Page 33 - BACnet_Europe-Journal_43
BACnet Insight
IT department can implement their own infrastructure to generate these keys and certificates. The term PKI (Public Key Infrastructure) is used to define this setup. The building automation product vendors may also have specific software tools to implement the PKI, but the certificates and keys for all devices at a site, irrespective of their brand, must be generated from the same tool to ensure interoperability. The certificates on devices also expire and need to be renewed.

Devices used on internal networks can also employ a self-signed digital certificate to make a web browser trust your internal devices. A self-signed certificate is a type of SSL/TLS credential you sign yourself rather than having it signed by a trusted third-party CA. If you don’t have an IT department, you can generate the self-signed certificate yourself. In addition, generating a self-signed certificate for internal network devices eliminates the cost of getting a certificate from a trusted third-party CA.

Digital Certificates – Self-Signed

Self-signed digital certificates are created by signing the certificate with the owner’s private key. They are created, issued, and signed by the company or developer responsible for the website or software being signed. Unlike certificates issued by a trusted CA, no external party verifies a self-signed certificate. Self-signed certificates are fast, free, and easy to issue. They are appropriate for local development, testing, or staging environments, internal network websites, and providing secure webpages for devices. However, you must be aware of their limitations: despite the strong encryption they provide, they lack the backing of a recognized authority, so browsers on other PCs will display security warnings for them.

Digital Certificates – OpenSSL

You can generate and install a self-signed certificate using OpenSSL, a commonly used command-line utility for generating keys, creating certificate signing requests (CSRs), and managing certificates.

According to the OpenSSL documentation at https://docs.openssl.org/master/man7/ossl-guide-introduction: “OpenSSL is a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. Its features are made available via a command line application that enables users to perform various cryptography related functions such as generating keys and certificates. Additionally, it supplies two libraries that application developers can use to implement cryptography-based capabilities and to securely communicate across a network. Finally, it also has a set of providers that supply implementations of a broad set of cryptographic algorithms. OpenSSL is fully open source. Version 3.0 and above are distributed under the Apache v2 license.”

Figure: Digital certificates verify ownership and authenticity to ensure that communication occurs with authorized devices. © Creative Commons

If you don’t have OpenSSL on your Windows PC, you can install an OpenSSL package. If you are accessing the HTTPS device from a different PC, a security warning message will appear. You must download the self-signed certificate and install it in your local machine’s trusted certificate store.

For more information, Contemporary Controls has created an Application Note, How to Create and Use Self-Signed SSL Certificates, that explains how to add OpenSSL and create a self-signed certificate for Windows using the Windows Package Manager, WinGet. WinGet is a free and open-source package manager designed by Microsoft that allows users to discover, install, upgrade, remove, and configure applications on Windows 10, Windows 11, and Windows Server 2025 computers. The application note also explains how to install this self-signed certificate on the device, and how to download and install the self-signed certificate on different Windows machines to eliminate the security warning. Instructions are provided for commonly used browsers – Google Chrome, Microsoft Edge, and Mozilla Firefox – and for overcoming the Security Warning message.

Conclusion

HTTPS encrypts the transport of data to ensure data integrity and prevents information from being modified, corrupted, or stolen during transmission. SSL/TLS protocols authenticate users to secure information and ensure it won’t be revealed to unauthorized users. HTTPS requires digital certificates to validate domain ownership and integrity. For external networks, you should obtain this credential from a trusted third-party CA. Self-signed certificates are valuable for creating secure communication channels for internal networks when you control the environment. They offer quick deployment and cost savings and are ideal for testing, local development, or internal applications. Understanding these concepts is critical to implementing security for IP devices in general. For the Building Automation world based on BACnet, they provide the foundational knowledge for a successful and robust implementation of BACnet/SC.

BACnet remains the most popular protocol for HVACR control systems. There is a robust ecosystem of devices that make up these systems, including gateways for integrating other protocols such as Modbus and EnOcean into BACnet. As more and more devices are deployed to meet the requirements of today’s building management systems (BMS) and smart building infrastructures, network security is more important than ever to ensure the authentication, integrity, and confidentiality of data transmitted over the Internet.

BACnet-compliant devices with HTTPS (Secure HTTP) offer encrypted communication and protect the integrity of customer data. Integrated HTTPS web servers enable commissioning, status reporting, and troubleshooting in a secure manner through any standard web browser, thereby improving access control to the devices.

HTTPS (Secure HTTP) uses encryption for secure communication over an IP network. HTTPS traffic is encrypted with Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL). The protocol is still referred to as HTTP over SSL and is usually shown in the browser’s address bar as https://.

Digital Certificates

SSL/TLS is based on the use of keys and digital certificates for data encryption, device authentication, and data integrity. Keys come in pairs (public/private) and are used for encryption and decryption. A public key is used for encryption, while the private key is used for decryption.

Digital certificates are used for authentication and encryption to verify ownership and authenticity and to ensure that only authorized devices communicate with each other. The public key is part of the certificate, while the private key is kept secret on the device.

There are mechanisms to generate certificates and keys for a device and to scale the architecture to multiple devices.

Digital Certificates – Certificate Authority

Certificates are usually issued and managed by a trusted third party, known as a certificate authority (CA). Installing an SSL certificate for a website from a well-known CA that is trusted by all devices and browsers, such as DigiCert, Comodo, GoDaddy, or Let’s Encrypt, can enable seamless access to the website over the public Internet. The device can
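The self-signed certificate workflow described in the OpenSSL and application-note sections above, as an added example that is not from the article or from Contemporary Controls: it creates a device key and self-signed certificate with OpenSSL, puts the device’s address in the subjectAltName (browsers match on the SAN, not the CN), confirms that the certificate validates only when it is itself the trust anchor, which is what installing it in a PC’s trusted store achieves, and checks remaining validity so renewal can be scheduled before expiry. The device name and the address 192.0.2.10 (a documentation address) are constructed; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not the article's): self-signed certificate for an internal
# HTTPS device with OpenSSL. Assumes openssl 1.1.1 or newer (for -addext/-ext).
set -eu

# make_self_signed_cert <outdir> <common-name> <san-list> <days>
# Writes <outdir>/device.key (stays secret on the device) and <outdir>/device.crt
# (what you copy to each PC's trusted certificate store). The SAN must carry the
# hostname or IP the browser will use; browsers reject a cert whose SAN does not
# match the address bar, even if the CN does.
make_self_signed_cert() {
  outdir=$1; cn=$2; san=$3; days=$4
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$outdir/device.key" -out "$outdir/device.crt" \
    -days "$days" -subj "/CN=$cn/O=Example Site" \
    -addext "subjectAltName=$san" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  chmod 600 "$outdir/device.key"
}

# cert_san <cert>: print the subjectAltName so the device address can be checked
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# cert_verifies_as_self_signed <cert>: succeeds when the certificate validates
# with itself as the only trust anchor. This is exactly the situation after it
# is installed in a PC's trust store; any other PC sees a security warning.
cert_verifies_as_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_still_valid_for <cert> <seconds>: succeeds when the certificate will not
# expire within <seconds>; run it on a schedule to renew before expiry.
cert_still_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: a controller reached at https://192.0.2.10 (constructed example address)
if [ "${1:-}" = "demo" ]; then
  make_self_signed_cert ./demo-cert bacnet-controller \
    "IP:192.0.2.10,DNS:bacnet-controller.local" 365
  cert_san ./demo-cert/device.crt
  cert_verifies_as_self_signed ./demo-cert/device.crt && echo "verifies against itself"
  cert_still_valid_for ./demo-cert/device.crt 2592000 && echo "more than 30 days left"
fi
```

Run it as `sh make-device-cert.sh demo`; the same device.crt is what the application note has you import into each Windows machine’s trusted certificate store.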
BACnet Europe Journal 43 09/25 33