Unit certificate management is the feature that you need when you wish to deploy trusted certificates on your units from a central location. The Unit Assistant role is responsible for managing the certificates and requires the Certificate Signing role to be its certificate authority (CA).
With the Unit Assistant role, you can configure Security Center to install trusted identity certificates on your access control and video units, and automatically renew them when they are about to expire.
- Install the certificate authority (CA)'s root
certificate on the servers hosting the Archiver and the Access Manager roles. This
ensures that these servers trust the certificates signed by this CA.NOTE: The job of the CA is handled by the Certificate Signing plugin role. The plugin package is installed by default when you install Security Center, but the plugin role is not created by default. You must create the plugin role if you want to enable unit certificate management in your system.
- Install certificates signed by the trusted CA on selected access control and video
units to encrypt communications between Security Center and the units.NOTE: It is the role that connects to the units. In this context, the role is the client and the units are the servers. For this reason, the certificates installed on the units are called server certificates.
After a certificate is successfully installed on a unit, the unit automatically switches from HTTP to HTTPS by default, and from RTSP to RTSPS if the unit supports it. From that point on, the system manages the unit certificate.
You can perform all certificate deployment operations through the Hardware inventory task and scheduled tasks. You need special privileges to perform these operations.
Supported certificate deployment operations
| Operation | Required privileges |
|---|---|
| Manually install or renew certificates on selected access control and video
units with the Hardware inventory task. You can renew certificates unit by unit or in batches. |
Update access control unit certificate
Update video unit certificate |
| Automatically renew certificates using the Renew unit certificates action through scheduled tasks. |
Update access control unit certificate
Update video unit certificate Modify certificate management settings |
| Configure the system settings for certificate management in Config Tool. You can configure the settings such as when to send a notification when a certificate is about to expire and the certificate validity period. You can also change the certificate profile followed by the CA from Config Tool. |
Modify certificate management settings |
Supported access control unit models
- Cloud Link Roadrunner
- Synergis Cloud Link
- Legacy Synergis Cloud Link running Synergis Softwire 11.2 or later
Supported video unit models
Only certain models of video units support the certificate management feature. You might have to upgrade the unit firmware for this feature to work. For the list of manufacturers that support this feature, see Manufacturers that support certificate management.Best practices for unit certificate management
- Monitor unit certificate status and update results with the Hardware
inventory task.
You can save the report as a public task and monitor the results in the dashboard. For more information, see Creating a dashboard.
- Track certificates updated manually with the Activity trails
task.
Only manual certificate renewals are tracked as user activities. Certificates renewed automatically through scheduled tasks are not tracked in the Activity trails report.
- Changing a unit certificate causes a short recording interruption, so choose a time of day that minimizes disruption to your operations.
- Make sure you do not change the certificate and the password on the same units at the same time.
- When automatically renewing certificates, do not exceed 100 access control units or 1,000 video units per batch.
Limitation
- The Unit Assistant GUI might become unresponsive for several minutes if one of the components involved in certificate signing (Directory, Unit Assistant, Certificate Signing) fails over to their secondary server while the Unit Assistant is performing a large batch of certificate updates.
- When a certificate generated by Security Center expires, the unit (access control or video) continues to operate normally until the next time it reconnects. The unit might take up to 10 hours to display the expired certificate warning status.
- A supported Synergis™ unit cannot be updated if
its current self-signed certificate is generated from the Synergis™ Appliance Portal.
If you ask the system to update the certificate for such a unit, you get the error message
Failed to generate certificate signing request. As a workaround, go to the Properties page of the Synergis unit in Config Tool, and click Reset trusted certificate.
Watch this video to learn more. Click the Captions icon (CC) to turn on video captions in one of the available languages.