3.2.3.1 Creating a Device Certificate
When DRM is initialized on the device, a unique device certificate with a unique device key pair MUST be created for that specific device:
1. The device creates a unique public-private device key pair.
2. The device creates a unique device certificate with the following stored in the device certificate:
   - The device public key is stored in the device certificate.
   - The device private key is encrypted with a hash of the group private key, and then is stored in the device certificate.
3. The device certificate is stored on the device.
This sequence is initiated whenever DRM is started on the device. For example, DRM can be initialized when the device first starts, or the first time a computer tries to transfer protected content (1) to the device.
The following diagram shows how a device certificate and a device key pair are created when the device is initialized.

Figure 1: Initialized Device Certificate
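
The creation sequence in this section, as an added Go example that is not part of the specification. The section does not name any algorithms, so Ed25519 for the device key pair, SHA-256 for the hash of the group private key, AES-256-GCM for the encryption, and the `DeviceCert` layout and function names are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeviceCert holds the two fields the section names; the layout is an assumption.
type DeviceCert struct {
	PublicKey         []byte // device public key
	WrappedPrivateKey []byte // nonce || AES-256-GCM(device private key)
}

// wrapAEAD keys AES-256-GCM with SHA-256(group private key); both are assumed.
func wrapAEAD(groupPriv []byte) cipher.AEAD {
	kek := sha256.Sum256(groupPriv)
	block, _ := aes.NewCipher(kek[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)   // an AES block is always accepted
	return aead
}

// CreateDeviceCert makes a fresh key pair and wraps the private key, bound to the public key.
func CreateDeviceCert(groupPriv []byte) (*DeviceCert, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead := wrapAEAD(groupPriv)
	nonce := make([]byte, aead.NonceSize()) // random per certificate: the wrapping key is the same for every call
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &DeviceCert{pub, aead.Seal(nonce, nonce, priv, pub)}, nil
}

// UnwrapPrivateKey fails on a wrong group key or a modified certificate.
func UnwrapPrivateKey(c *DeviceCert, groupPriv []byte) (ed25519.PrivateKey, error) {
	aead := wrapAEAD(groupPriv)
	n := aead.NonceSize()
	if len(c.WrappedPrivateKey) < n {
		return nil, fmt.Errorf("wrapped key shorter than nonce")
	}
	return aead.Open(nil, c.WrappedPrivateKey[:n], c.WrappedPrivateKey[n:], c.PublicKey)
}

func main() { fmt.Println(CreateDeviceCert([]byte("constructed group private key"))) }
```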