Creating and Using Wi-SUN Certificates with Digi XBee Devices

Overview

Wi-SUN networks use a certificate-based security model to authenticate devices joining the network. When using Digi XBee devices in a Wi-SUN deployment, each node must be provisioned with valid credentials to securely connect to a Wi-SUN Border Router.

This article provides an overview of how Wi-SUN certificates work and how they are used in a Digi XBee-based system.


How Wi-SUN Security Works

Wi-SUN networks use EAP-TLS (Extensible Authentication Protocol – Transport Layer Security) to authenticate devices. This requires each device to present a valid X.509 certificate that is trusted by the network.

During the join process:

  • The device presents its certificate to the Border Router

  • The Border Router validates it against a trusted Certificate Authority (CA)

  • A secure session is established using TLS


Certificate Components

A typical Wi-SUN deployment with Digi XBee devices requires the following:

  • Root CA Certificate
    Establishes trust for the entire network

  • Border Router Certificate
    Identifies the network gateway

  • Device Certificate (XBee module)
    Unique identity for each XBee device

Each XBee device must also store:

  • Its private key

  • The CA certificate used to validate the network


Certificate Requirements

Wi-SUN certificates must meet the following general requirements:

  • Based on the X.509 v3 format

  • Use ECDSA with the P-256 curve

  • Include required Wi-SUN FAN fields and extensions

  • Contain a unique identifier per device

These requirements ensure compatibility with Wi-SUN certified networks.


General Workflow for Certificate Creation

While the exact implementation may vary, the process typically includes:

  1. Create a Root Certificate Authority (CA)
    This serves as the trust anchor for your network

  2. Generate keys and certificate requests

    • One for the Border Router

    • One for each XBee device

  3. Sign certificates using the Root CA
    This establishes trust between devices and the network

  4. Assign unique identities to each device
    Each XBee must have its own certificate

  5. Provision certificates and keys onto devices
    This step is required before devices can join the network
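
Steps 1 to 4 of this workflow, followed by a pre-deployment check of trust chain, curve and key match, sketched with the openssl CLI as an added example (not Digi's tooling and not code from this article). The subject names, lifetimes, file layout and the use of an EUI-64 as the device identifier are assumptions; the Wi-SUN FAN-specific fields and extensions are left out because the article does not list them.

```sh
#!/bin/sh
# Added example: workflow steps 1-4 with the openssl CLI, plus a pre-deployment check.
# Names, lifetimes and the EUI-64 value are constructed for illustration.
set -eu
umask 077        # private keys are created readable by the current user only

make_ca() {      # $1 = work dir. Step 1: root CA (trust anchor) on P-256.
  cat > "$1/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -config "$1/ssl.cnf" -extensions v3_ca -key "$1/ca.key" \
    -sha256 -days 3650 -subj "/O=Example Utility/CN=Example Wi-SUN Root CA" -out "$1/ca.pem"
}

issue_cert() {   # $1 = work dir, $2 = unique identity (device EUI-64 or router name)
  [ ! -e "$1/$2.pem" ] || { echo "identity $2 already issued" >&2; return 1; }   # step 4
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"                # step 2
  openssl req -new -config "$1/ssl.cnf" -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -sha256 -days 825 -extfile "$1/ssl.cnf" -extensions v3_leaf -out "$1/$2.pem"  # step 3
}

check_cert() {   # $1 = CA cert, $2 = cert, $3 = private key; prints one verdict word
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo untrusted; return 1; }
  openssl x509 -in "$2" -noout -text | grep -q 'ASN1 OID: prime256v1' \
    || { echo not-p256; return 1; }
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] \
    || { echo key-mismatch; return 1; }
  echo ok
}

# Demo: one CA, one Border Router, one device (constructed EUI-64).
work=$(mktemp -d)
make_ca "$work"
issue_cert "$work" border-router
issue_cert "$work" 00112233AABB0001
check_cert "$work/ca.pem" "$work/00112233AABB0001.pem" "$work/00112233AABB0001.key"
```

The three failure verdicts correspond to a certificate not signed by the trusted CA, a curve other than P-256, and a private key that does not belong to the certificate.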


Integrating Certificates with Digi XBee Devices

When using Digi XBee devices:

  • Certificates and keys are typically loaded during provisioning

  • This may be done using:

    • Manufacturing tools

    • Custom scripts

    • Secure provisioning workflows

The Border Router must also be configured with:

  • Its own certificate and key

  • The same Root CA certificate used to sign device certificates


Deployment Considerations

When designing a Wi-SUN network with Digi XBee:

  • Ensure all devices share a common trust chain (same CA)

  • Use unique certificates per device (do not reuse certificates)

  • Protect private keys during manufacturing and deployment

  • Plan for certificate lifecycle management (renewal, revocation)


Common Issues

  • Device fails to join network
    → Certificate not signed by trusted CA

  • Authentication failure
    → Mismatch between device and Border Router trust chain

  • Provisioning errors
    → Missing private key or incorrect certificate format


Best Practices

  • Use a dedicated CA for your deployment

  • Automate certificate generation for large-scale deployments

  • Store private keys securely and avoid exposing them in firmware

  • Validate certificates before deployment

  • Keep a record of issued certificates for troubleshooting


Summary

Wi-SUN networks rely on certificate-based authentication to ensure secure communication. When integrating Digi XBee devices, proper generation, management, and provisioning of certificates are essential for successful network operation.

By establishing a consistent certificate workflow and maintaining control of your trust chain, you can deploy secure and scalable Wi-SUN networks using Digi XBee modules.

 

Last updated: Mar 18, 2026
