Configuring Security Center to renew unit certificates automatically - Security Center 5.12

Security Center Administrator Guide 5.12

Product
Security Center
Content type
Guides > Administrator guides
Version
5.12
Language
English
Last updated
2024-09-13

You can configure Security Center to automatically renew the unit certificates when they are about to expire, using the Renew unit certificate action through a scheduled task.

What you should know

You need the Update access control unit certificate, Update video unit certificate and Modify certificate management settings privileges to configure the Renew unit certificate action. This action is executed by the Unit Assistant role and is only available through scheduled tasks, not through event-to-actions. The Unit Assistant role checks the certificate expiration date of the selected units and renews the ones that will expire within the configured time frame.
NOTE: If you cleared the Allow renewal of expired certificates option, the Unit Assistant will not renew certificates that are already expired.

Procedure

  1. Create a scheduled task.
    The Recurrence of the scheduled task is how frequently you want the system to check the certificate expiration dates. We strongly recommend using a daily recurrence to avoid missing any certificate renewal deadline. The system only renews certificates that are about to expire, based on the value of days before expiration defined later.
    CAUTION:
    Changing a unit certificate causes a short recording interruption, so choose a time of day that minimizes disruption to your operations. Make sure you do not change the certificate and the password on the same units at the same time.
  2. From the Action list, select Renew unit certificates.
  3. In the days before expiration field, specify how soon you want to renew a certificate before it expires.
    This value should be greater than the number of days the system sends the notification (Certificate warning) before a certificate expires. As a rule of thumb, if your certificates are valid for one year, renew your certificates one month before they expire, and send the warning 28 days before they expire.
  4. Specify the source information the certificates are based on.
    Beside Certificate information, select one of the following:
    Inherit from Unit Assistant
    Use the information configured in the Unit Assistant role's Properties page.
    Custom
    Enter specific information for this scheduled task.
    Validity period
    This value is a CA setting. It can only be changed from the Unit Assistant role's Certificate profile page.
    Show advanced
    Click this button to show the optional properties, such as Country, State, Locality, and so on, that you can override here.
  5. Select the units that are considered for certificate renewal.
    Beside Entities, select one of the following:
    All units
    Consider all units in your system.
    Custom
    Select individual or groups of units that should be evaluated. Use this option if you want to assign different time slots to units found in different time zones. The scheduled task follows the time zone of your Directory server. If you select an area, all units within that area are selected.
    Best Practice: We recommend that you do not exceed 100 access control units or 1,000 video units per batch. If your system has more units than the recommended maximum per batch, divide them into small batches and create separate scheduled tasks running at a different time for each. Make sure the different scheduled tasks do not overlap. As a general rule, allow 15 minutes between batches.
  6. Click Apply.
    NOTE: After your system installs a certificate on a unit, you should no longer use any third-party tool to update the certificate.

After you finish

After the certificates of all Axis units under a given Archiver role are managed by Security Center, turn off the Advanced security settings in the Axis extension for that Archiver role to close all potential security holes.
Advanced security settings found in the Archiver role's Axis extension.
NOTE: If your system is using IP addresses for cameras and you want to transition to hostnames, you need to turn on the Allow certificates with an invalid subject name option during the transition period. This is because the certificates only have a common name containing an IP address and they become invalid when a hostname is added to the unit configuration in Config Tool.