Public-key cryptography

Getting started

Security Suite 1 and 2 are using Public-key cryptography.

Get more information from ECDSA keys or secured connections.

This document doesn't explain the idea of Public-key cryptography. It will focus on how to use the certificates from GXDLMSDirector and what you need to do to start using Public-key cryptography.

At first, you need private and public keys for the client application. You can use the pre-installed meter keys if you want to, but it's always a good practice to change them when the new meter is installed.

You can use GXLMSDirector to generate private keys and then use Gurux CertificateGenerator to generate x509 certificate. You need six pairs of keys. Four keys for the client and two public keys for the meter. You need to generate client keys. Meter keys might be pre-generated or you can generate them.

  • Private key agreement key for the client.
  • Private digital signature key for the client.
  • Public key agreement key for the client.
  • Public digital signature key for the client.
  • Public key agreement key from the meter.
  • Public digital signature key from the meter.

Note! DLMS is using ECDSA keys. If you generate example RSA keys communication is not working.

All keys are validated before use. Your keys are invalid if you are receiving Public key validate failed. Public key is not valid ECDSA public key-exception.

Is my meter supporting public and private keys?

Security setup
Before you can increase the security level with the public and private keys you need to verify that your meter is supporting public and private keys.
You can do this if you make a connection to the meter and used Suite from the Security setup object.
If Suite value is GMac and you can't change it, your meter is using Security Suite 0 and Symmetric cryptography. All messages are secure, but it's not so secure as with Public-key cryptography.
You can get more information from symmetric and Public-key cryptography from here:


First you need to check that GXDLMSDirector has certificates for the client application and for the meter. You can check this by selecting "Certificates" -tab from the Security setup-object. If your meter have the certificates and you want to use them, only thing what you need to do is import certificates for the GXDLMSDirector.
This is done by selecting imported certificate from the meter Certificates list and pressing "Export certificate...". Then save certificates for the GXDLMSDirector Certificates folder. You can see imported certificates by selecting "ECDSA Keys" from the "Tools" menu.

Note! You can import only one certificate at the time.

Subject will tell system title of the certificate owner. In this document client system title is 4752580000000000 and meter system title is 4752580000000001. You must install client's certificates for the meter or communication doesn't succeed.

Check the serial number of the certificate if your communication is not working. Some one else might update the certificate or generate a new public/private key.

Setting encryption parameters for the meter

Device settings
When you have correct certificates imported for the GXDLMSDirector you can create a secured connection to the meter. You can create a new meter or use the old one. You need to select "Secured Connections" tab from the device properties.

Then change used security suite to 256 or 384. Used security suite you can see from the Security setup as described in Is my meter supporting public and private keys.
Next you need to change security level. Usually it's AuthenticationEnryption, but this depends from your meter. Next change used schme. You need to select between One-Pass Diffie-Hellman and Static Unified Model.
Difference of those schemes is well documented in NIST documents and I'll don't cover it here.

Set client and meter (server) system title. You can get the meter and client system title from the certificate. Then press "Find"-button. It will update the correct certificates automatically and you don't need to find them.

Note! It's common mistake that some else is updating the new certificate for the server and after that communication is not working. It's good to always compare certificate serial numbers if communication is not working with encrypted communication.

You can get more information from the certificate by pressing "Info..." button.

Now your certificates are installed and you can start to communicate using public key cryptography.

Generating new public and private keys for the GXDLMSDirector

Get certificate
First you need to create private key and then generate public key x509 certificate using the Gurux CertificateGenerator. You can do this if you select "ECDSA keys" from the "Tools" menu.
Select "Private keys" tab. and then you can generate a new private key or add the existing one. You can add existing private key simply pressing "Add"- button or Generate the new private key by pressing "Generate" button.
If you want to generate a new private key, you need to select private key type (256 or 384). Then press Generate-button to generate a new private key. You can see the generated private key in PKCS #8 format.

Private key is saved in PKCS #8 format.

You can see the added private key in the list. Next you need to generate x509 certificate from it. This is done by selecting "Get certificate". You need to select certificate type and give system title that you want to use.
After you have give those press OK button to ask the new certificate from the Gurux CertificateGenerator service and save generated certificate to the file.

Generating new public and private keys for the meter

You can't add generated private keys to the meter. You need to ask meter to generate the private keys. This is done by selecting "Certificates tab from the "Security setup" object. Then press "Key pair...". It will generate a new private key for the meter.

Certificate generator

Next you need to generate a new certificate request. Certificate request is sent to the Gurux Certificate Generator service and a new x509 certificate is generated. Save x509 certificate to the file.

After you have x509 certificate you need to import that to the meter. Press "Import certificate" and select generated certificate. Certificate is now send to the meter and you should see it there when you read certificates again.

You can also generate certificates with OpenSSL.