The XBee for Wi-SUN comes with its own unique, factory-set Initial Device Identifier (IDevID). The IDevID consists of a private key and a public certificate, both of which are used in authenticating and securing connections with other nodes on the Wi-SUN network.

The private key is immutable and is wrapped in the secure element, such that it can never be read from the module. The public certificate, also saved on the module in the factory, does not have the same level of protection as the private key.

If you wish to deploy your own security certificates and keys onto the module, you can configure the XBee for Wi-SUN to use the Locally Significant Device Identifier (LDevID) instead of the IDevID. You can also load a customer CA certificate chain, depending on your configuration needs. The Digi certificate authority (CA) certificate is known to both the XBee modules and the Digi Border Routers, and it is this shared trust that authorizes a module to join the Wi-SUN network.

Load user certificates onto the module

You can load any of the following PEM-formatted files onto the module:

  • private_key.pem: contains the customer’s private key; part of the LDevID.

  • public_cert.pem: contains the customer’s public certificate; part of the LDevID.

  • ca_certs.pem: used to verify the identity of the border router; customer CA certificate chain.

Private keys and public certificates must be changed in pairs. For example, if you load a custom private key, you must load a custom public certificate as well.

To load these files onto the module, use the following steps:

  1. Place each file into the /flash/cert/ directory. The files must be named exactly as specified above, otherwise the module does not detect them.

  2. Once the file(s) are in the directory, issue a UC (Load Certificates) command to prompt the module to validate and load the certificates.

    • The private key is encrypted by the secure element so it cannot be read from any FLASH or RAM address.

    • The other certificates are considered public and can be extracted from FLASH.

For security reasons, all three files will be deleted after the successful execution of the UC command to prevent unauthorized access to the private key. Additionally, if these files are detected during bootup, they will also be removed.

LDevID options

User certificate options are set up by the DO (Device Options) command using bits 1 and 2. (Bit 0 is used to show extended join status messages.) In this description, bit 0 is 0.

DO bits 1 and 2   Behavior
0 (0x00)          If user certificates are loaded, use the customer device identity and trust only the customer CA. Otherwise, use the factory identity and the Digi CA.
1 (0x02)          Use device identity, trust any customer CA.
2 (0x04)          Use device identity, trust Digi and any customer CA.
3 (0x06)          Use customer identity, trust Digi and any customer CA.

To support these options, the customer may load the device identity, the CA certificate chain, or both.

Remove user certificates from the module

User certificates can be removed by issuing the XC (Clear Certificates) command. If the user certificates are removed, the module will default to using the factory certificates instead.