You can configure Security Center to automatically renew the unit certificates when they are about to expire, using the Renew unit certificate action through a scheduled task.
What you should know
You need the Update access control unit certificate, Update video unit certificate and Modify certificate management settings privileges to configure the Renew unit certificate action. This action is executed by the Unit Assistant role and is only available through scheduled tasks, not through event-to-actions. The Unit Assistant role checks the certificate expiration date of the selected units and renews the ones that will expire within the configured time frame.
NOTE: If you cleared the Allow renewal of expired certificates option, the Unit Assistant will not renew certificates that are already expired.
Procedure
- Create a scheduled task.
  The Recurrence of the scheduled task is how frequently you want the system to check the certificate expiration dates. We strongly recommend using a daily recurrence to avoid missing any certificate renewal deadline. The system only renews certificates that are about to expire, based on the value of days before expiration defined later.
  CAUTION: Changing a unit certificate causes a short recording interruption, so choose a time of day that minimizes disruption to your operations. Make sure you do not change the certificate and the password on the same units at the same time.
- From the Action list, select Renew unit certificates.
- In the days before expiration field, specify how soon you want to renew a certificate before it expires.
  This value should be greater than the number of days before expiration at which the system sends the notification (Certificate warning). As a rule of thumb, if your certificates are valid for one year, renew your certificates one month before they expire, and send the warning 28 days before they expire.
- Specify the source information the certificates are based on.
  Beside Certificate information, select one of the following:
  - Inherit from Unit Assistant: Use the information configured in the Unit Assistant role's Properties page.
  - Custom: Enter specific information for this scheduled task.
  - Validity period: This value is a CA setting. It can only be changed from the Unit Assistant role's Certificate profile page.
  - Show advanced: Click this button to show the optional properties, such as Country, State, Locality, and so on, that you can override here.
- Select the units that are considered for certificate renewal.
  Beside Entities, select one of the following:
  - All units: Consider all units in your system.
  - Custom: Select individual or groups of units that should be evaluated. Use this option if you want to assign different time slots to units found in different time zones. The scheduled task follows the time zone of your Directory server. If you select an area, all units within that area are selected.
  Best Practice: We recommend that you do not exceed 100 access control units or 1,000 video units per batch. If your system has more units than the recommended maximum per batch, divide them into small batches and create separate scheduled tasks running at a different time for each. Make sure the different scheduled tasks do not overlap. As a general rule, allow 15 minutes between batches.
- Click Apply.
NOTE: After your system installs a certificate on a unit, you should no longer use any third-party tool to update the certificate.
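The batching and timing guidance in the procedure above, as an added example (not Genetec code; it calls no Security Center API): a Python planner that splits a constructed unit inventory into batches within the recommended limits, spaces their start times 15 minutes apart, and checks that the renewal window exceeds the warning window. The unit names, the one-unit-type-per-batch rule, the start-time spacing and the `due_for_renewal` model of the selection rule are assumptions made for this illustration.

```python
from datetime import date, datetime, timedelta

# Limits and spacing from the Best Practice note in the procedure.
MAX_PER_BATCH = {"access_control": 100, "video": 1000}
BATCH_GAP = timedelta(minutes=15)

def due_for_renewal(not_after, today, days_before, allow_expired=True):
    """Model of the selection rule described on this page (not vendor code)."""
    if not_after < today:                      # certificate already expired
        return allow_expired
    return (not_after - today).days <= days_before

def plan_batches(units, first_start):
    """units: list of (name, kind). Returns [(start, kind, [names])].
    Assumptions: one unit type per batch, start times spaced by BATCH_GAP."""
    plan, start = [], first_start
    for kind, cap in MAX_PER_BATCH.items():
        names = sorted(n for n, k in units if k == kind)
        for i in range(0, len(names), cap):
            plan.append((start, kind, names[i:i + cap]))
            start += BATCH_GAP
    return plan

def validate(plan, renew_days, warning_days):
    """Return a list of problems; an empty list means the plan follows the guidance."""
    problems = []
    if renew_days <= warning_days:
        problems.append("days before expiration must exceed Certificate warning days")
    for (s1, _, _), (s2, _, _) in zip(plan, plan[1:]):
        if s2 - s1 < BATCH_GAP:
            problems.append(f"batches at {s1:%H:%M} and {s2:%H:%M} are too close")
    for start, kind, names in plan:
        if len(names) > MAX_PER_BATCH[kind]:
            problems.append(f"{kind} batch at {start:%H:%M} has {len(names)} units")
    return problems

# Constructed inventory: 230 access control units and 1,200 video units.
UNITS = [(f"door-{i:03d}", "access_control") for i in range(230)] + \
        [(f"cam-{i:04d}", "video") for i in range(1200)]

if __name__ == "__main__":
    plan = plan_batches(UNITS, datetime(2025, 1, 1, 2, 0))
    for start, kind, names in plan:
        print(f"{start:%H:%M}  {kind:<14} {len(names):>4} units")
    print(validate(plan, renew_days=30, warning_days=28) or "plan OK")
```

Each row of the printed plan corresponds to one scheduled task with a Custom entity selection; the start times are in the Directory server's time zone, as the procedure states.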
After you finish
After the certificates of all Axis units under a given Archiver role are managed by Security Center, turn off the Advanced security settings in the Axis extension for that Archiver role to close all potential security holes.
NOTE: If your system is using IP addresses for cameras and you want to transition to hostnames, you need to turn on the Allow certificates with an invalid subject name option during the transition period. This is because the certificates only have a common name containing an IP address and they become invalid when a hostname is added to the unit configuration in Config Tool.