Servers that use PushManagement (see 7.4) to initialize their configuration shall have a default Certificate assigned before the PushManagement process can start.

In addition, Servers shall go into a “setup state” that makes it possible for remote Clients to update the security configuration via the ServerConfiguration Object (see 7.10.2). When a Server is in the “setup state” it should limit the available functionality.

Once a Server has been configured, it automatically leaves the “setup state”. This step is necessary to ensure that security is not compromised.

A possible workflow for implementing the “setup state” is:

  1. A flag in the configuration file that defaults to ON;
  2. Always allow Clients to connect securely if the TrustList is empty;
  3. Connect to the Server after toggling a physical switch on the device which enables access for a short period.

  1. Provide a new Certificate and Trust List;
  2. Set the configuration flag to OFF;

Subsequent updates to TrustLists or Certificates can be allowed if the Client has a trusted Certificate and valid administrator credentials.
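The setup-state workflow above, modelled as an added example (not text or code from the specification): the Server is in the “setup state” while the configuration flag is ON, while the TrustList is empty, or for a short window after the physical switch is toggled; the first configuration clears the flag, and later updates require a trusted Certificate plus administrator credentials. Class and field names, thumbprint strings and the window length are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumption: how long the physical switch keeps access open, in seconds.
SWITCH_WINDOW_SECONDS = 120.0


@dataclass
class ServerSecurityConfig:
    """Constructed model of a Server's security configuration (not an OPC UA API)."""
    setup_flag: bool = True                    # configuration-file flag, defaults to ON
    trust_list: Set[str] = field(default_factory=set)  # thumbprints of trusted Certificates
    certificate: Optional[str] = None          # default Certificate until replaced
    switch_pressed_at: Optional[float] = None  # timestamp of the last physical switch toggle

    def in_setup_state(self, now: float) -> bool:
        """Any one of the three conditions from the workflow opens the setup state."""
        if self.setup_flag:
            return True
        if not self.trust_list:
            return True
        if self.switch_pressed_at is not None:
            return (now - self.switch_pressed_at) <= SWITCH_WINDOW_SECONDS
        return False

    def may_update_security_config(self, client_thumbprint: str,
                                   has_admin_credentials: bool, now: float) -> bool:
        """Decide whether a Client may write the Certificate/TrustList via ServerConfiguration."""
        if self.in_setup_state(now):
            return True  # setup state: the security configuration is writable
        # After setup: the Client's Certificate must be trusted AND it must be an administrator.
        return client_thumbprint in self.trust_list and has_admin_credentials

    def apply_initial_config(self, client_thumbprint: str, has_admin_credentials: bool,
                             now: float, new_certificate: str, new_trust_list) -> bool:
        """Client step: provide a new Certificate and TrustList, then set the flag to OFF."""
        if not self.may_update_security_config(client_thumbprint, has_admin_credentials, now):
            return False
        if not new_trust_list:
            return False  # assumption: an empty TrustList would reopen the setup state
        self.certificate = new_certificate
        self.trust_list = set(new_trust_list)
        self.setup_flag = False         # the Server leaves the setup state automatically
        self.switch_pressed_at = None   # close any open switch window as well
        return True
```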

In some cases, the Application distributor or installer will know the CA used to sign the Certificate used by the CertificateManager and can add this CA to the Application’s TrustList during installation. If practical, this approach provides the best protection against the Application being configured, accidentally or deliberately, by a malicious Client.

If the device is automatically discovered by the CertificateManager, the CertificateManager needs some way to ensure that the device belongs on the network. The manufacturer can provide a unique ApplicationInstance Certificate during manufacture and provide the serial numbers to the device installer. The installer would then register the serial number or Certificate with the CertificateManager. When the CertificateManager discovers the device, it would check that the Certificate belongs to one of the pre-authorized devices and then continue with automatic onboarding of the device.