First Provisioning; Device Identifier; Certificate Renew - ABB AWT420 Manual

Universal 4-wire, dual-input transmitter

AWT420 UNIVERSAL 4-WIRE, DUAL-INPUT TRANSMITTER | COM/AWT420/ETHERNET-EN REV. C

First provisioning

This procedure configures the AWT420 internal HSM to create
self-signed digital certificates that allow secure network
connections to be established. At the end of the provisioning
phase, a self-signed digital certificate is created. This
certificate is sent to the client web browser during the SSL/TLS
message handshake.

Because the certificate created with this procedure is
self-signed, the web browser raises a warning to indicate it is
unable to verify the identity of the AWT420, as the certificate
issuer is unknown. The browser offers the option to view the
digital certificate and to add a security exception, so that it is
subsequently accepted for the next web sessions.

The following table shows some of the information displayed
on the certificate:

Field                     Value
Version                   V3
Signature algorithm       sha256ECDSA
Signature hash algorithm  sha256
Issuer                    abb.com <deviceId>, ABB Ltd., UK
Valid from                <certificate creation date>
Valid to                  <certificate expiration date>
Subject                   AWT420 abb.com, ABB.Ltd., UK
Public key parameters     ECDSA_P256 (the Elliptic Curve Cryptography curve used to create the private/public key pair)

Table 1 Certificate information

Refer to page 10 for configuration details.

Device identifier

The Device Identifier is a 16-bit value created in the AWT420
device during the first provisioning phase that remains the
same for the lifetime of the device. The operator can use it to
confirm the device is the expected one. It works as a
'two-factor' authentication method, because it is locally configured
on the instrument and is unique to it.

It is the responsibility of the operator to make sure that this value is
not available to external parties that may access the device
locally. Also, the operator should check with the web browser
that the Device Identifier reported in the digital certificate is
the same as the one configured locally on the device.

The following screenshot shows an example of a Device
Identifier embedded in an AWT420 digital certificate:

Figure 5 Digital Certificate example

The highlighted item (1161) is the Device Identifier. The same
value is shown in the AWT420 HMI interface.

Certificate renew

The First Provisioning procedure creates a digital certificate
that is valid for 3 years. After this time, the user should create a
new certificate valid for the next 3 years.
To renew the device certificate, select 'Certificate renew' in the
device's HMI. To renew the security exception in the user's web
browser, delete the previous exception (refer to the web
browser documentation for details) and re-connect to the
instrument, adding the exception with the new certificate
data from the instrument.
Refer to page 10 for configuration details.
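
The checks the operator makes by eye in the browser (Device Identifier in the Issuer, the algorithm fields of Table 1, the validity period) can also be scripted. The following is an added example, not part of the ABB manual; it uses the Python `cryptography` package, and the function names, the placement of the identifier in the Issuer common name, and the sample certificate are assumptions constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def expiry(cert):
    try:  # timezone-aware accessor in newer 'cryptography' releases
        return cert.not_valid_after_utc
    except AttributeError:  # older releases expose a naive UTC datetime
        return cert.not_valid_after.replace(tzinfo=UTC)

def check_device_cert(cert, hmi_device_id, now):
    """Compare a device certificate with Table 1; return (problems, days_left)."""
    problems = []
    # The Device Identifier read from the HMI must appear as a token in the Issuer.
    tokens = {t.strip(",") for attr in cert.issuer for t in str(attr.value).split()}
    if hmi_device_id not in tokens:
        problems.append("issuer does not carry the expected Device Identifier")
    if not isinstance(cert.signature_hash_algorithm, hashes.SHA256):
        problems.append("signature hash is not sha256")
    pub = cert.public_key()
    if not (isinstance(pub, ec.EllipticCurvePublicKey) and isinstance(pub.curve, ec.SECP256R1)):
        problems.append("public key is not ECDSA P-256")
    else:
        try:  # self-signed: the signature must verify under the certificate's own key
            pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            problems.append("signature does not verify with the certificate's own key")
    days_left = (expiry(cert) - now).days  # negative once 'Valid to' has passed
    if days_left < 0:
        problems.append("certificate expired; run 'Certificate renew' on the HMI")
    return problems, days_left

def build_sample_cert(device_id, created):
    """Constructed stand-in for a device certificate (attribute layout is assumed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                          x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ABB Ltd."),
                          x509.NameAttribute(NameOID.COUNTRY_NAME, "UK")])
    return (x509.CertificateBuilder()
            .subject_name(name("AWT420 abb.com")).issuer_name(name(f"abb.com {device_id}"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(created).not_valid_after(created + dt.timedelta(days=3 * 365))
            .sign(key, hashes.SHA256()))
```

For a real device, load the certificate exported from the browser with `x509.load_pem_x509_certificate()` and pass the Device Identifier exactly as it is displayed on the HMI.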