Certificate Management is an option in SCT that you use to manage trusted certificates that are stored in network engines. Enhancements at Metasys Release 8.1 provided for improved security by enabling encrypted communication between Metasys servers and network engines. These enhancements included the option to configure encrypted and trusted communication for the SCT, Metasys servers (ADS/ADX/OAS/ODS), all network engines, Metasys UI, and Launcher. Then, starting at Release 9.0, encrypted and trusted communication is available between the Metasys server and network engines. The Site Security Level attribute in the Site object controls this capability. For details, refer to the ADS/ADX Commissioning Guide (LIT-1201645).
When you install or upgrade a Metasys site to Release 8.1 or later, self-signed certificates are installed for the ADS/ADX/OAS/ODS and network engines by default. Self-signed certificates for network engines have three-year durations; for Metasys servers, certificates are valid until the year 2039. Once devices are installed or upgraded, Metasys system communication is encrypted. If a customer is satisfied with encrypted communications, no Certificate Management steps are required. System components come online and communicate as they would at any Metasys software release.
Optionally, if trusted communication is desired, the customer's IT department can generate trusted certificates or obtain trusted certificates from a Certificate Authority (CA) for the Metasys server and network engines. You use IIS Manager in the operating system to manage trusted certificates for the Metasys server. You use the Certificate Management option in SCT to manage trusted certificates for network engines. Trusted certificates that contain wildcards (for example, *.jci.com) are not permitted for the Metasys server and network engines.
The connection status currently active on the computer is indicated by a security shield icon that appears on the Metasys SMP and SCT login windows, and SMP and SCT UI main screens. If the site or engine is using trusted certificates, a green shield icon with a checkmark appears. If the site or engine is using self-signed certificates, an orange shield icon with an exclamation mark appears. And finally, if the certificate chain to the site or engine is broken, the certificate is misnamed, or the certificate has expired, a red shield icon with an X appears. The Metasys UI login screen does not indicate the active connection status.
To help you remember when server certificates installed on network engines expire, the Site object has an attribute called Certificate Renewal Reminder. This attribute regulates when certificate expiration reminders begin. It specifies the number of days prior to security certificate expiration before operators are notified daily that an engine certificate is about to expire. For example, if you use the default period of 60 days, and a server certificate on a network engine expires on January 1, then beginning on November 1 an event requiring acknowledgment is sent to operators once a day until the self-signed certificate is renewed or a new trusted certificate is installed.
The sections that follow describe how to manage security certificates for network engines with SCT 12.0 and later, including how to request, upload, and download certificates. You also use Certificate Management to add each Metasys server certificate so that SCT can push the server's root certificate to network engines. Without the root certificate, network engine communication to the Metasys server works, but it is untrusted. For setting up root, intermediate, and server certificates on a Metasys server (ADS, ADX, ODS, or NxE85), refer to the appropriate document: Metasys® Server Installation and Upgrade Instructions (LIT-12012162), ODS Installation and Upgrade Instructions (LIT-12011945), or NxE85 Installation and Upgrade Instructions (LIT-12011530).
From Metasys Release 10.1, network engines require additional security certificates to be stored locally on the devices. This includes SCT’s root CA certificate. Network engines require the certificates to maintain an Encrypted and Trusted status for communication. Therefore, from Metasys Release 10.1, when you include certificates in a download, all of the certificates stored in the SCT archive are transferred to a network engine. After you complete the download, in the Devices tab of Certificate Management, the additional certificates are listed in the Details section for a network engine.
Figure 1 shows an example of the Certificate Management window in SCT. Open it by clicking . The window has a Certificates tab that includes details about each certificate in the archive. From this window, you can request, export, or delete a certificate. You can also replace an existing certificate with a self-signed certificate.
The following table explains each column in the Certificates window. Click inside a column header to sort the column.
Column Name | Description |
---|---|
Status | A security shield icon that indicates the connection status afforded by the certificate. Green shield with tick icon: encrypted and trusted. Orange shield with exclamation mark icon: encrypted and self-signed. Red shield with cross icon: encrypted, but either the certificate chain to the site or engine is broken, the certificate has a name mismatch, or the certificate has expired. |
Checkbox Icon | A check box to select the device that you want to work with. |
Issued To | The name of the device to which the certificate is issued. |
Type | The type of certificate: root, intermediate, or server. |
Device | The device to which the certificate is bound (single or multiple for intermediate and root certificates). |
Expiration | The date on which the certificate expires. The certificate management tool highlights all certificates that will expire within the number of days specified by the Certificate Renewal Period attribute of the Site object (or have already expired). Also, the Certificate Renewal Period attribute in the Site object controls when certificate expiration reminders begin. It specifies the number of days prior to security certificate expiration before the operator is notified daily that a certificate is about to expire. This attribute is synchronized to all child devices. Certificate Renewal Period applies only to devices at Release 8.1 or later. |
Details | A clickable arrow that opens an expanded panel with more detailed information about the certificate. |
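The shield colours (trusted, self-signed, or broken chain / name mismatch / expired) and the renewal-reminder window described above can be modelled as a small classifier. The following Python is an added example and not SCT code or a Metasys data format; the certificate records, device names and dates are constructed for illustration, and the rule that the name check applies only to server certificates is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class CertRecord:
    """One constructed row of the Certificates tab (not the SCT archive format)."""
    issued_to: str      # Issued To column
    cert_type: str      # Type column: "root", "intermediate" or "server"
    expiration: date    # Expiration column
    self_signed: bool   # True for the default certificates installed at Release 8.1+
    chain_valid: bool   # False when the chain to the site or engine is broken
    device_name: str    # name the server certificate is expected to be issued to

def is_wildcard_name(name: str) -> bool:
    """Wildcard names such as *.jci.com are not permitted for servers or engines."""
    return name.startswith("*.")

def shield_status(cert: CertRecord, today: date) -> str:
    """Map a certificate to the shield colour shown in SMP/SCT and the Status column."""
    if not cert.chain_valid:
        return "red"                      # broken certificate chain
    if cert.expiration < today:
        return "red"                      # expired certificate
    if cert.cert_type == "server" and cert.issued_to.lower() != cert.device_name.lower():
        return "red"                      # misnamed certificate (assumed: server certs only)
    return "orange" if cert.self_signed else "green"

def reminder_due(cert: CertRecord, today: date, reminder_days: int = 60) -> bool:
    """True once today is within reminder_days of expiry, or past it (default 60 days)."""
    return today >= cert.expiration - timedelta(days=reminder_days)

def certificates_to_highlight(certs, today: date, reminder_days: int = 60) -> list:
    """Names the tool would highlight: expiring within the window or already expired."""
    return [c.issued_to for c in certs if reminder_due(c, today, reminder_days)]

# Constructed sample archive; hostnames and dates are illustrative only.
SAMPLE_TODAY = date(2025, 11, 15)
SAMPLE_CERTS = [
    CertRecord("nae-01.example.local", "server", date(2026, 1, 1), True, True, "nae-01.example.local"),
    CertRecord("adx-01.example.local", "server", date(2039, 1, 1), False, True, "adx-01.example.local"),
    CertRecord("nae-02.example.local", "server", date(2027, 6, 30), False, False, "nae-02.example.local"),
    CertRecord("nae-03.example.local", "server", date(2027, 6, 30), False, True, "nae-3.example.local"),
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert.issued_to, shield_status(cert, SAMPLE_TODAY), reminder_due(cert, SAMPLE_TODAY))
```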