Certificate management introduction - Metasys - LIT-1201519 - MS-NAE35xx-2 - MS-NAE45xx-2 - MS-NAE5510-2U - MS-NAE5510-3U - MS-NAE551S-2 - MS-NAE55xx-3 - MS-NCE25xx-0 - MS-NXE85SW-x - Supervisory Device - NAE35 Network Automation Engine - NAE45 Network Automation Engine - NAE55 Network Automation Engine - NAE85 Network Automation Engine - NCE25 Network Control Engine - 11.0

NAE Commissioning Guide

Brand: Metasys
Product name: NAE35 Network Automation Engine; NAE45 Network Automation Engine; NAE55 Network Automation Engine; NAE85 Network Automation Engine; NCE25 Network Control Engine
Document type: Commissioning Guide
Document number: LIT-1201519
Version: 11.0
Revision date: 2022-02-09
Language: English

Use the Certificate Management option in SCT to manage trusted certificates that are stored in network engines. Enhancements at Metasys Release 8.1 improved security by enabling encrypted communication between Metasys servers and network engines. These enhancements included the option to configure encrypted and trusted communication for network engines. Beginning with Release 9.0, encrypted and trusted communication is available between the Metasys server and network engines. The Site Security Level attribute in the Site object controls this capability. For details, refer to the ADS/ADX Commissioning Guide (LIT-1201645).

When you install or upgrade a Metasys site to Release 8.1 or later, self-signed certificates are installed for the Metasys Server and network engines by default. Self-signed certificates for network engines have three-year durations. Once devices are installed or upgraded, Metasys system communication is encrypted. If a customer is satisfied with encrypted communications, no Certificate Management steps are required. System components come online and communicate as they would at any Metasys software release.

Optionally, if trusted communication is desired, the customer's IT department can generate trusted certificates or obtain trusted certificates from a Certificate Authority (CA) for the Metasys server and network engines. You use the Certificate Management option in SCT to manage trusted certificates for network engines.
Note: If you are implementing certificate management on an existing Metasys system, keep in mind that adding a trusted certificate may require you to add a domain name to the original host name of a server or engine. This action requires you to rename all data in the Metasys historical databases. You can perform the renaming operation within SCT, but be aware that this procedure requires intensive database operations that significantly prolong a system upgrade. Therefore, be sure to allocate extra time if you are renaming historical data as part of an upgrade to Metasys Release 9.0. For details about renaming a network engine, refer to the Download section in Metasys SCT Help (LIT-12011964).

The connection status currently active on the computer is indicated by a security shield icon that appears on the Metasys SMP and SCT login windows and on the SMP and SCT UI main screens. If the engine is using trusted certificates, a green shield icon with a check mark appears. If the engine is using self-signed certificates, an orange shield icon with an exclamation mark appears. If the certificate chain to the engine is broken, the certificate is misnamed, or the certificate has expired, a red shield icon with an X appears. The Metasys UI login screen does not indicate the active connection status.

To help you remember when server certificates installed on network engines expire, the Site object has an attribute called Certificate Renewal Reminder. This attribute regulates when certificate expiration reminders begin. It specifies the number of days prior to security certificate expiration at which operators start to be notified daily that an engine certificate is about to expire. For example, if you use the default period of 60 days, and a server certificate on a network engine expires on January 1, then beginning on November 1 an event requiring acknowledgement is sent to operators once a day until the self-signed certificate is renewed or a new trusted certificate is installed.
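The following Python is an added illustration, not SCT code and not part of this guide. It models the two behaviours described above: the shield classification (trusted, self-signed, or broken chain / name mismatch / expired) and the Certificate Renewal Reminder window with its 60-day default. It consumes certificates in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be run against a certificate captured from a real engine connection. The engine host name, the sample certificates, the trusted issuer names and the fixed "current" time are constructed values.

```python
import ssl
from datetime import datetime, timezone

# Default for the Site object's Certificate Renewal Reminder, as stated in the guide.
DEFAULT_RENEWAL_REMINDER_DAYS = 60

# Constructed sample data: issuer common names assumed to be in the engine's trust
# store (the root/intermediate certificates SCT pushed). Placeholders, not real CA names.
TRUSTED_ISSUER_CNS = {"Example Corp Root CA", "Example Corp Issuing CA"}

# Constructed sample engine host name, with a domain name appended (see the Note above).
ENGINE_HOST = "nae55-01.example.com"

# Fixed "current" time so the classification below is reproducible.
NOW = datetime(2025, 11, 15, tzinfo=timezone.utc)

# Constructed certificates in the dict layout returned by ssl.SSLSocket.getpeercert().
TRUSTED_CERT = {
    "subject": ((("commonName", "nae55-01.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Issuing CA"),)),
    "subjectAltName": (("DNS", "nae55-01.example.com"),),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
SELF_SIGNED_CERT = {  # engine default: subject equals issuer, three-year lifetime
    "subject": ((("commonName", "nae55-01.example.com"),),),
    "issuer": ((("commonName", "nae55-01.example.com"),),),
    "subjectAltName": (("DNS", "nae55-01.example.com"),),
    "notAfter": "Jan  1 00:00:00 2028 GMT",
}
MISNAMED_CERT = dict(TRUSTED_CERT,
                     subject=((("commonName", "nae55-02.example.com"),),),
                     subjectAltName=(("DNS", "nae55-02.example.com"),))
EXPIRED_CERT = dict(TRUSTED_CERT, notAfter="Jan  1 00:00:00 2025 GMT")


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested-tuple DN."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _dns_names(cert):
    """SAN DNS entries; fall back to the subject CN only if there is no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _rdn_value(cert["subject"], "commonName")
    if not names and cn:
        names.append(cn)
    return names


def _name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def _not_after(cert):
    # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used by getpeercert().
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def shield_status(cert, hostname, now):
    """'green' = trusted, 'orange' = self-signed, 'red' = broken chain, misnamed or expired."""
    if _not_after(cert) < now:
        return "red"                                   # expired
    if not any(_name_matches(n, hostname) for n in _dns_names(cert)):
        return "red"                                   # name mismatch
    if cert["subject"] == cert["issuer"]:
        return "orange"                                # self-signed
    if _rdn_value(cert["issuer"], "commonName") in TRUSTED_ISSUER_CNS:
        return "green"                                 # chains to a trusted issuer
    return "red"                                       # issuer not in the trust store


def days_until_expiry(cert, now):
    """Whole days remaining; negative once the certificate has expired."""
    return (_not_after(cert) - now).days


def renewal_reminder_due(cert, now, reminder_days=DEFAULT_RENEWAL_REMINDER_DAYS):
    """True once the certificate is inside the reminder window (or already expired)."""
    return days_until_expiry(cert, now) <= reminder_days


if __name__ == "__main__":
    for label, cert in [("trusted", TRUSTED_CERT), ("self-signed", SELF_SIGNED_CERT),
                        ("misnamed", MISNAMED_CERT), ("expired", EXPIRED_CERT)]:
        print(f"{label:12} shield={shield_status(cert, ENGINE_HOST, NOW):6} "
              f"days_left={days_until_expiry(cert, NOW):5} "
              f"reminder={renewal_reminder_due(cert, NOW)}")
```

Run against a live engine, the dict would come from a TLS connection's getpeercert(); the trust-store check here is a common-name lookup standing in for SCT's full chain validation, so treat it as the shape of the decision rather than a replacement for it.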

The sections that follow describe how to manage security certificates for network engines with SCT, including how to request, upload, and download certificates. You also use Certificate Management to add each Metasys server certificate so that SCT can push the server's root certificate to network engines. Without the root certificate, network engine communication to the Metasys server works, but it is untrusted. For setting up root, intermediate, and server certificates on a Metasys server, refer to the appropriate document: Metasys Server Installation and Upgrade Guide (LIT-12012162), ODS Installation and Upgrade Guide (LIT-12011945), Open Application Server (OAS) Installation Guide (LIT-12013222), or NAE85 Installation and Upgrade Instructions (LIT-12011530).

Figure 1 shows an example of the Certificate Management window in SCT. Open it by clicking Tools > Certificate Management. The window has a Certificates tab that includes details about each certificate in the archive. From this window, you can request, export, or delete a certificate. You can also replace an existing certificate with a self-signed certificate.

Figure 1. Certificate Management Main Screen

The following table explains each column in the Certificates window. Click inside a column header to sort the column.

Table 1. Description of Certificates Table

Status: A security shield icon that indicates the connection status afforded by the certificate.
    Green shield with check mark: encrypted and trusted
    Orange shield with exclamation mark: encrypted and self-signed
    Red shield with X: encrypted, but the certificate chain to the site or engine is broken, the certificate has a name mismatch, or the certificate has expired

Checkbox Icon: A check box to select the device that you want to work with.

Issued To: The name of the device to which the certificate is issued.

Type: The type of certificate: root, intermediate, or server.

Device: The device to which the certificate is bound (single or multiple for intermediate and root certificates).

Expiration: The date on which the certificate expires. The certificate management tool highlights all certificates that will expire within the number of days specified by the Certificate Renewal Period attribute of the Site object (or have already expired). The Certificate Renewal Period attribute in the Site object also controls when certificate expiration reminders begin: it specifies the number of days prior to security certificate expiration at which the operator starts to be notified daily that a certificate is about to expire. This attribute is synchronized to all child devices. Certificate Renewal Period applies only to devices at Release 8.1 or later.

Details: A clickable arrow that opens an expanded panel with more detailed information about the certificate.