Configuring the Unit Assistant role for certificate management - Security Center 5.12

Security Center Administrator Guide 5.12

Product
Security Center
Content type
Guides > Administrator guides
Version
5.12
Language
English
Last updated
2024-09-13

Before the Unit Assistant role can effectively manage unit certificates, you must configure the certificate management settings and the certificate profile.

Procedure

  1. Log on to Security Center with the Config Tool installed on the server hosting the Unit Assistant role.
  2. From the Config Tool homepage, open the System task and click the Roles view.
  3. Select the Unit Assistant role and click the Properties tab.
  4. In the Security section, configure the Certificate management settings.
    Security policies
    Allow renewal of expired certificates
    Turn on this setting (on by default) to allow the system to renew unit certificates automatically, even after they are expired. If you do not want expired certificates to be automatically renewed, turn off this setting. You can always manually renew expired certificates from the Hardware inventory task.
    Enable HTTPS on units after successful certificate installation
    Turn on this setting (on by default) to force the unit to switch to HTTPS after the certificate is successfully installed. The HTTPS ports configured in Security Center for the units might change during the process if the Unit Assistant can detect the correct port.
    Notifications
    Specify, in days, how soon you want the system to trigger a warning before a certificate expires (default = 7 days).

    If you configured your system to automatically renew certificates X days before they expire, set this value to X minus N, where N is the number of days you allow the system to keep trying to renew a certificate automatically before a warning is raised. Also leave yourself enough time after the warning to investigate why a certificate was not renewed before it actually expires.

    Certificate information
    Validity period
    This is the validity period of a certificate after a renewal. This value is inherited from the CA. It can only be modified from the Certificate profile page.
    Show advanced
    Click this button to show the optional properties that you can assign to certificates created by your system. The Country, State, Locality, Organization, and Organizational unit help you identify certificates issued for your organization. These values can be overwritten on specific certificate renewals.
  5. In the Public key infrastructure section, click Set custom endpoint.
  6. In the Endpoint field, enter the URL of your certificate authority (CA).
    NOTE: For Security Center 5.12, the CA is the Certificate Signing role.
    The syntax of the URL is as follows:
    https://hostname:port/management
    where hostname is the hostname or IP address of the server hosting the Certificate Signing role, and port is the port number configured in the Properties page of the Certificate Signing role. Make sure the server hosting the Unit Assistant role can access this URL.
    IMPORTANT: To simplify the failover configuration, the URL is set by default to https://localhost:port/management. This assumes that both the Unit Assistant role and the Certificate Signing role are always hosted on the same server. If you choose to host the two roles on separate servers, then when a failover occurs, you must manually change the value of the URL here and restart the Unit Assistant role.
  7. Click Apply.
  8. Restart the Unit Assistant role for the change to the Endpoint URL to take effect.
    1. In the left pane, right-click Unit Assistant and then click Maintenance > Deactivate role.
    2. After the role turns red (deactivated), right-click Unit Assistant and then click Maintenance > Activate role.
  9. Click Certificate profile to configure the policies and limits that the CA applies to certificate requests.
    Allowed domain name
    Must match your network domain name. Leave it blank if you do not want to include the domain name in the certificates.
    Allowed IPv4 range
    Enter the IPv4 range of the units you expect to connect to on your network. Leave it blank if you do not want the units to use IPv4.

    The IP range must follow the CIDR convention. All units must be found within this range of IP addresses. We do not support discrete ranges of IP addresses.

    Allowed IPv6 range
    Enter the IPv6 range of the units you expect to connect to on your network. Leave it blank if you do not want the units to use IPv6.

    The IP range must follow the CIDR convention. All units must be found within this range of IP addresses. We do not support discrete ranges of IP addresses.

    Validity period
    Specify, in days or months, the validity period of the renewed certificates according to your security policies. We recommend a period between six months and one year.
  10. Click Apply.
  11. Restart the Unit Assistant role for the changes to the Certificate profile page to take effect.
  12. Select the certificate-related health events that you want to monitor.
    The certificate-related health events that you can monitor are:
    Certificate warning
    The certificate is about to expire.
    Certificate error
    There’s an error that makes communications with the unit insecure.
    Certificate valid
    The status of the certificate returned to valid after being in error or warning.
    These events are found under the Access control unit group and the Video unit group.
    Best Practice: We strongly suggest that you create event-to-actions to inform your system administrator when certificate-related issues occur.
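As an added example for this guide (not Genetec code), the following Python script models the checks that steps 4 and 9 above ask you to configure: whether a unit certificate fits the certificate profile (allowed domain name, single IPv4 and IPv6 CIDR ranges, validity period) and whether it falls in the expiry-notification window (including the X minus N rule). The class and function names are assumptions; the SAN entries and dates are constructed sample input and would normally be read from the unit's certificate (for example with `openssl x509 -noout -ext subjectAltName -dates`).

```python
"""Check a unit certificate against a certificate profile and expiry-warning rule.

Constructed example for this guide, not Genetec code. It models the Certificate
profile constraints from step 9 (allowed domain name, one IPv4 and one IPv6 CIDR
range, validity period) and the notification rule from step 4. The class and
function names are assumptions; the SAN values and dates would normally be read
from the unit's certificate (e.g. `openssl x509 -noout -ext subjectAltName`).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass
class CertificateProfile:
    allowed_domain: str = ""   # blank: domain names are not put in certificates
    allowed_ipv4: str = ""     # one CIDR block; blank: units must not use IPv4
    allowed_ipv6: str = ""     # one CIDR block; blank: units must not use IPv6
    validity_days: int = 365   # validity period of renewed certificates


@dataclass
class UnitCertificate:
    not_before: datetime
    not_after: datetime
    dns_names: list = field(default_factory=list)      # DNS SAN entries
    ip_addresses: list = field(default_factory=list)   # IP SAN entries


def _in_domain(name: str, domain: str) -> bool:
    """True if name equals the domain or is a sub-name of it (case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().strip(".")
    return name == domain or name.endswith("." + domain)


def check_certificate(cert: UnitCertificate, profile: CertificateProfile) -> list:
    """Return a list of profile violations (an empty list means the cert conforms)."""
    problems = []

    # Allowed domain name: every DNS name must sit under it; a blank profile
    # value means the certificates should carry no DNS name at all.
    if profile.allowed_domain:
        problems += [f"DNS name {n} is outside {profile.allowed_domain}"
                     for n in cert.dns_names if not _in_domain(n, profile.allowed_domain)]
    elif cert.dns_names:
        problems.append("profile has no allowed domain, but certificate carries DNS names")

    # Allowed IPv4/IPv6 range: a single CIDR block each (discrete ranges are
    # not supported), so every IP SAN must fall inside the one block.
    nets = {
        4: ipaddress.ip_network(profile.allowed_ipv4, strict=False) if profile.allowed_ipv4 else None,
        6: ipaddress.ip_network(profile.allowed_ipv6, strict=False) if profile.allowed_ipv6 else None,
    }
    for raw in cert.ip_addresses:
        ip = ipaddress.ip_address(raw)
        net = nets[ip.version]
        if net is None:
            problems.append(f"{ip} present, but profile allows no IPv{ip.version} range")
        elif ip not in net:
            problems.append(f"{ip} is outside allowed range {net}")

    # Validity period: the CA should not issue longer than the profile allows.
    lifetime = cert.not_after - cert.not_before
    if lifetime > timedelta(days=profile.validity_days):
        problems.append(f"validity {lifetime.days} days exceeds profile limit of {profile.validity_days}")
    return problems


def renewal_warning_days(auto_renew_days: int, grace_days: int) -> int:
    """Warning threshold from step 4: X (auto-renew lead time) minus N (grace days)."""
    warn = auto_renew_days - grace_days
    if warn < 1:
        raise ValueError("grace period leaves no time to warn before expiry")
    return warn


def expiry_status(cert: UnitCertificate, now: datetime, warning_days: int = 7) -> str:
    """'expired', 'warning' (inside the notification window, default 7 days) or 'valid'."""
    remaining = cert.not_after - now
    if remaining < timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warning_days):
        return "warning"
    return "valid"


if __name__ == "__main__":
    # Constructed sample: a camera certificate checked against a site profile.
    profile = CertificateProfile("example.local", "10.20.0.0/16", "", 365)
    cam = UnitCertificate(datetime(2024, 9, 1, tzinfo=timezone.utc),
                          datetime(2025, 3, 1, tzinfo=timezone.utc),
                          ["cam-01.example.local"], ["10.20.1.15"])
    print(check_certificate(cam, profile))
    print(expiry_status(cam, datetime(2025, 2, 25, tzinfo=timezone.utc)))
    print(renewal_warning_days(30, 7))
```

Run it against each unit's certificate before and after a renewal cycle: a non-empty violation list means the profile and the issued certificate disagree (typically a unit outside the configured CIDR block, or a domain name that does not match the allowed domain), which is worth catching before the Unit Assistant role starts renewing at scale.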

After you finish

If you must change any of these settings later, do it when the Unit Assistant role is not updating any certificate.
IMPORTANT: If you change the communication port of the CA (Certificate Signing role), you must restart the Unit Assistant role for the change to take effect. If you change to a new CA, any unit that has its certificate signed by the old CA must be renewed as soon as possible. Otherwise, when you move your unit to a new role, the unit might stop working because the old CA's root certificate isn’t deployed on the server hosting the new role.

Also note that the root certificate of the old CA isn’t automatically removed when it’s no longer in use. If required, after all unit certificates have been renewed, you can manually remove it from the Windows Certificate Store.