypted private key stored in database (for software keys) |
pkcs11_private_key |
Reference to private key in HSM/token (for PKCS#11 keys) |
certificate |
Primary certificate (ForeignKey to CertificateModel) |
certificates |
All certificates in the credential (ManyToMany via PrimaryCredentialCertificate) |
certificate_chain |
Ordered chain of issuing CA certificates (ManyToMany via CertificateChainOrderModel) |
Primary Certificate vs Certificate Chain¶
Each credential has a primary certificate (the leaf/end-entity certificate) and an optional certificate chain (issuing CA certificates up the trust path):
The primary certificate (certificate field) is the credential’s active end-entity certificate. When a new certificate is issued or renewed, it becomes the new primary, and the old one is retained for revocation handling.
The certificate chain preserves issuing CA certificates in order, enabling certificate chain construction for protocols like EST (which require the full chain in PKCS#7 format).
IssuedCredentialModel - Device Credentials¶
The IssuedCredentialModel bridges credentials to devices. It represents a credential issued to a specific device within a specific domain:
class IssuedCredentialModel(models.Model):
# Link to the credential (OneToOne)
credential = OneToOneField(CredentialModel)
# Link to the device (ForeignKey)
device = ForeignKey(DeviceModel)
# Link to the domain
domain = ForeignKey(DomainModel)
# Metadata
common_name: str
issued_credential_type: DOMAIN_CREDENTIAL | APPLICATION_CREDENTIAL
issued_using_cert_profile: str
created_at: DateTimeField
Credential Types - IssuedCredentialModel¶
- DOMAIN_CREDENTIAL
The device’s identity credential (LDevID) used to authenticate and enroll for application credentials. Typically the first credential issued during device onboarding. Used for EST client-certificate authentication or CMP authentication.
- APPLICATION_CREDENTIAL
Operational credentials for specific use cases (TLS Client, TLS Server, OPC UA). Issued after device authentication with a domain credential. Multiple application credentials can be issued to the same device.
Lifecycle: From Issuance to Deployment¶
Credential Issuance → Certificate is generated/signed by the issuing CA
Database Storage →
CredentialModelcreated with primary certificateIssued Credential Record →
IssuedCredentialModellinks credential to device/domainDevice Retrieval → Device downloads credential via EST, CMP, or manual download
Renewal/Rekeying → New certificate becomes primary, old retained for transition
Revocation → Certificate marked as revoked in CRL, old credentials cleaned up
PrimaryCredentialCertificate - Chain Management¶
The PrimaryCredentialCertificate model manages which certificates belong to a credential:
One credential can have multiple certificates (e.g., during renewal)
The primary flag identifies the active/current certificate
When a new certificate is added, it automatically becomes primary
Old certificates are retained for validation of client certificates during transitions
CertificateChainOrderModel - CA Chain Ordering¶
The CertificateChainOrderModel preserves the order of issuing CA certificates:
Ordered as: leaf certificate → intermediate CAs → root CA
Required for EST /cacerts responses (PKCS#7 chain format)
Prevents ambiguity when multiple possible chains exist
Credential Validation¶
CredentialModel provides validation methods:
- is_valid_issued_credential()
Checks if credential meets requirements for deployment: - Type must be ISSUED_CREDENTIAL - Primary certificate must exist - Primary certificate status must be OK (not expired, revoked, etc.)
- IssuedCredentialModel.is_valid_domain_credential()
Checks if a domain credential is valid for issuing application credentials: - Must be DOMAIN_CREDENTIAL type - Underlying credential must pass
is_valid_issued_credential()- Certificate must be OK status
Private Key Storage Options¶
- Database Storage (Software Keys)
Private key stored as encrypted PEM in
private_keyfieldFast, suitable for CA credentials
Encrypted using Trustpoint’s key encryption mechanism
- HSM/PKCS#11 Storage
Private key stored in hardware security module (TPM, SoftHSM, etc.)
pkcs11_private_keyfield references thePKCS11KeymodelHigher security for sensitive credentials
Requires HSM configuration and PIN management
The PKCS11Key model stores references:
class PKCS11Key(models.Model):
token_label: str # HSM token identifier
key_label: str # Key identifier within token
key_type: RSA | EC | AES
created_at: DateTimeField
For request pipeline details and component architecture, see ../workflow.