Skip to main content

Wi-SUN FAN Configuration Guide

This guide provides a step-by-step procedure for configuring OTPKI to issue certificates that conform to the Wi-SUN (Wireless Smart Utility Network) FAN (Field Area Network) 1.1 open standard. Wi-SUN FAN is an IPv6-based wireless mesh technology designed for massive scale IoT networks, smart cities, and utilities.

Configuring OTPKI to support the Wi-SUN FAN 1.1 profile requires strict adherence to specific cryptographic standards and X.509 v3 extension requirements. Wi-SUN relies heavily on IEEE 802.1AR Secure Device Identifiers (DevID), typically IDevID (Initial Device Identity) or LDevID (Local Device Identity), authenticated via EAP-TLS over 802.1X.

Cryptographic Key Requirements for Wi-SUN FAN

Each Wi-SUN device requires a unique per-device x509v3 certificate, and these certificates must abide by the following constraints:

x509 ExtensionValue / Constraint
versionv3
serialNumbermust be unique, prefeably at least 16 hex bytes
issuersubject copied from the issuer's CA certificate
notBeforeissuance date and time in UTC using GeneralizedTime
notAfter99991232235959Z in GeneralizedTime
subjectsubject MAY be empty, as the device identity is contained in the SAN extension
subjectPublicKeyInfoid-ecPublicKey, namedCurve secp256r1
signatureAlgorithmecdsa-with-SHA256
keyUsagedigitalSignature (MUST), keyAgreement (MAY)
extendedKeyUsageclientAuth, id-kp-wisun-fan-device
authorityIdentifiersolely the keyIdentifier of the issuer
subjectAltNameid-on-hardwareModuleName

Create an Issuance CA

For the purposes of this guide, follow the 3-Tier PKI Tree Guide to create a Root CA, Policy CA, and Issuing CA. This is the recommended starting point for a Wi-SUN FAN deployment. If you already have a PKI hierarchy in place, you can use that as an alternative. Either approach results in an active Issuing CA that can be associated with the End-Entity profile created in the next step.

Create the Wi-SUN FAN End-Entity Certificate Profile

Navigate to ProfilesCertificate Profiles and click Create. Configure each section below to produce certificates that conform to the Wi-SUN FAN 1.1 requirements shown in the table at the top of this guide.

Basic Settings

FieldValue
NameWi-SUN FAN 1.1 Device Profile
DescriptionEnd-entity profile for Wi-SUN FAN 1.1 IDevID / LDevID certificates
Certificate TypeEnd Entity
Available CAs(select your Issuing CA, or leave blank to allow any CA)

Basic Constraints

Leave the Include checkbox unchecked. End-entity certificates must not assert the CA basic constraint.

Validity Settings

Wi-SUN FAN 1.1 requires that device certificates carry a notAfter value of 99991231235959Z — effectively "no expiry".

FieldValue
No Expiry✅ Checked
warning

The 99991231235959Z value is a Wi-SUN FAN 1.1 specification requirement (Section 6.3.2). Do not use a standard duration for this profile. According to RFC5280, to indicate that a certificate has no well-defined expiration date, the notAfter SHOULD be assigned the GeneralizedTime value of 99991231235959Z. OTPKI achieves this with the No Expiry checkbox.

Signature & Key Settings

The standard mandates ECDSA with SHA-256 over the secp256r1 (P-256) curve.

FieldValue
Available Key AlgorithmECDSA_P256
Signature AlgorithmECDSA_WITH_SHA256

Key Identifiers

FieldValue
Include SKI✅ Checked
Include AKI✅ Checked
tip

The Wi-SUN FAN specification requires the AKI to contain solely the keyIdentifier of the issuer, with no authorityCertIssuer or authorityCertSerialNumber fields. Ensure your AKI configuration does not include those optional fields.

Key Usage

FieldValue
Digital Signature✅ Checked (MUST)
Key Agreement☐ Optional — check if the device also performs ECDH key exchange
Critical✅ Checked

Extended Key Usage

Wi-SUN FAN requires two EKU OIDs:

OIDDescription
1.3.6.1.5.5.7.3.2id-kp-clientAuth
1.3.6.1.4.1.45605.1id-kp-wisun-fan-device

In OTPKI, select clientAuth from the standard EKU list. For the Wi-SUN-specific OID, use the Custom Certificate Extensions section to add 1.3.6.1.4.1.45605.1 if it is not listed as a built-in EKU option.

Alternative Names (SAN)

Wi-SUN FAN devices carry their identity in the SAN rather than the Subject DN.

FieldValue
SAN TypeOtherName
OtherName OID1.3.6.1.5.5.7.8.4 (id-on-hardwareModuleName)

The id-on-hardwareModuleName structure encodes the device's hardware module type OID and serial number. Consult your device manufacturer's documentation for the exact values.

note

Because the device identity is carried in the SAN, the Subject DN may be empty per the Wi-SUN FAN 1.1 specification. If your enrollment flow produces an empty subject, ensure your issuance request does not require a non-empty Common Name.

Revocation Settings

Configure the CDP (CRL Distribution Point) to point to the published CRL endpoint for your Issuing CA. This is required for devices and network infrastructure to perform certificate status checking.

Summary of Profile Settings

Profile SectionConfiguration
Certificate TypeEnd Entity
Basic ConstraintsNot included
Validity99991231235959Z
SubjectMAY be empty
Subject Public KeyECDSA secp256r1
Signature Algorithmecdsa-with-SHA256
Key UsagedigitalSignature (MUST), keyAgreement (MAY); Critical
Extended Key UsageclientAuth, id-kp-wisun-fan-device
AKIkeyIdentifier only
SKIIncluded
SANid-on-hardwareModuleName (OtherName)

Click Create Certificate Profile to create the profile.