Manual certificate distribution - Metasys - LIT-12013959 - 13.0

BACnet/SC Workflow Technical Bulletin

Document type
Technical Bulletin

About this task

From Release 12.0, Metasys supports a manual approach for certificate management. Use the BACnet/SC Management feature that is part of Metasys UI or JCT to manage your certificates. For more information about the BACnet/SC Management feature, refer to BACnet/SC Management in Metasys UI Help (LIT-12011953) or Johnson Controls System Configuration Tool (JCT) Help (LIT-12012116).

The following figure outlines the manual certificate distribution workflow. The numbers relate to the steps underneath the figure.
Figure 1. BACnet/SC manual certificate distribution workflow
The following steps summarize the manual certificate distribution workflow. See the referenced topics for more details.


  1. Confirm that the devices for which you want to configure BACnet/SC are online. Confirm that IP equipment controllers are at firmware version 10.0 or higher and are integrated into one of the supervisory devices.
  2. Connect to the site and configure the common site information. See Configuring the BACnet/SC site settings for details.
  3. The BACnet/SC Management feature displays a list of devices and their certificate status. Select the devices for which you want certificates.
  4. Request certificates for the selected devices and download the automatically created Certificate Signing Request (CSR) .zip file. See Requesting BACnet/SC certificates for details.
    Note: You can select a maximum of 50 devices at a time from one page in the BACnet/SC Management feature. Repeat step 4 if you need certificates for more than 50 devices.
  5. Email the CSR .zip files to the CA. The CA creates an operational certificate for each device on the site and one signing certificate to confirm that the devices are part of the site and can trust each other.
    Note: If your site is an existing BACnet/SC site, include a screen capture of an operational certificate from one existing device (SMP > Expert View). The screen capture is used to check that the CA providing the new operational certificates is the same CA that provided the existing operational certificates. If the wrong CA provides the operational certificates, the new devices are not able to communicate with existing devices.
  6. Receive email from the CA with the operational certificates and signing certificate.
    Important: If this is a new BACnet/SC site, skip step 7 and go to step 8. If this is an existing BACnet/SC site with an existing CA, go to step 7 and then step 8.
  7. If the CA that signed the operational certificates is not in use by the devices on the site (not normally the case), import the new CA's signing certificate to all devices. See Importing BACnet/SC signing certificate for details.
    Note: If the files are returned in a .pem format, combine the files in a .zip file to perform the import.
  8. Import operational certificates. See Importing BACnet/SC operational certificates for details.
    Note: If multiple .zip files are returned, repeat step 8 for each .zip file.


The system automatically distributes the certificates to the correct devices. Wait about 30 seconds for the distribution to complete. When certificates have been placed on all the devices that will communicate using BACnet/SC, you can set the communication mode to BACnet/SC. See Setting the communication mode for details.
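A pre-import check for steps 6 to 8, as an added example that is not part of the bulletin or of Metasys: it inspects the .pem files returned by the CA, decides whether step 7 applies by comparing the signing certificate's SHA-256 fingerprint with the one already in use on the site, and packs the files into .zip archives. The file names, the one-certificate-per-file rule, the flat archive layout, and having the in-use fingerprint available are assumptions, and the sample contents are constructed placeholders rather than real certificates.

```python
import base64, hashlib, io, re, zipfile

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, DER bytes)] for every PEM block found in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def inspect_returned(files):
    """files: {file name: PEM text}. Returns {file name: SHA-256 of the DER bytes}."""
    fps = {}
    for name, text in files.items():
        blocks = pem_blocks(text)
        labels = [label for label, _ in blocks]
        # The CA only ever received CSRs, so it has no private key to send back.
        if any("PRIVATE KEY" in label for label in labels):
            raise ValueError(f"{name}: unexpected private key in a CA reply")
        if labels != ["CERTIFICATE"]:  # assumption: one certificate per file
            raise ValueError(f"{name}: expected one certificate, found {labels}")
        fps[name] = hashlib.sha256(blocks[0][1]).hexdigest()
    return fps

def zip_files(files):
    """Pack PEM files into one flat .zip (the layout is an assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name in sorted(files):
            archive.writestr(name, files[name])
    return buf.getvalue()

def prepare_import(files, signing_name, in_use_ca_fp=None):
    """Return (step 7 needed?, signing .zip, operational .zip).
    in_use_ca_fp is None for a new site, where step 7 is skipped."""
    fps = inspect_returned(files)
    step7 = in_use_ca_fp is not None and fps[signing_name] != in_use_ca_fp.lower()
    operational = {n: t for n, t in files.items() if n != signing_name}
    return step7, zip_files({signing_name: files[signing_name]}), zip_files(operational)

def fake_pem(label, payload):
    """Constructed stand-in for a CA reply file; the bytes are not a real certificate."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

SAMPLE = {  # constructed file names and contents
    "site-signing.pem": fake_pem("CERTIFICATE", b"constructed CA bytes"),
    "device-01.pem": fake_pem("CERTIFICATE", b"constructed device 01 bytes"),
    "device-02.pem": fake_pem("CERTIFICATE", b"constructed device 02 bytes"),
}
```

A fingerprint mismatch only indicates that the returned signing certificate differs from the one in use; confirm the CA's identity with the issuer before importing it in step 7.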