CIP Security Certificate Management Object

All the Common Industrial Protocol™ (CIP) technologies – EtherNet/IP™, CompoNet™, ControlNet™, and DeviceNet™ – are object-based technologies. That means that users interact with CIP devices by interacting with the objects implemented in those devices.

There are three components to a CIP object: Attributes identify the data managed by an object, Services define the actions an object can perform at the request of an external device, and Behaviors describe the state of an object as it reacts to service requests and external stimuli.

This article describes the CIP Security Certificate Management object and is the second of three articles on CIP Security objects. The previous article in this series described the CIP Security object and the following article describes the EtherNet/IP Security object. A later article will also describe the changes to the TCP/IP object to support CIP Security.

CERTIFICATE MANAGEMENT OBJECT

DESCRIPTION: The Certificate Management object (CMO) is the CIP Security object that manages the X.509 certificates maintained by the device and creates Certificate Signing Requests (CSR). Signing requests are applications to a Certificate Authority for creation of an X.509 certificate. In some commissioning applications, a configuration tool will request the CMO to create a signing request. The CMO stores the request in the File object where it can be read by the configuration tool and used to obtain a certificate from a Certificate Authority local to the application.

INSTANCES: Unlike the other CIP Security objects, there are multiple instances of the CMO. Instance 1 manages the default X.509 certificate while additional instances manage any additional certificates loaded into the device.

CLASS ATTRIBUTES: Object class attributes for the CMO include attributes that contain the number of certificates in the device, the names of each of those certificates and a link to the File object instance where they are stored. Other class attributes indicate whether the device supports the PULL or PUSH model of certificate commissioning and which type of certificate encoding is supported.

INSTANCE ATTRIBUTES: The Certificate Management object supports a number of attributes, three of which are described here: a current State attribute that maintains the object state, a Device Certificate attribute that describes the certificate for the device and a Certificate Authority attribute that describes the certificate for the Certificate Authority.

The current State attribute specifies the state of the instance and can assume one of five values:

0  Non-existent
1  Created
2  Configuring
3  Verified
4  Invalid

When an instance is created, the state is set to Created. While a certificate in the instance is being configured, the state is Configuring. If that certificate is examined and deemed valid, the state becomes Verified. If it fails validation, the state becomes Invalid.

The Device Certificate attribute contains the certificate for the device, and the Certificate Authority attribute contains the certificate for the Certificate Authority. Both attributes are structures that contain a status for that certificate (not validated, valid or invalid) and the link to the File object where the physical certificate is stored.

COMMON SERVICES: The CIP Security object supports several common services including Get Attribute All, Get/Set Single Attribute, Create and Delete. The Create and Delete services are used to create and delete instances of the Certificate Management object.

OBJECT SPECIFIC SERVICES: The CMO also supports two object-specific services: CREATE_CSR and VERIFY_CERTIFICATE. External configuration tools use the CREATE_CSR service to build a Certificate Signing Request that can be used to request a certificate from a local Certificate Authority. Once a certificate is loaded, the VERIFY_CERTIFICATE service validates the certificate per the rules described by the EtherNet/IP Security object (see the next article in this series). This service sets the status attribute for the certificate to valid or invalid.

BEHAVIORS: The behavior of the CMO is specified by a state transition diagram. In the case of the CMO, the state diagram is extremely simple. It specifies the transition of a certificate instance from the non-existent state to the valid or invalid state. The result of the VERIFY_CERTIFICATE service sets the certificate status field and moves the instance to a valid or invalid state.
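
The state transitions described above, modelled as an added Python example (not code from the article or from the CIP specification): it replays constructed per-instance event traces and reports every instance that does not end cleanly in Verified. The event names and the rule that Delete is accepted from any existing state are assumptions of this model.

```python
from enum import IntEnum

class State(IntEnum):
    """Values of the CMO instance State attribute, as listed in the article."""
    NON_EXISTENT = 0
    CREATED = 1
    CONFIGURING = 2
    VERIFIED = 3
    INVALID = 4

# Transitions the article describes. Event names are labels invented for this
# model; they are not CIP service codes.
TRANSITIONS = {
    (State.NON_EXISTENT, "create"): State.CREATED,
    (State.CREATED, "configure"): State.CONFIGURING,
    (State.CONFIGURING, "verify_ok"): State.VERIFIED,
    (State.CONFIGURING, "verify_fail"): State.INVALID,
}

def replay(events):
    """Replay one instance's trace; return (final_state, rejected events)."""
    state, rejected = State.NON_EXISTENT, []
    for index, event in enumerate(events):
        if event == "delete" and state != State.NON_EXISTENT:
            state = State.NON_EXISTENT  # assumption: Delete works in any existing state
        elif (state, event) in TRANSITIONS:
            state = TRANSITIONS[(state, event)]
        else:
            rejected.append((index, state.name, event))  # state stays unchanged
    return state, rejected

def audit(traces):
    """Return the instances that are not cleanly in the Verified state."""
    findings = {}
    for instance_id, events in traces.items():
        state, rejected = replay(events)
        if state != State.VERIFIED or rejected:
            findings[instance_id] = (state.name, rejected)
    return findings

# Constructed sample traces keyed by CMO instance number (1 = default certificate).
SAMPLE = {
    1: ["create", "configure", "verify_ok"],
    2: ["create", "configure", "verify_fail"],
    3: ["create", "verify_ok"],  # verification attempted before Configuring
    4: ["create", "configure", "verify_ok", "delete"],
}
```

Calling `audit(SAMPLE)` leaves instance 1 out of the findings and reports instances 2, 3 and 4 with their final state and any rejected events.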