Terminology

Identity & configuration terms

Component handle: A specific device or piece of a system. In the Guardian ecosystem, a component is defined by a human-readable name, the certificates and keys it provides, and the operations it can perform.

Hardware ID: A unique identifier to the specific instance of a component, commonly set to the device's serial number. The same hardware ID is used throughout the lifetime of the component, including through any reprovision operations.

System: A grouping of components, also known as a system definition. All provisioning requests for components in this system will either go through a manual or automatic approval, depending on your system setting.

Process terms:

Approval workflows

  • Automatic approval: System setting where provisioning requests are processed automatically without human intervention.

  • Manual approval: System setting where provisioning requests require human review and approval before processing.

Device provisioning

Provisioning: The process of securely establishing device identity and configuring cryptographic credentials for secure communication.

Reprovisioning: Updating an already-provisioned device with new certificates or configuration while maintaining the same hardware identity.

Provisioning methods

  • Connected provisioning: Provisioning workflow for devices with network connectivity that can communicate directly with Guardian Cloud.

  • Disconnected provisioning: Provisioning workflow for devices without network connectivity where provisioning requests must be manually transferred via files.

  • Proxy provisioning: Using a connected device to handle provisioning requests for disconnected devices that cannot communicate directly with Guardian Cloud.

Cryptography & security terms

Certificate Authority (CA): The trusted entity that issues digital certificates. In Guardian deployments, Guardian Cloud can serve as a CA, though Guardian also works with other certificate authorities.

Certificate Revocation List (CRL): A list of certificates that have been revoked before their expiration date and should no longer be trusted.

Certificate Signing Request (CSR): A standardized message containing a device's public key and identity information, sent to Guardian Cloud to request a digital certificate.

PKI (Public Key Infrastructure): The cryptographic framework that Guardian uses to establish and maintain secure digital identities through certificates and keys.

Trust anchor: The foundational certificates used to validate other certificates in the system. Stored in the TrustStore file.

Guardian Platform terms

Platform components:

  • Guardian Cloud: Cloud-based platform that processes certificate requests, enrolls devices into trust hierarchies, and generates certificates.

  • Guardian Library: Software library that runs on your devices to parse configuration profiles, request certificates from Guardian Cloud, and enable cryptographic functions.

Guardian file types and extensions

Guardian uses several file types with specific extensions during the provisioning process:

Provision Request: File used for transmitting information including public keys to the Guardian Cloud backend. This contains the Certificate Signing Requests (CSRs) sent to Guardian Cloud. Extension: .mcpr

TrustStore: Trust anchors for the Guardian platform. Extension: .mcts

Profile files:

  1. Certified Profile to be Provisioned: Signed instructions and configuration for the Guardian library and provisioning operations. This is the initial profile template for this device type created during the provisioning process. Extension: .mcpp

  2. Certified Profile: Signed instructions and configuration for the Guardian library run and reprovisioning operations. This is the final device profile created during the provisioning process. Extension: .mcp

Identity files:

  1. Private Identity to be Provisioned: Key material for initial provisioning operations and connections. This is the initial private identity template. Extension: .mcpip

  2. Private Identity: Key material for reprovisioning and run operations and connections. This is the final private identity file, which contains the private keys that stay on the device. Extension: .mcpi

Last updated

Was this helpful?