IED Certificate Overview

The Industrial Edge Device (IED) runs a gateway that provides UI and API endpoints accessible by browsers and other clients. To ensure secure communication between clients and the gateway, encrypted connections are established. This encryption depends on digital certificates, which must be properly managed on the IED.

NOTICE

For more information, refer to Certificates in Industrial Edge.

Managing the Gateway Certificate of an IED

During the onboarding process, the Industrial Edge Device (IED) automatically generates a TLS certificate bound to its specific IP address. To establish secure communication, clients (such as browsers or operating systems) must trust this certificate.

Typically, this requires manually importing the generated certificate into the client’s local trust store. To eliminate this manual step and simplify trust management, it is recommended to replace the default certificate with one signed by a trusted Certificate Authority (CA), either:

  • Public Certificate Authority (CA)
  • Private Enterprise Certificate Authority (CA)

NOTICE

See Manage IED Gateway Certificates for more information on how to replace the default certificate.

Managing the Trust Store of an IED

Since the Industrial Edge Device (IED) connects to the Industrial Edge Management (IEM), a trust relationship between the two must be established. This is handled automatically during the IED onboarding process: the IEM includes its root certificate in the onboarding configuration file. The IED then automatically imports this certificate into its local trust store.

Impact of changing the IEM's root certificate

If the root certificate of the IEM is changed or updated, the IED will no longer trust the IEM and will not connect to it. To reestablish trust between the IEM and the IED, the new root certificate of the IEM has to be imported into the local trust store of the IED again. This can be done manually in the IED UI.
See Manage IED Certificate Trust Store for more details.
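
The following added example (not part of the Industrial Edge documentation or tooling) uses OpenSSL to model the two behaviours described above: a certificate bound to an IP address, and a trust store that rejects a peer after its root certificate changes until the new root is imported. The CA names, file names and the address 192.0.2.10 are constructed for illustration, and the `openssl verify` call is an assumed stand-in for the validation the IED performs.

```shell
#!/bin/sh
# Constructed demo: every name, address and path here is made up for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA (stands in for an IEM root certificate).
make_root() {  # $1 = basename, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate signed by the given root and bound to an IP SAN.
issue_leaf() {  # $1 = root basename, $2 = leaf basename, $3 = IP address
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Succeed only if the leaf chains to the trust store AND matches the expected IP.
trusted() {  # $1 = trust store PEM, $2 = leaf basename, $3 = expected IP
  openssl verify -CAfile "$1" -verify_ip "$3" "$WORK/$2.crt" >/dev/null 2>&1
}

# Scenario: the trust store holds the old root, then the peer moves to a new root.
demo() {
  make_root old_root "Constructed IEM Root (old)"
  make_root new_root "Constructed IEM Root (new)"
  issue_leaf old_root peer_before 192.0.2.10
  issue_leaf new_root peer_after  192.0.2.10
  cp "$WORK/old_root.crt" "$WORK/truststore.pem"       # imported at onboarding
  trusted "$WORK/truststore.pem" peer_before 192.0.2.10 && echo "before change: trusted"
  trusted "$WORK/truststore.pem" peer_after  192.0.2.10 || echo "after change: rejected"
  cat "$WORK/new_root.crt" >> "$WORK/truststore.pem"   # manual import of the new root
  trusted "$WORK/truststore.pem" peer_after  192.0.2.10 && echo "after import: trusted"
}

demo
```

The same `trusted` check with a different address fails even when the chain is valid, which is why a certificate bound to one IP address has to be reissued if the device address changes.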