Use the Certificate Management option in SCT to manage the trusted certificates that are stored in network engines. Release 8.1 introduced encrypted communication between Metasys servers and network engines, together with the option to configure encrypted and trusted communication for network engines. Beginning with Release 9.0, encrypted and trusted communication is available between the Metasys server and network engines; the Site Security Level attribute in the Site object controls this capability. For details, refer to the ADS/ADX Commissioning Guide (LIT-1201645).
When you install or upgrade a Metasys site to Release 8.1 or later, self-signed certificates are installed for the Metasys Server and network engines by default. Self-signed certificates for network engines have three-year durations. Once devices are installed or upgraded, Metasys system communication is encrypted. If a customer is satisfied with encrypted communications, no Certificate Management steps are required. System components come online and communicate as they would at any Metasys software release.
The connection status currently active on the computer is indicated by a security shield icon that appears on the Metasys SMP and SCT login windows, and SMP and SCT UI main screens. If the engine is using trusted certificates, a green shield icon with a checkmark appears. If the engine is using self-signed certificates, an orange shield icon with an exclamation mark appears. And finally, if the certificate chain to the engine is broken, the certificate is misnamed, or the certificate has expired, a red shield icon with an X appears. The Metasys UI login screen does not indicate the active connection status.
To help you remember when the server certificates installed on network engines expire, the Site object has an attribute called Certificate Renewal Period. This attribute controls when certificate expiration reminders begin: it specifies the number of days before a certificate expires at which operators start to receive a daily notification that an engine certificate is about to expire. For example, if you use the default period of 60 days and a server certificate on a network engine expires on January 1, then beginning on November 1 an event requiring acknowledgement is sent to operators once a day until the self-signed certificate is renewed or a new trusted certificate is installed.
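The following script is an added example and is not part of the Metasys documentation or of SCT; it reproduces locally, with openssl, the three shield states described above (trusted, self-signed, and broken chain / name mismatch / expired) and the renewal-reminder window. Every certificate, key, host name (NAE-01.example.com, NAE-02.example.com) and the 60-day period are constructed for the demo; how SCT performs its own checks internally is not documented, so the classification here simply follows the three documented states.

```shell
#!/bin/sh
# Added example: emulate the SCT shield states and the Certificate Renewal
# Period check with openssl. All material below is constructed for the demo.
set -eu

# Minimal openssl config so the demo does not depend on a system openssl.cnf.
write_cnf() {
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:NAE-01.example.com
EOF
}

# make_demo_certs DIR: a customer root CA, an engine certificate issued by it
# (the trusted case), the same request with only 30 days of validity left, and
# a 3-year self-signed engine certificate (the Metasys install default).
make_demo_certs() {
    d=$1
    write_cnf "$d"
    openssl req -x509 -config "$d/ext.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -keyout "$d/root.key" -out "$d/root.pem" -days 3650 \
        -subj "/CN=Customer Root CA" 2>/dev/null
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/engine.key" -out "$d/engine.csr" \
        -subj "/CN=NAE-01.example.com" 2>/dev/null
    openssl x509 -req -in "$d/engine.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -extensions srv_ext \
        -days 365 -out "$d/engine.pem" 2>/dev/null
    openssl x509 -req -in "$d/engine.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -extensions srv_ext \
        -days 30 -out "$d/engine-short.pem" 2>/dev/null
    openssl req -x509 -config "$d/ext.cnf" -extensions srv_ext -newkey rsa:2048 \
        -nodes -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" -days 1095 \
        -subj "/CN=NAE-01.example.com" 2>/dev/null
}

# shield_status CERT ROOTS EXPECTED_NAME: prints green, orange or red.
shield_status() {
    cert=$1 roots=$2 name=$3
    # Expired (or not yet valid): red.
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 || { echo red; return 0; }
    # Certificate name does not match the engine name: red.
    openssl x509 -noout -checkhost "$name" -in "$cert" | grep -q 'does match' \
        || { echo red; return 0; }
    # Chains to a trusted root and the name matches: green.
    if openssl verify -CAfile "$roots" -verify_hostname "$name" "$cert" >/dev/null 2>&1; then
        echo green; return 0
    fi
    # Untrusted but issuer equals subject: the self-signed default, orange.
    subj=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject=//')
    issr=$(openssl x509 -noout -issuer  -in "$cert" | sed 's/^issuer=//')
    if [ "$subj" = "$issr" ]; then
        echo orange; return 0
    fi
    # Issued by someone, but the chain to the trust store is broken: red.
    echo red
}

# renewal_due CERT DAYS: "yes" once the certificate is within DAYS days of
# expiring, i.e. once the daily reminder window would have started.
renewal_due() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

DEMO=$(mktemp -d)
make_demo_certs "$DEMO"
echo "issued by trusted root:   $(shield_status "$DEMO/engine.pem" "$DEMO/root.pem" NAE-01.example.com)"       # green
echo "self-signed default:      $(shield_status "$DEMO/selfsigned.pem" "$DEMO/root.pem" NAE-01.example.com)"   # orange
echo "name mismatch:            $(shield_status "$DEMO/engine.pem" "$DEMO/root.pem" NAE-02.example.com)"       # red
echo "root not in trust store:  $(shield_status "$DEMO/engine.pem" "$DEMO/selfsigned.pem" NAE-01.example.com)" # red
echo "renewal due, 365 days left, 60-day period: $(renewal_due "$DEMO/engine.pem" 60)"       # no
echo "renewal due, 30 days left, 60-day period:  $(renewal_due "$DEMO/engine-short.pem" 60)" # yes
```

Run against a real engine, the same checks apply to the certificate you export from SCT or capture with `openssl s_client`: the root bundle passed as ROOTS is the customer root that SCT pushes to the engines, and EXPECTED_NAME is the name the Metasys server uses to reach the engine.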
For Release 12.0 or later, if you want to manage BACnet/SC certificates, use the BACnet/SC Management feature that is part of Metasys UI or the Johnson Controls System Configuration Tool (JCT). For more information about BACnet/SC certificates and how to manage them, refer to the BACnet/SC Workflow Technical Bulletin (LIT-12013959).
The sections that follow describe how to manage security certificates for network engines with SCT, including how to request, upload, and download certificates. You also use Certificate Management to add each Metasys server certificate so that SCT can push the server's root certificate to the network engines. Without the root certificate, network engine communication to the Metasys server still works, but it is untrusted. For setting up root, intermediate, and server certificates on a Metasys server, refer to the appropriate document: Metasys Server Installation and Upgrade Instructions (LIT-12012162), Open Application Server (OAS) Installation Guide (LIT-12013222), or NAE85 Installation and Upgrade Instructions (LIT-12011530).
Figure 1 shows an example of the Certificate Management window in SCT. Open it by clicking the Certificate Management icon. The window has a Certificates tab that lists details about each certificate in the archive. From this window, you can request, export, or delete a certificate. You can also replace an existing certificate with a self-signed certificate.
The following table explains each column in the Certificates window. Click inside a column header to sort the column.
| Column Name | Description |
|---|---|
| Status | A security shield icon that indicates the connection status afforded by the certificate. Green shield with a checkmark: encrypted and trusted. Orange shield with an exclamation mark: encrypted and self-signed. Red shield with an X: encrypted, but either the certificate chain to the site or engine is broken, the certificate has a name mismatch, or the certificate has expired. |
| Checkbox Icon | A check box to select the device that you want to work with. |
| Issued To | The name of the device to which the certificate is issued. |
| Type | The type of certificate: root, intermediate, or server. |
| Device | The device to which the certificate is bound (single for a server certificate; single or multiple for intermediate and root certificates). |
| Expiration | The date on which the certificate expires. The certificate management tool highlights all certificates that will expire within the number of days specified by the Certificate Renewal Period attribute of the Site object, as well as certificates that have already expired. The same attribute controls when certificate expiration reminders begin: it specifies the number of days before a certificate expires at which the operator starts to receive a daily notification. This attribute is synchronized to all child devices and applies only to devices at Release 8.1 or later. |
| Details | A clickable arrow that opens an expanded panel with more detailed information about the certificate. |