Page 33 - BACnet_Europe-Journal_43

BACnet Insight



IT department can implement their own infrastructure to generate these keys and certificates. The term PKI (Public Key Infrastructure) is used to define this setup. The building automation product vendors may also have specific software tools to implement the PKI, but the certificates and keys for all devices at a site, irrespective of their brand, must be generated from the same tool to ensure interoperability. The certificates on devices also expire and need to be renewed: a device whose certificate has expired fails TLS validation and can no longer connect, so renewal has to be planned before the expiry date rather than discovered afterwards.

Devices used on internal networks can also employ a self-signed digital certificate to make a web browser trust your internal devices. A self-signed certificate is a type of SSL/TLS credential you sign yourself rather than having it signed by a trusted third-party CA. If you don't have an IT department, you can generate the self-signed certificate yourself. In addition, generating a self-signed certificate for internal network devices eliminates the associated cost of getting a certificate from a trusted third-party CA.

Figure caption: Digital certificates verify ownership and authenticity to ensure that communication occurs with authorized devices. © Creative Commons

Digital Certificates – Self-Signed

Self-signed digital certificates are created by signing the certificate with the owner's own private key. They are created, issued, and signed by the company or developer who is responsible for the website/software being signed. Unlike certificates issued by a trusted CA, no external party verifies a self-signed certificate. Self-signed certificates are fast, free, and easy to issue. They are appropriate for local development, testing, or staging environments, internal network websites, and providing secure webpages for devices. However, you must be aware of their limitations: the TLS session they enable is encrypted just as strongly as one based on a CA-issued certificate, but they lack the backing of a recognized authority, so browsers on other PCs will display security warnings for them until the certificate has been installed in each PC's trusted store.

Digital Certificates – OpenSSL

You can generate and install a self-signed certificate using OpenSSL, a commonly used command-line utility for generating keys, creating certificate signing requests (CSRs), and managing certificates. Put the device's hostname or IP address in the certificate's Subject Alternative Name (SAN) extension: current browsers match the address in the URL bar against the SAN and ignore the Common Name field, so a certificate without a SAN produces a warning even after it has been imported.

According to the OpenSSL documentation at https://docs.openssl.org/master/man7/ossl-guide-introduction: "OpenSSL is a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. Its features are made available via a command line application that enables users to perform various cryptography related functions such as generating keys and certificates. Additionally, it supplies two libraries that application developers can use to implement cryptography-based capabilities and to securely communicate across a network. Finally, it also has a set of providers that supply implementations of a broad set of cryptographic algorithms. OpenSSL is fully open source. Version 3.0 and above are distributed under the Apache v2 license."

If you don't have OpenSSL on your Windows PC, you can install an OpenSSL package. If you are accessing the HTTPS device from a different PC, a security warning message will appear. You must download the self-signed certificate and install it in your local machine's trusted certificate store.

For more information, Contemporary Controls has created an Application Note, How to Create and Use Self-Signed SSL Certificates, that explains how to add OpenSSL and create a self-signed certificate on Windows using the Windows Package Manager, WinGet. WinGet is a free and open-source package manager designed by Microsoft that allows users to discover, install, upgrade, remove, and configure applications on Windows 10, Windows 11, and Windows Server 2025 computers. The application note also explains how to install this self-signed certificate on the device, and how to download and install the self-signed certificate on different Windows machines to eliminate the security warning. Instructions are provided for commonly used browsers – Google Chrome, Microsoft Edge, and Mozilla Firefox – and for how to overcome the security warning message.

Conclusion

HTTPS encrypts the transport of data to ensure data integrity and prevents information from being modified, corrupted, or stolen during transmission. SSL/TLS authenticates the server (and, where client certificates are used, the client as well) so that information is not revealed to unauthorized parties. HTTPS requires digital certificates to validate domain ownership and to establish integrity. For external networks, you should obtain this credential from a trusted third-party CA.

Self-signed certificates are valuable for creating secure communication channels for internal networks when you control the environment. They offer quick deployment and cost savings and are ideal for testing, local development, or internal applications. Understanding these concepts is critical to implementing security for IP devices in general. For the Building Automation world based on BACnet, they provide the foundational knowledge for a successful and robust implementation of BACnet/SC.

[German version of the article, translated; it continues on the next page]

BACnet is still the most popular protocol for HVACR control systems. There is a robust ecosystem of devices that make up these systems, including gateways for integrating other protocols such as Modbus and EnOcean into BACnet. As more and more devices are deployed to meet the requirements of today's building management systems (BMS) and smart building infrastructures, network security is more important than ever in order to guarantee the authentication, integrity and confidentiality of the data transmitted over the Internet.

BACnet-compliant devices with HTTPS (Secure HTTP) offer encrypted communication and protect the integrity of customer data. Built-in HTTPS web servers allow commissioning, status reporting and troubleshooting to be carried out securely from any standard web browser, and so improve access control to the devices.

HTTPS (Secure HTTP) uses encryption for secure communication over an IP network. HTTPS traffic is encrypted with Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL). The protocol is still referred to as HTTP over SSL and is usually shown in the browser's address bar as https://.

Digital Certificates

SSL/TLS is based on the use of keys and digital certificates for data encryption, device authentication and data integrity. Keys come in pairs (public/private) and are used for encryption and decryption. A public key is used for encryption, while the private key is used for decryption.

Digital certificates are used for authentication and encryption, to verify ownership and authenticity and to ensure that only authorized devices communicate with one another. The public key is part of the certificate, while the private key is kept secret by the device.

There are mechanisms for generating certificates and keys for one device and for scaling the architecture to many devices.

Digital Certificates – Certificate Authority

Certificates are usually issued and managed by a trusted third-party company, a so-called Certificate Authority (CA). Installing an SSL certificate for a website from a well-known CA that is trusted by all devices and browsers, such as DigiCert, Comodo, GoDaddy or Let's Encrypt, can enable seamless access to the website over the public Internet. The device can
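The site PKI described at the top of the page (one tool issuing the certificates and keys for every device, whatever its brand, with renewal before expiry) is shown below as an added example using the OpenSSL command line. This is not code from the article, from a vendor tool or from the BACnet/SC specification, which defines the exact certificate profile for SC operational certificates; it shows only the X.509 mechanics. The organisation name, the device names ahu-01 and vav-07, the 192.0.2.x addresses and the validity periods are made up for the example.

```shell
#!/bin/sh
# Added example (not from the article): a minimal site PKI with OpenSSL.
# One site CA signs the certificate of every device, so all devices chain
# to the same trust anchor. Names, addresses and lifetimes are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-contained request config so nothing depends on the system openssl.cnf.
# Subjects are always passed with -subj; the [dn] entry is a placeholder.
cat > site.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Site CA: self-signed root with the CA flag set. Its private key
#    (site-ca.key) stays with the issuing tool and never goes on a device.
openssl req -x509 -config site.cnf -extensions v3_ca \
  -newkey rsa:2048 -nodes -days 3650 \
  -keyout site-ca.key -out site-ca.crt \
  -subj "/O=Example Site/CN=Example Site Root CA" 2>/dev/null

# 2. Device certificate: the device keeps its private key and hands over
#    only the CSR; the CA returns a certificate carrying the device's name
#    and IP in the Subject Alternative Name plus the TLS usages a device
#    needs (server for its web UI, client towards a BACnet/SC hub).
issue_device_cert() {
  name="$1"; ip="$2"; days="$3"
  openssl req -new -config site.cnf -newkey rsa:2048 -nodes \
    -keyout "$name.key" -out "$name.csr" \
    -subj "/O=Example Site/CN=$name" 2>/dev/null
  printf '%s\n' \
    "basicConstraints = CA:FALSE" \
    "keyUsage = critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage = serverAuth,clientAuth" \
    "subjectAltName = DNS:$name,IP:$ip" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA site-ca.crt -CAkey site-ca.key \
    -CAcreateserial -days "$days" -extfile "$name.ext" \
    -out "$name.crt" 2>/dev/null
}

# 3. What every peer does at TLS time: does the certificate chain to the
#    site CA? Returns 0 when OpenSSL reports the chain as OK.
verify_device_cert() {
  openssl verify -CAfile site-ca.crt "$1.crt" 2>/dev/null | grep -q ': OK$'
}

# 4. Renewal check: returns 0 if the certificate is still valid $2 seconds
#    from now. Run it from monitoring so renewal happens before expiry,
#    not after the device has already dropped off the network.
cert_valid_for() {
  openssl x509 -in "$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}

issue_device_cert ahu-01 192.0.2.10 365
verify_device_cert ahu-01 && echo "ahu-01: chains to the site CA"
cert_valid_for ahu-01 2592000 && echo "ahu-01: valid for at least 30 more days"
```

Each device ends up with three files: its own key, its own certificate and site-ca.crt, which it uses to check the certificates of every other device at the site. The same openssl commands run in PowerShell once OpenSSL has been installed with WinGet; only the heredoc and printf steps are POSIX-shell syntax, so on Windows write site.cnf and the .ext file with an editor instead.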

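The self-signed procedure of the Digital Certificates – Self-Signed and Digital Certificates – OpenSSL sections, as an added example that is not code from the article or from Contemporary Controls' application note: it generates a self-signed certificate for a device's HTTPS web server and then runs the checks that mirror what a browser does before and after the certificate is imported into its trusted store. The device name ctl-01, the address 192.0.2.20 and the organisation name are made up for the example.

```shell
#!/bin/sh
# Added example (not from the article or the application note): a self-signed
# certificate for a device's HTTPS web UI, and the client-side checks that
# correspond to the browser warning and to the import into the trusted store.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed certificate. The device's host name and IP address go into the
# Subject Alternative Name; browsers match the URL against the SAN only.
# keyUsage is deliberately left out: OpenSSL 1.1.x only treats a certificate
# as self-signed (its own trust anchor) when keyUsage is absent or includes
# keyCertSign, and a web-server certificate has no business signing certs.
make_self_signed() {
  name="$1"; ip="$2"; days="$3"
  printf '%s\n' \
    "[ req ]" "distinguished_name = dn" "prompt = no" \
    "[ dn ]" "CN = $name" "O = Example Site" \
    "[ v3_self ]" \
    "extendedKeyUsage = serverAuth" \
    "subjectKeyIdentifier = hash" \
    "subjectAltName = DNS:$name,IP:$ip" > "$name.cnf"
  openssl req -x509 -config "$name.cnf" -extensions v3_self \
    -newkey rsa:2048 -nodes -days "$days" \
    -keyout "$name.key" -out "$name.crt" 2>/dev/null
}

# What a browser on another PC sees: an empty trust store, no anchor for
# this certificate. Returns 1 (the security warning) for a self-signed cert.
accepted_with_empty_store() {
  openssl verify -no-CAfile -no-CApath "$1" 2>/dev/null | grep -q ': OK$'
}

# After the import: the certificate itself is the trust anchor, and the name
# typed into the URL bar must match a SAN entry or the warning comes back.
accepted_after_import() {
  crt="$1"; host="$2"
  openssl verify -CAfile "$crt" -verify_hostname "$host" "$crt" 2>/dev/null \
    | grep -q ': OK$'
}

accepted_after_import_by_ip() {
  crt="$1"; ip="$2"
  openssl verify -CAfile "$crt" -verify_ip "$ip" "$crt" 2>/dev/null \
    | grep -q ': OK$'
}

# SHA-256 fingerprint of the certificate. Compare what the device's own
# interface reports with what the browser shows before you import, so that
# you install the device's certificate and not one substituted on the path.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

make_self_signed ctl-01 192.0.2.20 825
accepted_with_empty_store ctl-01.crt \
  || echo "ctl-01: not trusted without the import (browser warning)"
accepted_after_import ctl-01.crt ctl-01 \
  && echo "ctl-01: trusted after import, name matches the SAN"
echo "SHA-256 fingerprint: $(fingerprint ctl-01.crt)"
```

825 days is used as the lifetime because Apple's TLS trust policy rejects server certificates valid for longer than that. The import step itself is platform-specific and outside the example: on Windows it is the certificate MMC snap-in or the Trusted Root Certification Authorities store, as described in the application note; what the functions above show is that the import only removes the warning when the SAN matches the address you browse to.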

BACnet Europe Journal 43, 09/25