Preventing compromised certificates from being used in your system - Security Center 5.11

Security Center Administrator Guide 5.11

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.11
Language: English
Last updated: 2024-07-05

If you suspect that a fusion stream encryption certificate has been compromised, you can prevent that certificate from being used to access your encrypted video by removing it from the Archiver and deleting all key streams that were generated with that certificate.

Before you begin

IMPORTANT: Ensure that all archiving roles are online. These include Archiver, Auxiliary Archiver, and Cloud Playback roles. Key streams cannot be deleted if any archiving role associated with an encrypted camera is offline.

What you should know

The encryption certificate contains a private key that allows the client machine to query the Archiver for encrypted data, and to decrypt the key stream and data when they are received. For more information, see "How does fusion stream encryption work?"

CAUTION: If you remove the last certificate used to encrypt a camera from the Archiver, the camera ceases to be encrypted and all future data from that camera becomes accessible to all machines in your system. However, data that was previously encrypted remains encrypted.

Procedure

  1. From the Config Tool homepage, open the Video task and click the Roles and units view.
  2. Do one of the following:
    • If encryption is configured at the Archiver level, select the Archiver and click the Camera default settings tab.
    • If encryption is configured at the camera level, select the camera and click the Recording tab.
  3. From the Certificates list, select the compromised certificate, and click Remove the item.
    NOTE: You cannot enable In transit and at rest encryption if there are no configured certificates.
  4. Click Apply.
  5. In the message box that appears, do one of the following:
    • Click Yes to delete the selected certificate and the associated key streams (client-specific key streams).

      This option is highly recommended if your certificate has been compromised. It prevents client machines from accessing any encrypted data with the associated certificate.

      CAUTION: If you remove the only certificate used to generate key streams, you will permanently lose access to the encrypted data.
    • Click No to only delete the selected certificate from the Archiver, not the associated key streams.

      This option stops video encryption with the selected certificate. New video cannot be decrypted with the compromised certificate. However, all data that was encrypted before removing this certificate remains available to client machines that have the certificate installed.

  6. Click Apply.