This certificate, also called an issuer certificate, is a CA certificate (root or intermediate) used to sign all of the BACnet/SC operational certificates. Exported without its private key, it is what lets a device verify the authenticity of the server and client certificates that were signed with it.
Prerequisites: You have the required authority to create certificates. You are working in Workbench on a computer that is dedicated to certificate management, is not connected to the Internet or the company's LAN, and is physically secured in a vault or other secure location.
Perform the following steps:
- Access the Workbench Certificate Management view by clicking its icon.
The Certificate Management view opens to the User Key Store. This key store contains an auto-generated, self-signed default certificate that cannot be deleted and should be kept for recovery purposes.
- Confirm that you opened the Workbench User Key Store and click the New button at the bottom of the view.
NOTE: If you opened the platform/station Certificate Management view by mistake, you can still create a site CA certificate, but it is created in that platform's key store rather than in the Workbench User Key Store, so it will not be available here to sign the other certificates.
The Generate Self Signed Certificate window opens.
All certificates begin as self-signed certificates. The Secure Connect site CA certificate may remain self-signed, in which case it is a root certificate. If it is later signed by another CA certificate, it becomes an intermediate CA certificate.
- Fill in the form and click OK.
  - Use Alias to identify this as a site CA certificate.
  - The Common Name (CN) becomes part of the Subject (the Distinguished Name). For a site certificate, the Common Name (CN) may be the same as the Alias. Organization should be the name of the company.
  - Locality and State/Province are not required and are free text, but leaving them blank generates a warning message.
  - The two-character Country Code is required and must be a valid ISO 3166-1 alpha-2 code, such as US, IN, CA, FR, DE or ES (refer to the ISO CODE column at countrycode.org).
  - Certificate validity, set by the Not Before and Not After dates, defaults to one year. Standard X.509 path validation rejects a chain whose issuer certificate has expired, so a CA certificate should outlive the server and client certificates it will sign; set Not After accordingly.
  - Key Size defaults to 2048. A larger key improves security and has only a modest effect on communication time; its main cost is the longer time it takes to generate the certificate initially.
  - For Certificate Usage, select CA.
The Private Key Password window opens.
- Enter and confirm a strong password, and click OK.
The system informs you that the certificate has been submitted. After a moment the certificate appears in the User Key Store table (the Info message may still be covering it).
- To continue, click OK.
The root CA certificate now exists, with both its public and private keys, in the Workbench User Key Store. From this location you can use it to sign other certificates (intermediate, server, and client).
NOTE: Since this certificate is not signed by any higher certificate authority, it is always shown with an exclamation icon. This is normal for a root CA and does not need to be corrected. Because the CA can sign server and client certificates, and so establishes trust between BACnet devices, you must protect the computer (and any thumb drive) on which its private key resides: keep the computer off the Internet and the corporate LAN and, most securely, in a locked physical location.
For this certificate to authenticate the certificates it signs, you now need to export it with only its public key and load that file into the Issuer Certificate 1 or Issuer Certificate 2 property.
- Select the new site certificate and click Export.
The Certificate Export window opens.
CAUTION: Do not select the Export the private key check box. The only time you select it is when you are backing up the certificate to another secure location for safekeeping; a copy of the private key that leaves this computer must be protected as carefully as the computer itself.
- To create the site certificate file that will be loaded into one of the Issuer Certificate properties, click OK. The Certificate Export window opens with the file ready to export as a .pem file. Note the Current Path; this is where the system stores the exported certificate.
- Navigate to a certificate folder or a location on a thumb drive, and click Save.
The system reports that it exported the certificate successfully.
- To complete the export, click OK.
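Before loading the exported .pem into an Issuer Certificate property, it is worth confirming that the file is what this procedure intends: a single certificate, no private key, marked as a CA, and self-signed. The following POSIX shell script is an added example and not part of the Niagara documentation; it assumes openssl (1.1.1 or later) is on the PATH, and the file names are placeholders. So that it runs offline, it also generates throwaway test material (a constructed site CA and one operational certificate signed by it) standing in for Workbench output.

```shell
#!/bin/sh
# Added example, not part of the Niagara documentation: sanity-check an exported
# site CA .pem with openssl before loading it into Issuer Certificate 1 or 2.
# Assumes: openssl (1.1.1 or later) on PATH. File names below are placeholders.
set -eu

# Pass (return 0) only if the file holds exactly one CERTIFICATE block and no
# private key, i.e. "Export the private key" was left unchecked.
check_public_only() {
    f="$1"
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "FAIL: $f contains a private key; re-export without the private key" >&2
        return 1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $f holds $n certificates, expected exactly 1" >&2
        return 1
    fi
}

# Pass only if the certificate is marked as a CA (basicConstraints CA:TRUE) and
# is self-signed (subject equals issuer), i.e. a root rather than an intermediate.
check_is_root_ca() {
    f="$1"
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || {
        echo "FAIL: $f is not a CA certificate (Certificate Usage was not CA)" >&2
        return 1
    }
    subj=$(openssl x509 -in "$f" -noout -subject)
    iss=$(openssl x509 -in "$f" -noout -issuer)
    if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
        echo "NOTE: issuer differs from subject; $f is an intermediate, not a root" >&2
        return 2
    fi
}

# Pass only if an operational (server/client) certificate chains to the CA file,
# which is what a device holding this issuer certificate will check.
check_chains_to() {
    openssl verify -CAfile "$1" "$2" > /dev/null
}

# Constructed test material standing in for Workbench output so the checks can
# run offline: a throwaway site CA and one operational certificate signed by it.
make_demo_material() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/op.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Site CA/O=Example Co/C=US' \
        -keyout "$d/siteca.key" -out "$d/siteca.csr" 2>/dev/null
    openssl x509 -req -in "$d/siteca.csr" -signkey "$d/siteca.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/siteca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=bacnet-sc-hub/O=Example Co/C=US' \
        -keyout "$d/hub.key" -out "$d/hub.csr" 2>/dev/null
    openssl x509 -req -in "$d/hub.csr" -CA "$d/siteca.pem" -CAkey "$d/siteca.key" \
        -CAcreateserial -days 365 -extfile "$d/op.ext" -out "$d/hub.pem" 2>/dev/null
    # What a mistaken export with "Export the private key" checked looks like.
    cat "$d/siteca.key" "$d/siteca.pem" > "$d/siteca_with_key.pem"
}

# Run every check against a directory of material; returns 0 when all pass.
run_checks() {
    d="$1"
    check_public_only "$d/siteca.pem"
    check_is_root_ca "$d/siteca.pem"
    check_chains_to "$d/siteca.pem" "$d/hub.pem"
    # The file that includes the key must be rejected.
    if check_public_only "$d/siteca_with_key.pem" 2>/dev/null; then
        echo "FAIL: private-key export was not detected" >&2
        return 1
    fi
    echo "OK: $d/siteca.pem is a public-only root CA and $d/hub.pem chains to it"
}

if [ "${1:-}" = "--demo" ]; then
    workdir=$(mktemp -d)
    make_demo_material "$workdir"
    run_checks "$workdir"
fi
```

Run the script with --demo to exercise it on the constructed material. Against a real export, call check_public_only and check_is_root_ca on the .pem you saved; once you have signed a server or client certificate with the CA, check_chains_to on that certificate reproduces the trust decision a BACnet/SC device will make.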