diff --git a/libwvdrmengine/cdm/core/src/license_protocol.proto b/libwvdrmengine/cdm/core/src/license_protocol.proto
index d2164e22..b5d0b3cc 100644
--- a/libwvdrmengine/cdm/core/src/license_protocol.proto
+++ b/libwvdrmengine/cdm/core/src/license_protocol.proto
@@ -758,13 +758,44 @@ message EncryptedClientIdentification {
 }
 
 // ----------------------------------------------------------------------------
-// device_certificate.proto
+// Source of truth: drm_certificate.proto
+// Formally: device_certificate.proto (of wv_drm_sdk)
 // ----------------------------------------------------------------------------
 // Description of section:
 //   Device certificate and certificate status list format definitions.
 
+message RootOfTrustId {
+  // The version specifies the EC algorithm that was used to generate the
+  // root of trust id.
+  enum RootOfTrustIdVersion {
+    // Should not be used.
+    ROOT_OF_TRUST_ID_VERSION_UNSPECIFIED = 0;
+    // Version 1 of the ID uses EC-IES with SECP256R1 curve.
+    ROOT_OF_TRUST_ID_VERSION_1 = 1;
+  }
+  optional RootOfTrustIdVersion version = 1;
+  // The key_id is used for key rotation. It indicates which key was used to
+  // generate the root of trust id.
+  optional uint32 key_id = 2;
+
+  // The EC-IES encrypted message containing the unique_id. The bytes are
+  // a concatenation of
+  //    1) The ephemeral public key. Uncompressed keypoint format per X9.62.
+  //    2) The plaintext encrypted with the derived AES key using AES CBC,
+  //       PKCS7 padding and a zerio iv.
+  //    3) The HMAC SHA256 of the cipher text.
+  optional bytes encrypted_unique_id = 3;
+
+  // The hash of encrypted unique id and other values.
+  // unique_id_hash = SHA256(
+  //   encrypted_unique_id || system_id || SHA256(unique_id || secret_sauce)).
+  optional bytes unique_id_hash = 4;
+}
+
 // DRM certificate definition for user devices, intermediate, service, and root
 // certificates.
+// DrmDeviceCertificate tracks the provisioning service's DrmCertificate,
+// only including fields that are required by CDM devices.
 message DrmDeviceCertificate {
   enum CertificateType {
     ROOT = 0;
@@ -773,6 +804,31 @@ message DrmDeviceCertificate {
     SERVICE = 3;
     PROVISIONER = 4;
   }
+  enum ServiceType {
+    UNKNOWN_SERVICE_TYPE = 0;
+    LICENSE_SERVER_SDK = 1;
+    LICENSE_SERVER_PROXY_SDK = 2;
+    PROVISIONING_SDK = 3;
+    CAS_PROXY_SDK = 4;
+  }
+  enum Algorithm {
+    UNKNOWN_ALGORITHM = 0;
+    RSA = 1;
+    ECC_SECP256R1 = 2;
+    ECC_SECP384R1 = 3;
+    ECC_SECP521R1 = 4;
+  }
+
+  message EncryptionKey {
+    // Device public key. PKCS#1 ASN.1 DER-encoded. Required.
+    optional bytes public_key = 1;
+    // Required. The algorithm field contains the curve used to create the
+    // |public_key| if algorithm is one of the ECC types.
+    // The |algorithm| is used for both to determine the if the certificate is
+    // ECC or RSA. The |algorithm| also specifies the parameters that were used
+    // to create |public_key| and are used to create an ephemeral session key.
+    optional Algorithm algorithm = 2 [default = RSA];
+  }
 
   // Type of certificate. Required.
   optional CertificateType type = 1;
@@ -793,6 +849,26 @@ message DrmDeviceCertificate {
   // Service identifier (web origin) for the provider which owns the
   // certificate. Required for service and provisioner certificates.
   optional string provider_id = 7;
+  // This field is used only when type = SERVICE to specify which SDK uses
+  // service certificate. This repeated field is treated as a set. A certificate
+  // may be used for the specified service SDK if the appropriate ServiceType
+  // is specified in this field.
+  repeated ServiceType service_types = 8;
+  // Required. The algorithm field contains the curve used to create the
+  // |public_key| if algorithm is one of the ECC types.
+  // The |algorithm| is used for both to determine the if the certificate is ECC
+  // or RSA. The |algorithm| also specifies the parameters that were used to
+  // create |public_key| and are used to create an ephemeral session key.
+  optional Algorithm algorithm = 9 [default = RSA];
+  // Optional. May be present in DEVICE certificate types. This is the root
+  // of trust identifier that holds an encrypted value that identifies the
+  // keybox or other root of trust that was used to provision a DEVICE drm
+  // certificate.
+  optional RootOfTrustId rot_id = 10;
+  // Optional. May be present in devices that explicitly support dual keys. When
+  // present the |public_key| is used for verification of received license
+  // request messages.
+  optional EncryptionKey encryption_key = 11;
 }
 
 // DeviceCertificate signed with intermediate or root certificate private key.