Security

1. IP ports

1st IP port (HTTPS)

Primary IP port for secure (encrypted) communication.
Default value: 443.
Some reserved ports must not be used!

Create certificate

Select here which type of certificate the device should use:
Setting | Comment
Device creates certificate (with IP address as CN) | The device creates a certificate. When generating the certificate, the IP address of the HS/FS is used as Common Name (CN). Generation can be triggered again under /hscert.
Device creates certificate (with configured CN) | The device creates a certificate. When generating the certificate, the text entered in the Common Name (CN) field is used as Common Name (CN). Generation can be triggered again under /hscert.
Load certification onto the device | The option for uploading a certificate is enabled. The certificate to be uploaded must be available as a .pem file and must not be password-protected. Until a certificate has been uploaded, the device uses a certificate that was created according to the "Device creates certificate (with IP address as CN)" setting.

Common Name (CN)

This text is used if a certificate is to be generated by the HS/FS for this port using the "Device creates certificate (with configured CN)" option.

2nd IP port (HTTPS)

Same as 1st IP port (HTTPS), except that the use of this port is optional.
Default setting (value): deactivated (8443).

Create certificate

Common Name (CN)

IP port (HTTP, unencrypted)

If this option is activated, a port can be defined for unencrypted communication via HTTP.
Default setting (value): deactivated (80).

If this option is used, project and firmware transfers are carried out unencrypted, and the HS/FS end points (e.g. lists, archive, debug page, etc.) can be reached via HTTP on the port entered here.

2. Certificate (Root CA)

Validity (in days)

The validity period of the Root certificate can be defined here.
Minimum value: 90 days.
Default value: 3650 days (~ 10 years).

3. Monitoring of certificates

Time (hh:mm)

Defines the time of day at which the validity of the certificate is checked during operation.
Default value: 00:01.

Generation (days before expiry)

When a certificate created by the HS/FS has only the number of days specified here left before it expires, the HS/FS creates a new certificate.
The earliest possible point in time for an automatic regeneration is 90 days before expiry.
Default value: 1.
Important
If a certificate is uploaded to the HS/FS via the web interface (https://HS_IP/hscert), this setting has no effect on this certificate!
A Status object displays the difference (in days) between the current date and the next validity expiry of a certificate.
Note
If the root certificate is stored in the certificate manager of the system or browser, it must be removed after renewal and the newly created root certificate must be added again!

4. General information

4.1. Managing certificates

You can view all information on the current certificates at https://HS_IP/hscert.
This URL is also used to have the HS/FS generate certificates and/or to upload certificates onto the HS/FS. No user details are required to retrieve this page; the individual functions, however, do require them. (See certificate management.)

Behaviour during initial start of the HS/FS with firmware 4.7 or higher is described here.

4.2. Supported interfaces

The interfaces listed in the table are available for all configured ports:
Interface | Call
Lists | /hslist
Visu / Menu / Query | /hs
QuadClient / Apps |
Certificate management | /hscert
Communication object gateway | /cogw
HSUpload area | /opt
Upload KNX Secure keyring file | /hsknxkeys
Accessing the if-then logic node (Example) | URL can be configured in the project. Standard: /if/
Accessing the Scenes logic node (Example) | URL can be configured in the project. Standard: /scenes/

5. Reserved ports

Important
The following ports are reserved and must not be used:
- range 60000-60009
- 60080
- range 65000-65002
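
The limits stated on this page (reserved ports, the 90-day minimum for the Root CA validity, the 90-day ceiling for automatic regeneration, and the unencrypted HTTP option) can be checked against a planned configuration before it is transferred. The following is an added example, not part of the HS/FS software or its documentation; the dictionary keys (https1, https2, http, root_ca_days, regen_days) and both sample configurations are hypothetical and constructed for illustration.

```python
# Added example: audit planned HS/FS security settings against this page's limits.
# All key names are hypothetical; None means the port is deactivated.
RESERVED = [range(60000, 60010), range(60080, 60081), range(65000, 65003)]


def is_reserved(port):
    """True if the port lies in one of the reserved ranges listed on the page."""
    return any(port in r for r in RESERVED)


def audit(cfg):
    """Return a list of (severity, message) findings for a planned configuration."""
    findings = []
    active = {n: cfg.get(n) for n in ("https1", "https2", "http")
              if cfg.get(n) is not None}
    seen = {}
    for name, port in active.items():
        if not 1 <= port <= 65535:
            findings.append(("error", f"{name}: {port} is not a valid TCP port"))
        elif is_reserved(port):
            findings.append(("error", f"{name}: {port} is reserved"))
        # General TCP constraint (not stated on the page): one listener per port.
        if port in seen:
            findings.append(("error", f"{name} and {seen[port]} both use {port}"))
        seen.setdefault(port, name)
    if "http" in active:
        findings.append(("warning",
                         "HTTP enabled: project and firmware transfers are unencrypted"))
    if cfg["root_ca_days"] < 90:
        findings.append(("error", "Root CA validity is below the 90-day minimum"))
    if cfg["regen_days"] > 90:
        findings.append(("error",
                         "regeneration cannot start earlier than 90 days before expiry"))
    return findings


# Constructed sample configurations: a weak one and its corrected form.
WEAK = {"https1": 60080, "https2": 8443, "http": 80,
        "root_ca_days": 30, "regen_days": 120}
FIXED = {"https1": 443, "https2": None, "http": None,
         "root_ca_days": 3650, "regen_days": 30}

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(label)
        for severity, message in audit(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```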