Configuring the Unit Assistant role for certificate management - Security Center 5.11

Security Center Administrator Guide 5.11

Applies to
Security Center 5.11
Last updated
2024-04-03
Content type
Guides > Administrator guides
Language
English
Product
Security Center
Version
5.11

Before the Unit Assistant role can effectively manage unit certificates, you must configure the certificate management settings and the certificate profile.

Procedure

  1. Log on to Security Center with the Config Tool installed on the server hosting the Unit Assistant role.
  2. From the Config Tool homepage, open the System task and click the Roles view.
  3. Select the Unit Assistant role and click the Properties tab.
  4. In the Security section, configure the Certificate management settings.
    Security policies
    Allow renewal of expired certificates
    This setting is on by default. It allows the system to automatically renew unit certificates even when they are expired. If you do not want the system to renew certificates that are expired, turn this setting off. You can always manually renew unit certificates from the Hardware inventory task.
    Enable HTTPS on units after successful certificate installation
    Enable this setting to force the unit to switch to HTTPS after the certificate is successfully installed. During this process, the HTTPS ports configured in Security Center for the units might be updated if the Unit Assistant detects the correct port.
    Notifications
    Specify, in days, when you want the system to send a notification before the certificate expires.
    Certificate information
    Validity period
    Specify, in days, weeks, months, or years, the validity period of the renewed certificate. The maximum value is defined in your certificate profile that is configured in the Credential profile page of the Unit Assistant role.
    Show advanced
    Click this button to show the optional properties you can assign to the certificates. Country, State, Locality, Organization, and Organizational unit serve to identify a certificate as being issued for your organization.
  5. In the Public key infrastructure section, click Set custom endpoint and, in the Endpoint field, enter the URL of your certificate authority (CA).
    NOTE: For Security Center 5.11, the CA is the Certificate Signing role.
  6. Click Apply.
  7. Restart the Unit Assistant role.
    1. In the left pane, right-click Unit Assistant and then click Maintenance > Deactivate role.
    2. After the role turns red, right-click Unit Assistant and then click Maintenance > Activate role.
  8. Click Certificate profile to configure the policies and the limits imposed on certificate requests applied by the CA.
    Allowed domain name
    Must match your network domain name. Leave it blank if you do not want to include the domain name in the certificates.
    Allowed IPv4 range
    Enter the IPv4 range of the units you expect to connect to on your network. Leave it blank if you do not want the units to use IPv4.
    Allowed IPv6 range
    Enter the IPv6 range of the units you expect to connect to on your network. Leave it blank if you do not want the units to use IPv6.
    Maximum validity period
    Enter the maximum validity period that can be set when renewing a certificate. Select one of the predefined values or enter a custom value. The syntax of the custom value is P[xY][yM][zD], where x, y, and z are the number of years, months, and days, respectively. Any portion in brackets can be omitted.

    Examples:

    "P1Y3M10D" corresponds to 1 year, 3 months, and 10 days.

    "P90D" corresponds to 90 days.

  9. Click Apply.
  10. Select the certificate-related health events that you want to monitor.
    The certificate-related health events that you can monitor are:
    Certificate warning
    The certificate is about to expire.
    Certificate error
    There is an error that makes communications with the unit insecure.
    Certificate valid
    The status of the certificate returned to valid after being in error or warning.
    These events are found under the Access control unit group and the Video unit group.
    Best Practice: We strongly suggest that you create event-to-actions to inform your system administrator when certificate-related issues occur.
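As an added example (not Genetec's code), the following Python models how the Certificate profile limits from step 8 constrain a unit's certificate request: it parses the P[xY][yM][zD] validity syntax, computes the resulting end date, and checks a requested hostname, IP address and validity period against the allowed domain name, allowed IPv4/IPv6 ranges and maximum validity period. The profile fields, the request shape and the reference date are assumptions for the example.

```python
import calendar
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed reference date for the validity calculations (assumption for this example).
TODAY = date(2024, 4, 3)
# Maximum validity period syntax from the certificate profile: P[xY][yM][zD]
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")

def parse_duration(text):
    """Return (years, months, days) for a P[xY][yM][zD] value; reject anything else."""
    m = _DURATION.match(text)
    if not m or text == "P":
        raise ValueError(f"invalid validity period: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def add_duration(start, years, months, days):
    """Calendar-accurate end date: whole months first (day clamped to month length), then days."""
    total_months = start.year * 12 + (start.month - 1) + years * 12 + months
    year, month = divmod(total_months, 12)
    day = min(start.day, calendar.monthrange(year, month + 1)[1])
    return date(year, month + 1, day) + timedelta(days=days)

@dataclass
class CertificateProfile:  # assumed model of the Certificate profile page fields
    allowed_domain: str = ""   # blank: no domain name in certificates
    allowed_ipv4: str = ""     # blank: units do not use IPv4
    allowed_ipv6: str = ""     # blank: units do not use IPv6
    max_validity: str = "P1Y"  # Maximum validity period, P[xY][yM][zD] syntax

def check_request(profile, hostname, ip, validity, today=TODAY):
    """Return the policy violations for a unit's request (empty list: allowed)."""
    problems = []
    if hostname:
        if not profile.allowed_domain:
            problems.append("domain names are not permitted in certificates")
        elif not hostname.lower().endswith("." + profile.allowed_domain.lower()):
            problems.append(f"{hostname} is outside {profile.allowed_domain}")
    if ip:
        addr = ipaddress.ip_address(ip)
        allowed = profile.allowed_ipv4 if addr.version == 4 else profile.allowed_ipv6
        if not allowed or addr not in ipaddress.ip_network(allowed, strict=False):
            problems.append(f"{ip} is outside the allowed IPv{addr.version} range")
    requested_end = add_duration(today, *parse_duration(validity))
    max_end = add_duration(today, *parse_duration(profile.max_validity))
    if requested_end > max_end:
        problems.append(f"validity {validity} exceeds the profile maximum {profile.max_validity}")
    return problems
```

A request that matches the domain, falls inside the configured range and does not outlive the maximum validity returns an empty list; each violated limit adds one entry.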

After you finish

If you later need to change any of these settings, do so at a time when the Unit Assistant role is not updating any certificates.
IMPORTANT: If you change the communication port of the CA (Certificate Signing role) or any setting in the Certificate profile page, you must restart the Unit Assistant role for the change to take effect. If you change to a new CA, any unit that has its certificate signed by the old CA must be renewed as soon as possible. Otherwise, when you move your unit to a new role, the unit might stop working because the old CA's root certificate would not be deployed on the server hosting the new role.

Also note that the root certificate of the old CA is not automatically removed when it is no longer in use. If required, after all unit certificates have been renewed, you can manually remove it from the Windows Certificate Store.