Smart Energy Certificate Management

All devices that operate in a ZigBee Smart Energy network must have a certificate installed that authenticates the device and allows it to securely join and communicate on the network. A certificate must be issued by the certificate authority (CA). Each certificate is tied to the 64-bit extended address of the device.

Currently there are two types of certificates issued by the CA. Production certificates are intended for use in deployed Smart Energy networks. Only devices which pass stringent testing and are officially certified may be configured with a production certificate. Test certificates may also be issued by the CA and are functionally equivalent to production certificates. However, a device configured with a test certificate will not be able to securely join and communicate on a production network. Test certificates are useful during development and test, for example when communicating with prototype devices that have not yet been certified, but should not be used in an actual deployment.

Certificates on ConnectPort X2e for Smart Energy

All ConnectPort X2e for Smart Energy gateways are certified and configured by default with a production certificate, allowing them to create or join production networks out of the box. During the course of development a test certificate may be installed. The gateway’s original production certificate can be restored at any time by removing the test certificate.

The Digi Smart Energy Web Tool provides an especially simple user interface to request and program certificates on the gateway. Refer to this section for general certificate information but see Digi-SE Certificates for instructions on how to request and program a test certificate.

Certificates on Standalone XBee Modules

Standalone XBee modules, such as the XStick SE, do not implement a specific Smart Energy device and so cannot be certified directly but only as components in larger systems. Due to this fact, standalone XBee modules cannot be preconfigured with production certificates and will not be able to securely communicate with a Smart Energy gateway out of the box.

In order for the standalone XBee to securely communicate on a Smart Energy network a test certificate will need to be obtained from a certificate authority and installed. Additional test certificates may also be necessary for other devices that are configured with production certificates, such as the ConnectPort X2e for Smart Energy.

Obtaining Test Certificates

The easiest way to request a certificate is to use Digi-SE Certificates. You will need a Device Cloud account and a Certicom account to use this tool.

Determining EUI of a ConnectPort X2e for Smart Energy

The EUI of a Smart Energy gateway’s XBee radio may be determined in several ways depending on available access.

  • Through the Device Cloud portal, launch the Device Manager. Once the Device Manager has loaded, double-click on your device and select Diagnostics under System Information. The EUI will be displayed as gateway_addr under Mesh Network Information.

  • The get_zigbee_network_status RPC command will return the EUI of the gateway’s XBee, among other information:

    <get_zigbee_network_status/>
    

Determining EUI of a Standalone XBee Module

The EUI of a standalone XBee module serially attached to your computer can be obtained in the following ways.

  • Run the In-Premise Display/Meter Simulator sample on page 33 and open the serial port associated with the XBee. Once opened, the XBee’s EUI will be displayed under XBee Settings.
  • Run X-CTU (see Resources on page 7), and open the serial port associated with the XBee. Once the serial port has been opened and communication established, click the Modem Configuration tab and then the Read button under Modem Parameters and Firmware. Once all modem parameters are read, the high 32 bits of the EUI are listed as SH - Serial Number High and the low 32 bits are listed as SL - Serial Number Low, both under the Addressing subfolder.

Installing Certificates

Certificates obtained from Certicom should have the following format where ######## will be a long hexadecimal number for each entry.

CA Public Key: ########
Device Implicit Cert: ########
Device Private Key: ########
Device Public Key: ########

To install certificates onto either the ConnectPort X2e for Smart Energy or a standalone XBee, AT commands must be sent to configure the CA Public Key (ZU), Device Implicit Cert (ZT), and Device Private Key (ZV). Be careful to avoid any leading or trailing whitespace when copying these values.

Installing Certificates on the ConnectPort X2e for Smart Energy

Use the xbee_AT RPC command to install a certificate. After installing a certificate, the XBee should be made to reform or leave its current network, depending on whether the XBee is a coordinator or router. This is because it would not make sense to remain on the current network with a changed certificate.

Execute the following RPC commands in this order:

1. Configure CA Public Key

<xbee_AT>
        <command type="string">ZU</command>
        <value type="base16">########</value>
</xbee_AT>

2. Configure Device Implicit Cert

<xbee_AT>
        <command type="string">ZT</command>
        <value type="base16">########</value>
</xbee_AT>

3. Configure Device Private Key

<xbee_AT>
        <command type="string">ZV</command>
        <value type="base16">########</value>
</xbee_AT>

4. Write settings to non-volatile flash

<xbee_AT>
        <command type="string">WR</command>
</xbee_AT>

5. Restart the XBee’s firmware

<xbee_AT>
        <command type="string">FR</command>
</xbee_AT>

6. Have the XBee leave or reform its current network

<leave_network/>
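
The parsing and ordering described above, as an added example (not Digi's code): it reads a Certicom-format block, strips stray whitespace, rejects values that are not clean hexadecimal, and builds the six RPC requests in the documented order. The function names and the short sample values are constructed for illustration; how the requests are delivered to the gateway is outside the example.

```python
import re

# Certicom label -> AT command that stores it, in the order the page gives.
FIELD_TO_AT = [("CA Public Key", "ZU"),
               ("Device Implicit Cert", "ZT"),
               ("Device Private Key", "ZV")]

# Constructed sample: placeholder values, far shorter than real keys,
# with stray whitespace of the kind a copy/paste tends to introduce.
SAMPLE = """CA Public Key:   0a1b2c3d
Device Implicit Cert: 11223344\t
Device Private Key: 55667788
Device Public Key: 99AABBCC
"""

def parse_certicom(text):
    """Return {label: HEX} for every 'Label: value' line, whitespace stripped."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        # Never echo the value in the error: it may be the private key.
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
            raise ValueError(f"{label}: not a clean hex string")
        fields[label] = value.upper()
    missing = [name for name, _ in FIELD_TO_AT if name not in fields]
    if missing:
        raise ValueError("missing: " + ", ".join(missing))
    return fields

def xbee_at(command, value=None):
    """Build one xbee_AT request in the shape shown in the steps above."""
    body = f'<command type="string">{command}</command>'
    if value is not None:
        body += f'<value type="base16">{value}</value>'
    return f"<xbee_AT>{body}</xbee_AT>"

def install_requests(text):
    """ZU, ZT, ZV, then WR, FR and leave_network, in the documented order."""
    fields = parse_certicom(text)
    requests = [xbee_at(at, fields[name]) for name, at in FIELD_TO_AT]
    return requests + [xbee_at("WR"), xbee_at("FR"), "<leave_network/>"]

if __name__ == "__main__":
    print("\n".join(install_requests(SAMPLE)))
```

The Device Public Key line is validated but never sent, since no AT command on this page takes it.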

Installing Certificates on a Standalone XBee Module

The easiest way to install a certificate on a standalone XBee module is to use Digi-SE Certificates.

If this is not possible, X-CTU may also be used to send the necessary AT commands. However, X-CTU does not provide direct support for the certificate AT commands. The command packets must be manually created, entered into the Terminal tab, and sent to the XBee. (To download X-CTU, see Downloads; for the XBee SE Manual, see the Online Documentation.)

Reverting/Uninstalling Certificates

Certificates may be removed from either the ConnectPort X2e for Smart Energy or a standalone XBee. Follow the instructions in the appropriate section for installing a certificate, but use a value of 0 for the ZU (CA Public Key), ZT (Device Implicit Cert), and ZV (Device Private Key) commands.

A ConnectPort X2e for Smart Energy will revert to its original production certificate when this procedure is followed.

Production Certificates and Modifications

The ConnectPort X2e for Smart Energy underwent official testing through National Technical Systems (NTS) for Smart Energy certification to allow installation of production certificates. The ZigBee Smart Energy Test Specification and other ZigBee documents provide a set of guidelines for what hardware and/or software changes may require recertification. When making any modifications reference these documents and determine if recertification may be required. Digi International may be able to provide support for recertification. Contact your Sales Representative for more details.