What Are Device Certificates in SPDM?
In the SPDM (Security Protocol and Data Model) framework defined by the DMTF, device certificates are X.509 certificates that establish the identity of a hardware component, such as a Root of Trust or a secure device module. They are installed directly onto hardware entities such as network cards, baseboard management controllers (BMCs), TPMs (Trusted Platform Modules), or secure firmware components.
The primary function of these device certificates is to enable device authentication during SPDM handshakes. When one device wants to establish a secure connection with another, it requests the peer’s certificate. This allows the requesting device to verify the identity of the other by validating the certificate’s digital signature and checking its issuer against a trusted certificate authority.
Beyond simple authentication, these certificates are also essential for establishing trust chains. A typical certificate presented by a device is not standalone it is part of a chain of trust that extends back to a known and trusted Root Certificate Authority (CA). This hierarchy ensures that if Root CA is trusted, then the device’s certificate can also be trusted, provided the entire chain is intact and valid.
Additionally, SPDM uses these certificates to support asymmetric cryptography for secure session establishment. Once identities are verified, the devices use public-private key pairs to agree on encryption keys, enabling confidential and tamper-proof communication. Algorithms like ECDSA or RSA are used to sign and verify messages as part of this process, ensuring the integrity and authenticity of the data being exchanged.
In practice, SPDM-compliant device certificates are issued to specific components that form the security backbone of a platform. These include the Root of Trust for Measurement (RTM), which initiates secure boot processes, and other components like firmware, TPMs, or NICs that participate in attestation and secure communication. These certificates bind cryptographic keys to physical hardware, enabling trusted operations across the system.
Cryptograhic Requirements in SPDM
This section explains the detailed cryptographic and certificate requirements in SPDM as per DSP0274 v1.3.0. Each requirement, such as certificate format, key algorithms, signature schemes, and validation rules, etc.
-
X.509 Certificate Format Requirement
SPDM mandates that all device certificates must be in X.509 version 3 format, encoded in DER (Distinguished Encoding Rules). This ensures that the certificates are structured in a globally recognized and parse-able format. X.509 v3 allows the inclusion of critical extensions like Subject Key Identifier (SKI) and Authority Key Identifier (AKI), which are vital for building and validating trust chains in SPDM communication.
-
Certificate Chain Structure
The certificate chain used in SPDM must follow a strict order, beginning with the leaf certificate (device certificate), followed by one or more intermediate certificates, and ending with a Root Certificate Authority (CA) certificate. The responder device sends this chain during the GET_CERTIFICATE SPDM command. The requester validates the chain by checking digital signatures step by step, from the leaf up to Root CA, which it must already trust. This structure ensures that every device’s identity can be traced back to a trusted origin.
-
Key Usage and Extensions
The leaf certificate (i.e., the device certificate) must include the Key Usage extension with the digitalSignature bit set. This explicitly authorizes the certificate holder to perform digital signatures — a critical function during the SPDM challenge-response authentication. Furthermore, both the device and intermediate certificates must include the Subject Key Identifier (SKI) and Authority Key Identifier (AKI) extensions. These extensions help link each certificate to its issuer and are essential for automated chain validation.
-
Allowed Public Key Algorithms
SPDM supports public key cryptography using both Elliptic Curve Cryptography (ECC) and RSA, but with strict limitations to ensure strong security. For ECC, SPDM allows curves such as secp256r1, secp384r1, and secp521r1. These curves are chosen for their balance between security and performance, especially in embedded or low-power hardware. For RSA, SPDM requires that the key length be at least 2048 bits, and that the RSA keys be used with RSASSA-PSS padding, which provides stronger resistance to signature forgery than older PKCS#1 v1.5 padding.
-
Approved Signature Algorithms
When a certificate signs another certificate (e.g., intermediate signing leaf, root signing intermediate), or when a device signs a challenge during authentication, the signature algorithm must be among those approved by SPDM. This includes ECDSA (Elliptic Curve Digital Signature Algorithm) for ECC-based certificates and RSASSA-PSS for RSA-based certificates. These signature schemes are selected for their widespread standardization, cryptographic strength, and compatibility with modern cryptographic libraries.
-
Hash Functions Used
SPDM relies on secure hash algorithms to support both signature generation and verification, as well as for creating transcript hashes used during session establishment. The accepted hash algorithms in SPDM are SHA-256, SHA-384, and SHA-512. The specific algorithm to be used is negotiated between the requester and responder during capability exchange. Weaker hash functions like SHA-1 are explicitly disallowed due to known vulnerabilities. The choice of hash function also determines which signature algorithm variant is used (e.g., ECDSA with SHA-384).
-
Size and Encoding Constraints
To avoid large payloads during SPDM message exchanges, certificate chains must comply with size constraints negotiated during the session setup. For instance, a requester might limit the maximum size of the certificate chain or maximum number of intermediate certificates it can accept. All certificates must also be encoded in DER (binary) format, as opposed to PEM (base64), to comply with SPDM transport and parsing rules.
-
Private Key Requirements
While SPDM doesn’t directly enforce how private keys are generated or stored, it implicitly expects that each device must securely generate and store its private key in a way that prevents extraction or tampering. This is crucial because the CHALLENGE_AUTH command in SPDM requires the device to sign a random nonce with its private key. If an attacker could gain access to that key, they could impersonate the device. Thus, use of TPMs, secure elements, or HSM-backed PKIaaS issuance is recommended for key generation and storage.
-
Cryptographic Capability Negotiation
Before SPDM communication begins, the requester and responder exchange their supported cryptographic capabilities via messages like NEGOTIATE_ALGORITHMS. This includes their preferred public key algorithms, hash functions, and measurement summary hash types. Only mutually supported combinations are used during the rest of the session. This dynamic negotiation makes SPDM flexible, yet ensures that only strong and standardized crypto is used.
Role of PKIaaS in SPDM Device Certificates
PKIaaS issues device certificates following the X.509 standards in a way that aligns with SPDM requirements. This includes using the right cryptographic algorithms (like ECC and RSA), the correct key sizes, and proper certificate formats and extensions (like Subject Key Identifier, Basic Constraints, and Authority Information Access). By doing so, it ensures that every device’s certificate is recognized, trusted, and verified during SPDM authentication flows.
PKIaaS not only generates and signs these certificates, but also takes care of their renewal, revocation, and policy enforcement over time. This is crucial because many SPDM-enabled devices have long life cycles, such as servers and embedded systems, and their certificates need to remain valid, secure, and compliant without human intervention. PKIaaS provides secure interfaces and supports protocols for certificate issuance, such as SCEP (Simple Certificate Enrollment Protocol), EST (Enrollment over Secure Transport), ACME (Automatic Certificate Management Environment) or Custom REST APIs, these allow devices or provisioning tools to programmatically request and install device certificates.
Through PKIaaS, every device such as a TPM (Trusted Platform Module), a BMC, or a NIC (Network Interface Card) receives a unique, verifiable digital identity. This identity is used during SPDM interactions to prove that the device is genuine, uncompromised, and allowed to participate in the system. It enables a zero-trust model, where each device must prove its trustworthiness before any secure communication or action can take place.
In short, PKIaaS ensures that SPDM-based security works reliably and at scale, by delivering the digital trust foundation needed for device-to-device authentication and encrypted communication in modern computing platforms.
PKIaaS workflow to support SPDM
Let’s breakdown the workflow of PKIaas starting from requesting to obtaining the decice certificate:
-
CA Setup
PKIaaS hosts a Root Certificate Authority (CA) and one or more Intermediate CAs, often backed by HSMs (Hardware Security Modules). These are responsible for issuing certificates securely.
-
Key Generation and CSR
Each device generates its own private-public key pair and creates a Certificate Signing Request (CSR) containing its public key and unique identifiers like serial number or device ID.
-
Certificate Issuance
The CSR is sent to PKIaaS using a secure protocol like EST, SCEP, or ACME. PKIaaS validates the request and issues a signed X.509 certificate with the exact format, extensions, and algorithms required by SPDM for authentication. This certificate complies with SPDM requirements (e.g., using ECC, including required X.509 extensions).
-
Certificate Installation
The device stores the signed certificate in its secure storage (such as flash memory or a TPM). It will later use this certificate in SPDM handshakes.
-
Authentication During SPDM Communication
During SPDM authentication, the device presents this certificate to prove its identity. The peer verifies the certificate chain using the Root CA provided by PKIaaS and confirms authenticity by checking a cryptographic signature.
-
Lifecycle Management
PKIaaS monitors the validity period of issued certificates, automatically renews them when they are close to expiration, and revokes any that are compromised. It also maintains audit logs for compliance and monitoring.
Benefits of Utilizing PKIaaS for SPDM
This section highlights how PKIaaS enhances the implementation of SPDM by simplifying certificate management and enforcing cryptographic compliance. It outlines key benefits such as scalability, automation, and secure device authentication across large hardware environments.
-
Automated Certificate Lifecycle Management
PKIaaS automates the issuance, renewal, and revocation of SPDM-compliant certificates. This reduces manual intervention, eliminates the risk of expired or misconfigured certificates, and ensures that secure communication can be maintained over a device’s entire lifecycle.
-
Scalability for Large Device Fleets
SPDM is commonly used in environments with thousands of devices (servers, NICs, BMCs, etc.). PKIaaS provides the infrastructure to scale certificate operations securely and efficiently across all devices, even during manufacturing or deployment at scale.
-
Consistent Compliance with SPDM Standards
PKIaaS enforces cryptographic profiles, key usages, and certificate extensions (like SKI, AKI) in line with SPDM specifications (Sections 6.1 and 6.2). This ensures all issued certificates are valid for use during SPDM authentication and validation flows.
-
Integration with Secure Hardware Modules
PKIaaS can be integrated with HSMs, TPMs, and RoTs to issue certificates without exposing private keys. This aligns with SPDM’s design for tamper-resistant identity and secure boot validation.
-
Support for Future Crypto Migration (e.g., PQC)
As SPDM evolves to adopt post-quantum cryptography (PQC), PKIaaS platforms can support hybrid or PQC algorithms, offering crypto agility without re-architecting the security framework.
-
Policy Enforcement and Auditing
With built-in access controls, audit logs, and policy enforcement mechanisms, PKIaaS enables traceability and compliance, important for regulated industries deploying SPDM in critical infrastructure.
How can Encryption Consulting help?
Encryption Consulting (EC) provides the strategic, technical, and operational expertise required to plan, build, and manage a secure, scalable, and compliant PKIaaS platform. With deep domain experience in cryptographic infrastructure, Encryption Consulting helps enterprises at every stage of their PKIaaS journey, from architecture design to implementation, automation, and lifecycle governance.
- CA Management: Deploy and maintain a highly available and compliant CA infrastructure to support diverse security needs. Handle certificate issuance, renewal, and revocation for all certificate types. Maintain strict security controls and industry compliance, including GDPR, eIDAS, and FIPS 140-3, while providing redundancy and high availability.
- Policy Management: Define and enforce certificate policies, validity periods, and key usage rules across your organization. Ensure alignment with security frameworks by automating policy enforcement. Implement customizable certificate profiles with strict access controls.
- Automated Enrollment: Enable seamless certificate requests and installations through automated enrollment protocols. Support SCEP, EST, and ACME for streamlined certificate issuance and renewal. Ensure secure, policy-driven enrolment with enterprise identity and access management.
Conclusion
In conclusion, integrating PKIaaS with SPDM offers a foundation for secure, scalable, and standards-compliant device authentication across modern hardware platforms. By automating certificate lifecycle management and enforcing cryptographic policies aligned with SPDM specifications, PKIaaS not only simplifies deployment at scale but also strengthens the overall trust framework essential for platform integrity and secure boot mechanism.
