Node certificates

Certificates authenticate networked devices to one another and secure their communication. A node can be a Supervisor station, a remote controller station, or a device such as a thermostat, HVAC unit, light, or camera.

To manage secure communication in a BACnet/SC network, you need three types of certificates:

  • A single site (root or intermediate) CA certificate, also called an issuer certificate. The private key of this certificate signs the network’s server and client certificates.
  • A client certificate for each node, also called an operational certificate.
  • A server certificate for the nodes that host a hub function or nodes that accept direct connections. In some cases, the server certificate can also be used as a client certificate.

This drawing identifies the certificates required to secure the nodes of the BACnet network. A Supervisor station has the same requirements as any other node. Devices at the edge also require certificates.

[Image: drawing of the BACnet/SC network and the certificates each node requires]

| Node | Function and comments | Required certificate | Where to configure | Property names |
|---|---|---|---|---|
| Node that hosts a hub function or accepts direct connections | Initiate a local hub connection to the node’s hub function, or direct connections to other nodes. | client (identified in green) | Expand BacnetNetwork > Bacnet Comm > Network > ScPort > Link and double-click Credentials. | Operational Certificate |
| | Verify the server certificate of another node when initiating a hub or direct connection. Verify the client certificate submitted by another node when accepting a hub or direct connection. | site CA (issuer) without its private key (identified in light red). You may email this certificate. | | Issuer Certificate1, Issuer Certificate2 |
| | Accept a hub or a direct connection initiated by another node. | server | Expand Config > Services and double-click WebService. | Main Https Cert |
| Node that only initiates connections | Initiate a hub connection to a hub, or direct connections to other nodes. Each node has its own unique client certificate. | client (identified in green) | Expand BacnetNetwork > Bacnet Comm > Network > ScPort > Link and double-click Credentials. | Operational Certificate |
| | Verify the server certificate of another node when initiating a hub or direct connection. | site CA (issuer) without its private key (identified in light red). You may email this certificate. | | Issuer Certificate1, Issuer Certificate2 |
| Site CA | Used to sign all client and server certificates. This certificate’s private key is password protected. Once you finish signing your server and client certificates, store this certificate securely. Do not email it to anyone. | site CA (issuer) with its private key (identified in red) | Click Tools > Certificate Management. | N/A |
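The three-certificate model above (one site CA whose private key signs everything, an operational/client certificate per node, a server certificate for nodes that accept connections, and the CA certificate without its key distributed to every node for verification) can be exercised end to end with the Go standard library. The following is an added example written for this page, not code from the product or from BACnet/SC itself; the node names, validity periods and serial numbers are constructed, and the roles are expressed as standard X.509 extended key usages (client authentication for the operational certificate, server authentication for the Main Https Cert), which is an assumption about how the product encodes them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SitePKI models the issuer side: the CA certificate, its private key (which
// never leaves the CA holder), and the CA-without-key pool that every node gets.
type SitePKI struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	Pool   *x509.CertPool
}

// NewSiteCA creates a self-signed site CA (root issuer). The name is constructed.
func NewSiteCA() (*SitePKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Site CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert) // what nodes install as Issuer Certificate: public part only
	return &SitePKI{CACert: cert, caKey: key, Pool: pool}, nil
}

// IssueNodeCert signs one node certificate with the site CA key. The usages
// select the role: ClientAuth for an operational certificate, ServerAuth for a
// server certificate, or both when one certificate serves as both.
func (p *SitePKI) IssueNodeCert(nodeName string, serial int64, usages ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: nodeName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  usages,
		DNSNames:     []string{nodeName},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.CACert, &key.PublicKey, p.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyPeer is what a node does with only the issuer certificate: confirm the
// presented certificate chains to the site CA and is allowed in the given role.
func VerifyPeer(pool *x509.CertPool, cert *x509.Certificate, role x509.ExtKeyUsage) bool {
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{role}}
	_, err := cert.Verify(opts)
	return err == nil
}

func main() {
	site, err := NewSiteCA()
	if err != nil {
		panic(err)
	}
	// Constructed nodes: a hub that both accepts and initiates, and a thermostat that only initiates.
	hub, _, _ := site.IssueNodeCert("hub-01", 2, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	thermostat, _, _ := site.IssueNodeCert("thermostat-01", 3, x509.ExtKeyUsageClientAuth)
	fmt.Println("thermostat trusts hub as server:   ", VerifyPeer(site.Pool, hub, x509.ExtKeyUsageServerAuth))
	fmt.Println("hub accepts thermostat as client:  ", VerifyPeer(site.Pool, thermostat, x509.ExtKeyUsageClientAuth))
	fmt.Println("thermostat offered as a server:    ", VerifyPeer(site.Pool, thermostat, x509.ExtKeyUsageServerAuth))
}
```

Two properties of the table are visible in the checks: a node can validate any peer while holding nothing but the issuer certificate (the `Pool`), so that artifact is safe to distribute, and an operational certificate is rejected when a node tries to use it in the server role unless the CA issued it with both usages, which is the "in some cases" the list above refers to. A certificate signed by a different CA fails in every role, which is why all nodes of one site must share one issuer.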