# Ability PKI
Ability Public Key Infrastructure consists of services that cover the need to use X.509 certificates for entity authentication. Certificates rooted in the Ability ROOT CA are used to authenticate devices connecting to the Ability Platform. This article focuses on using the PKI for this purpose.
Each business line is required to request its own profile in order to issue device certificates. All the configuration required to enable the production profile is done by the Ability PKI team at the request of the BL. The BL requests are submitted through the Ability Service Now tracker.
The Ability RA (Registration Authority) is publicly accessible on the Internet. A device can request an X.509 certificate signed by an issuing CA rooted in the Ability ROOT CA by sending a CSR using the SCEP protocol. The request is authorized based on the challenge password and common name fields specified in the CSR. The protocol is widely described on the Internet and is not covered in this article. Please refer to this RFC document for a good start.
# PKI Environments
The Ability team provides the environments needed at every stage of the software development cycle. Apart from the production profile, which is configured for each product line individually, there are two environments prepared for development and testing respectively. These environments are for the general use of the BLs and are not designed to fulfil any specific scenario. Their configurations differ so that each reflects its typical usage.
# Development Environment
As mentioned previously, the development environment is preconfigured and shared among BLs. The challenge password for requests coming to this endpoint is not tied to the requested common name of the certificate and is rolled on a monthly basis. This means that the CA will issue a certificate to a requester as long as it sends a CSR with a password that is valid at the time of the request and the CSR has its fields configured in the way described in this chapter.
# Testing Environment
The testing environment allows you to check your implementation of PKI-related processes and it issues certificates rooted in the ABB Ability™ TEST ROOT CA. Just like the production environment, a successful enrollment requires the list of allowed DeviceIDs along with the matching enrollment codes to be preconfigured in the system. Please note that this profile is intended to be used only while testing PKI-related scenarios (e.g. provisioning enrollment codes to devices, generating the CSV enrollment file, etc.). For all other tests (not related to PKI enrollment), the Development Environment should be more suitable.
# Pre-Production environment
The pre-production environment is a dedicated Ability PKI environment that allows you to test your PKI-related deployment procedures and processes. This environment is provided for you to perform final testing of the certificate management-related flows. It should not be used for obtaining certificates for devices or scenarios taking part in product functional testing.
# Examples of test-cases for pre-production environment
- Renewing a certificate on the device directly connected to the Azure IoT Hub.
# Production environment
The profile on the production environment is created for each product line separately, resulting in a different SCEP endpoint being used by each BL. Prior to production, the BL is responsible for specifying all the configurable properties of the profile. Before producing a batch of devices, the BL is required to generate a CSV file containing two columns: the first one holding the DeviceIDs generated using an RFC 4122 compliant tool, and the second one holding the enrollment codes intended to be used with the corresponding DeviceIDs. The file has to be delivered to the Ability PKI team (for now it has to be delivered by email). The file is then uploaded by the PKI team to the system, and from that moment on the BL is ready for production. The detailed steps are described in the Apply Manual Production Process article.
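The two-column enrollment CSV mentioned here and in the testing-environment section can be produced and sanity-checked before it is sent to the PKI team. The script below is an added example, not an ABB tool; the header-less `DeviceID,EnrollmentCode` layout, the 128-bit code length and the validation rules are assumptions, not requirements taken from the Ability documentation.

```python
"""Generate and validate an enrollment CSV batch (added example, not ABB code).

Assumed layout: one row per device, no header, DeviceID first, code second.
DeviceIDs are RFC 4122 version-4 UUIDs; codes come from the OS CSPRNG."""
import csv
import io
import secrets
import uuid

CODE_BYTES = 16      # assumed: 128 bits of entropy per enrollment code
MIN_CODE_LEN = 16    # assumed: reject obviously weak or truncated codes


def generate_enrollment_rows(count):
    """Return a list of (device_id, enrollment_code) tuples."""
    return [(str(uuid.uuid4()), secrets.token_urlsafe(CODE_BYTES))
            for _ in range(count)]


def write_enrollment_csv(rows):
    """Serialise rows as CSV text in the assumed DeviceID,code order."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def validate_enrollment_csv(text):
    """Check a batch before hand-over; returns a list of problems (empty = OK).

    Catches malformed or non-RFC 4122 DeviceIDs, duplicate IDs (which would
    make enrollment ambiguous) and short or reused enrollment codes."""
    problems, seen_ids, seen_codes = [], set(), set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        device_id, code = row
        try:
            parsed = uuid.UUID(device_id)
        except ValueError:
            problems.append(f"line {lineno}: DeviceID is not an RFC 4122 UUID")
            continue
        if parsed.variant != uuid.RFC_4122:
            problems.append(f"line {lineno}: DeviceID has a non-RFC 4122 variant")
        if device_id in seen_ids:
            problems.append(f"line {lineno}: duplicate DeviceID {device_id}")
        if len(code) < MIN_CODE_LEN or code in seen_codes:
            problems.append(f"line {lineno}: enrollment code too short or reused")
        seen_ids.add(device_id)
        seen_codes.add(code)
    return problems
```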
# Environment details
There is a separate article listing the environment details.