Securing the communication between the Unit Assistant role and the Certificate Signing role - Security Center 5.11

To secure the communication between the Unit Assistant role and the Certificate Signing role, you must create a trusted certificate for the localhost.

1. Generate the certificate used to secure the communication between these two roles.
   1. In the Windows taskbar, click and enter PowerShell.
   2. In the search result, right-click Windows PowerShell and click Run as administrator.
      The Windows PowerShell window opens.
   3. Enter the command $PSVersionTable to find out the version you are running.
      IMPORTANT: You must have PowerShell version 5.1.17763.2931 or later. If your version is too old, you must run PowerShell on a server that has a supported version installed, generate and export the certificate, and then import it on the server hosting your two roles.
   4. Enter the following command to generate a self-signed certificate.
      Code

      New-SelfSignedCertificate -Type Custom -Subject "CN=SigningPluginSSL, O=Genetec Inc., OU=SigningPluginSSL, C = CA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1", "2.5.29.17={text}DNS=localhost") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My"

      

      NOTE: To run this command, first copy the preceding string to Notepad, remove the line breaks, then paste the string without line breaks to the Windows PowerShell window.

      In our sample command, we use SigningPluginSSL as the certificate name. If you prefer a different name, simply replace SigningPluginSSL, found in two places, with the name of your choice.

   5. Close the Windows PowerShell window.
2. Open the Microsoft Management Console.
   • On Windows Server, do the following:
     1. In the Windows taskbar, click and enter mmc.
     2. In the windows that opens, click File > Add/Remove Snap-in.
     3. In the Add or Remove Snap-ins window that opens, click Certificates > Add.
        
     4. In the Certificates snap-in dialog box that opens, click Computer account > Next.
        
     5. Click Finish > OK.

        The Certificate management snap-in is added.

   • On Windows 10, do the following:
     1. In the Windows taskbar, click and enter Certificates.
     2. In the search results, click Manage computer certificates.
3. In the left pane of the Microsoft Management Console window, expand Personal and click Certificates.
4. In the right pane of the window, right-click the certificate you created (SigningPluginSSL) and click Copy.
   
5. In the left pane of the window, expand Trusted Root Certification Authorities and click Certificates.
6. Right-click Certificates and then click Paste.
   
7. Open Server Admin, and in the left pane, click the name of your server.
8. In the Secure communication section, click Select certificate.
9. In the dialog box that opens, click the certificate you created earlier (SigningPluginSSL) and click Select.
   
10. Click Save > Yes and close Server Admin
11. If you have more than one server assigned to the Unit Assistant role, repeat the same process on the other servers.