# Frequently asked questions

# Can we use Ability PKI provided certificates for device embedded web applications?

No. A web server and a browser need certificates that browsers trust and that follow the CA/Browser Forum standards.

# Can we use Ability PKI provided certificates for on-premise device to device (e.g. OPC-UA) communication?

No. While in principle they are the same type of certificate, the Ability PKI (internet) should not be accessible from the core layers of a control system. Quite often our customers want to use a private PKI for this purpose. A service for this does not currently exist in ABB.

# Can we use Ability PKI provided certificates as Vendor/Birth certificate proving (throughout its lifetime) who manufactured the device?

No. Although the certificate is used to authenticate the device, it does not support the indefinite lifetime that true birth/vendor certificates (e.g. those following IEEE 802.1AR) require.

# Can we use Ability PKI provided certificates for secure boot (sign firmware)?

No. Ability PKI provided certificates are issued to authenticate TLS connections, not to sign firmware that is verified during the boot process.

# Can we use any other CA for our solution? Does it have to be rooted in ABB Root CA?

Technically it is possible, but you are strongly encouraged to use the Ability PKI. For 2020 the service is provided at no cost to the BU.

# What is a validity period for the leaf certificates?

For the Ability PKI the maximum validity period of a leaf certificate is 3 years, although a profile can be configured to issue certificates with a shorter validity. To check the parameters of the shared profiles, please read the environments article.

# What key lengths are allowed for use?

The supported key length is 2048 bits (RSA).

# Can we create RSA private keys on the factory provisioning PC and upload them to the IoT device over a trusted LAN, rather than create them in a secure element on the device itself?

No. The Ability Edge uses a TPM chip to generate and store the private key that later signs the CSR. The key never leaves the chip: every cryptographic operation is performed inside the TPM, which has sole access to the key, and this is what protects the private key. That is why the RSA key pair cannot be generated outside the device.

# Where can I obtain a Certification Policy from?

You can obtain the Certification Policy from the Ability PKI team by following the production environment onboarding procedure.

# What is the correct URL to the production RA (SCEP)? What about the Testing RA?

Please read the overview article for general knowledge about the Ability PKI profiles and operations. You can also refer to the environments article for details regarding a specific profile.

# What is the cost of the certificate per device and for volume purchases by Solution/BL?

Ability PKI is a service provided by ABB's PKI Team (part of the Group IS organization), and the cost of its operation is funded by Group IS. For 2020 it was decided that there will NOT be any back charging from this service to the Businesses. How this will be handled in 2021 and later is a decision that Group IS will take in collaboration with the Business IS organizations; for more clarity, reach out to the respective Business's CIO. Generally the cost depends on the volume (number of certificates) used annually: the more we request, the lower the unit cost. The exact cost per tier is negotiated annually between Group IS SCM and DigiCert (or an alternative service provider).

# Can we use other enrollment protocols instead of SCEP?

Currently the only protocol supported in the online enrollment procedure is SCEP.

# Can we use Elliptic Curve algorithms?

No, Elliptic Curve algorithms are not supported by the Ability PKI. For now only RSA is supported.

# Do we have to generate the key-pair inside the device?

Yes, see the answer above about creating RSA private keys on the factory provisioning PC.

# Can we extend the lifetime of an OTP beyond 24 hours?

The term OTP does not apply to Ability PKI in the current release. For the shared profiles, the validity of the enrollment code/password is described in the environments article. For a production profile, the validity time of the enrollment codes can be specified during the profile creation procedure; the maximum value is 30 days.

# Can we get access to more error code information?

Please refer to the article published by DigiCert available here.

# Do we have to connect our devices to the internet during manufacturing?

Not necessarily. Ability PKI issued certificates for Directly Connected Devices can also be obtained through the offline onboarding procedure.

# Do we have to enroll during manufacturing?

Successful enrollment of a device depends on providing the correct credentials in the CSR and sending it to a working Ability PKI RA. The endpoints are publicly available on the internet, so technically the enrollment does not have to take place in the factory during manufacturing. The BU is, however, responsible for the safe delivery of the sensitive data (the enrollment code) to the device and for ensuring that the device is indeed ABB hardware.

# Can we enroll into the PKI during commissioning or at customer site?

As described in the previous answer, it is possible. One example would be a technician providing the credentials through a web app hosted on the device and exposed on the LAN. As long as the minimum required security is in place, such a procedure can be implemented. Ability does not provide a ready solution for these use cases, however, so they have to be considered individually.

# Can we use these certificates in China?

Yes. The certificates are issued to devices manufactured around the world, and their use does not depend on the country of issue.

Last updated: 1/10/2022, 11:05:26 AM