BACnet/SC Hub onboarding — for installers configuring field controllers
Hub hostname :
BACnet/SC URL :
Organization : cc408219-d8ac-4593-901a-8b7a749b317d
1. Download & trust the organization root CA
Every device that connects to this hub must trust your organization's
private root certificate. Download it and install it in the controller's
trust store before commissioning.
Download root CA (PEM)
Revocation list (CRL): https://gui.infincx.com/api/bacnet-crl/cc408219-d8ac-4593-901a-8b7a749b317d
2. Issue a device operational certificate
No onboarding token detected. Ask your IT administrator to generate an
onboarding link from the infinCX admin panel (BACnet → Hub → Generate Onboarding Link)
and share it with you. Open that URL on this device to proceed.
Alternatively, issue certificates manually from the infinCX GUI:
- Open the BACnet Certificates panel in the infinCX GUI.
- Click Issue Operational Certificate (or paste the device CSR).
- Download the resulting bundle (cert, chain, optional key).
- Load the cert + chain + private key into the controller's BACnet/SC config.
3. Configure the controller
Use these values in the BACnet/SC configuration of each controller:
Primary Hub URI :
Failover URI : (leave blank or set to a redundant hub)
Trust Anchor : (the root CA PEM you downloaded above)
Operational Cert: (the device cert from step 2)
4. Verify the connection
Once the controller is committed, this hub's status endpoint will show it as connected:
curl https://hub-host/status
Troubleshooting
- TLS handshake failure — controller doesn't trust the root CA. Re-install the trust anchor.
- Certificate revoked — re-issue from the BACnet Certificates panel.
- Connection refused — confirm the controller can reach hub-host:30443 (TCP) outbound.
This page is served by the hub itself over a Let's Encrypt-issued public certificate.
Device traffic uses your organization's private CA on port 30443 (mTLS, end-to-end).
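The troubleshooting cases above can be told apart from an installer laptop before a controller is commissioned. The following pre-flight probe is an added example, not code from the hub or from infinCX; it connects to the mTLS port with the organization root CA as the only trust anchor and reports which stage failed. The function name `preflight`, the stage labels, the file paths passed in and the 2-second read wait are assumptions, as is the hub rejecting a revoked device certificate at the TLS layer.

```python
import socket
import ssl


def preflight(host, ca_pem, cert_pem, key_pem, port=30443, timeout=5.0):
    """Probe the hub's mTLS port and return (stage, detail).

    Stages (hypothetical labels): 'connection-refused', 'unreachable',
    'config', 'untrusted-hub', 'tls-error', 'rejected-after-handshake', 'ok'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return "connection-refused", str(exc)
    except OSError as exc:  # DNS failure, timeout, no route
        return "unreachable", str(exc)
    with sock:
        try:
            # PROTOCOL_TLS_CLIENT verifies chain and hostname and loads no
            # system CAs, so only the organization root is trusted here.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_verify_locations(cafile=ca_pem)
            ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
        except OSError as exc:  # missing file, bad PEM, key/cert mismatch
            return "config", str(exc)
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLCertVerificationError as exc:
            return "untrusted-hub", exc.verify_message
        except OSError as exc:
            return "tls-error", str(exc)
        with tls:
            # With TLS 1.3 a rejected client certificate surfaces as an alert
            # on the first read, after the handshake call has returned.
            tls.settimeout(2.0)
            try:
                if tls.recv(1) == b"":
                    return "rejected-after-handshake", "hub closed the connection"
            except socket.timeout:
                pass  # hub is waiting for our request: certificate accepted
            except OSError as exc:
                return "rejected-after-handshake", str(exc)
            return "ok", tls.version()
```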