Before the Unit Assistant role can effectively manage unit certificates, you must configure the certificate management settings and the certificate profile.
Before you begin
Procedure
- Log on to Security Center with the Config Tool installed on the server hosting the Unit Assistant role.
- From the Config Tool homepage, open the System task and click the Roles view.
- Select the Unit Assistant role and click the Properties tab.
- In the Security section, configure the Certificate management settings.
- Security policies
- Allow renewal of expired certificates
- Turn on this setting (on by default) to allow the system to renew unit certificates automatically, even after they are expired. If you do not want expired certificates to be automatically renewed, turn off this setting. You can always manually renew expired certificates from the Hardware inventory task.
- Enable HTTPS on units after successful certificate installation
- Turn on this setting (on by default) to force the unit to switch to HTTPS after the certificate is successfully installed. The HTTPS ports configured in Security Center for the units might change during the process if the Unit Assistant can detect the correct port.
- Notifications
- Specify, in days, how soon you want the system to trigger a warning before a certificate expires (default = 7 days).
If you configured your system to automatically renew certificates X days before they expire, set this value to X minus N, where N is the number of days you give the system to try to automatically renew a certificate before issuing a warning. Also be sure to give yourself enough time to investigate why a certificate was not renewed after you received the warning.
- Certificate information
- Validity period
- This is the validity period of a certificate after a renewal. This value is inherited from the CA. It can only be modified from the Certificate profile page.
- Show advanced
- Click this button to show the optional properties that you can assign to certificates created by your system. The Country, State, Locality, Organization, and Organizational unit help you identify certificates issued for your organization. These values can be overwritten on specific certificate renewals.
- In the Public key infrastructure section, click Set custom endpoint.
- In the Endpoint field, enter the URL of your certificate authority (CA).
NOTE: For Security Center 5.12, the CA is the Certificate Signing role. The syntax of the URL is as follows:
https://hostname:port/management
where hostname is the hostname or IP address of the server hosting the Certificate Signing role, and port is the port number configured in the Properties page of the Certificate Signing role. Make sure the server hosting the Unit Assistant role can access this URL.
IMPORTANT: To simplify the failover configuration, the URL is set by default to https://localhost:port/management. This assumes that both the Unit Assistant role and the Certificate Signing role are always hosted on the same server. If you choose to host the two roles on separate servers, then when a failover occurs, you must manually change the value of the URL here and restart the Unit Assistant role.
- Click Apply.
- Restart the Unit Assistant role for the change to the Endpoint URL to take effect.
- In the left pane, right-click Unit Assistant and then click Maintenance > Deactivate role.
- After the role turns red, right-click Unit Assistant and then click Maintenance > Activate role.
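Before restarting the role, it is worth confirming from the Unit Assistant server itself that the endpoint URL is well formed and that the Certificate Signing role actually answers TLS on that host and port. The following is an added example, not Genetec's code: it assumes the https://hostname:port/management syntax above, that it runs on the server hosting the Unit Assistant role (Windows PowerShell 5.1 or later with the NetTCPIP module, so Test-NetConnection is available), and that the hostname and port in the usage line are placeholders you replace with your own. The TLS handshake accepts any server certificate on purpose, because the role's certificate need not chain to a root the local store trusts; the check is only that TLS is being served there.

```powershell
# Added example (not Genetec's code). Verifies that the Certificate Signing
# role endpoint configured for the Unit Assistant role is syntactically valid
# and reachable from this server. Hostname and port below are placeholders.

function Test-CertificateSigningEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Endpoint
    )

    # Syntax: absolute URL, https scheme, /management path
    $uri = $null
    if (-not [System.Uri]::TryCreate($Endpoint, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Endpoint '$Endpoint' is not a valid absolute URL"
    }
    if ($uri.Scheme -ne 'https') {
        throw "Endpoint must use https, got '$($uri.Scheme)'"
    }
    if ($uri.AbsolutePath -ne '/management') {
        throw "Endpoint path must be /management, got '$($uri.AbsolutePath)'"
    }

    # The default localhost endpoint only works while both roles share a server
    $targetHost = $uri.DnsSafeHost
    if ($targetHost -in @('localhost', '127.0.0.1', '::1')) {
        Write-Warning "Endpoint points at localhost; it breaks if the Certificate Signing role fails over to another server."
    }

    # Layer 4: can this server open a TCP connection to the role's port?
    $tcp = Test-NetConnection -ComputerName $targetHost -Port $uri.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        throw "Cannot open a TCP connection to ${targetHost}:$($uri.Port)"
    }

    # TLS: handshake with the server, accepting any certificate (we only want
    # to know that TLS is served and which certificate is presented).
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors) $true
    }
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $targetHost, $uri.Port
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($targetHost)
        [pscustomobject]@{
            Endpoint      = $Endpoint
            TcpOpen       = $true
            TlsProtocol   = $ssl.SslProtocol
            ServerSubject = $ssl.RemoteCertificate.Subject
            ServerIssuer  = $ssl.RemoteCertificate.Issuer
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Placeholder hostname and port: use the server hosting the Certificate Signing
# role and the port from that role's Properties page.
Test-CertificateSigningEndpoint -Endpoint 'https://cs-server.example.local:443/management'
```

If the TCP test fails but the role is running, look at the Windows Firewall rule for the Certificate Signing role's port on the CA server before touching the Unit Assistant configuration; if the TLS handshake fails on an open port, the port is probably not the one configured on the Certificate Signing role's Properties page.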
- Click Certificate profile to configure the policies and limits that the CA applies to certificate requests.
- Allowed domain name
- Must match your network domain name. Leave it blank if you do not want to include the domain name in the certificates.
- Allowed IPv4 range
- Enter the IPv4 range of the units you expect to connect to on your network. Leave it blank if you do not want the units to use IPv4.
The IP range must follow the CIDR convention. All units must be found within this range of IP addresses. We do not support discrete ranges of IP addresses.
- Allowed IPv6 range
- Enter the IPv6 range of the units you expect to connect to on your network. Leave it blank if you do not want the units to use IPv6.
The IP range must follow the CIDR convention. All units must be found within this range of IP addresses. We do not support discrete ranges of IP addresses.
- Validity period
- Specify, in days or months, the validity period of the renewed certificates according to your security policies. We recommend a period between six months and one year.
- Click Apply.
- Restart the Unit Assistant role for the changes to the Certificate profile page to take effect.
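Because the profile accepts exactly one CIDR block per address family and every unit must fall inside it, it pays to check your unit inventory against the ranges before applying them; a unit outside the range will get its certificate request rejected by the CA. The following is an added example, not Genetec's code: it implements CIDR membership for both IPv4 and IPv6 by comparing address bytes under the prefix mask, and the unit addresses and ranges in the usage lines are constructed placeholders. It generalises slightly beyond the page by handling both families in one function.

```powershell
# Added example (not Genetec's code). Checks that every unit address falls
# inside the single Allowed IPv4 range / Allowed IPv6 range you intend to
# enter in the certificate profile. Sample addresses below are constructed.

function Test-IPInCidr {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [Parameter(Mandatory)] [string] $Cidr
    )

    $network, $prefixText = $Cidr -split '/', 2
    if (-not $prefixText) { throw "Range '$Cidr' must use CIDR notation, e.g. 10.0.0.0/16" }
    $prefix = [int]$prefixText

    $ip  = [System.Net.IPAddress]::Parse($IPAddress)
    $net = [System.Net.IPAddress]::Parse($network)

    # An IPv4 address never matches an IPv6 range and vice versa
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }

    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $net.GetAddressBytes()
    $maxBits  = $ipBytes.Length * 8
    if ($prefix -lt 0 -or $prefix -gt $maxBits) { throw "Prefix length /$prefix is invalid for $Cidr" }

    # Whole bytes covered by the prefix must match exactly ...
    $fullBytes = [int][math]::Floor($prefix / 8)
    for ($i = 0; $i -lt $fullBytes; $i++) {
        if ($ipBytes[$i] -ne $netBytes[$i]) { return $false }
    }
    # ... and the partial byte, if any, must match under the remaining-bits mask
    $remainingBits = $prefix % 8
    if ($remainingBits -gt 0) {
        $mask = (0xFF -shl (8 - $remainingBits)) -band 0xFF
        if (($ipBytes[$fullBytes] -band $mask) -ne ($netBytes[$fullBytes] -band $mask)) { return $false }
    }
    return $true
}

function Test-UnitsInRange {
    param(
        [Parameter(Mandatory)] [string[]] $UnitAddresses,
        [string] $AllowedIPv4Range,   # blank = units must not use IPv4
        [string] $AllowedIPv6Range    # blank = units must not use IPv6
    )
    foreach ($addr in $UnitAddresses) {
        $family = [System.Net.IPAddress]::Parse($addr).AddressFamily
        $range  = if ($family -eq 'InterNetwork') { $AllowedIPv4Range } else { $AllowedIPv6Range }
        $ok     = if ($range) { Test-IPInCidr -IPAddress $addr -Cidr $range } else { $false }
        [pscustomobject]@{ Unit = $addr; Range = $range; InRange = $ok }
    }
}

# Constructed sample inventory: three IPv4 units and one IPv6 unit
$units = '10.20.1.15', '10.20.7.200', '10.21.0.5', 'fd00:cafe::1a'
Test-UnitsInRange -UnitAddresses $units -AllowedIPv4Range '10.20.0.0/16' -AllowedIPv6Range 'fd00:cafe::/64' |
    Format-Table -AutoSize
# 10.21.0.5 is outside 10.20.0.0/16. The profile cannot express two discrete
# ranges, so either widen the range (10.20.0.0/15 covers 10.20.x and 10.21.x)
# or readdress that unit before applying the profile.
```

Run it against the unit list exported from the Hardware inventory task; any row with InRange = False needs to be resolved by widening the single CIDR block or by readdressing the unit, since the profile cannot express disjoint ranges.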
- Select the certificate-related health events that you want to monitor.
The certificate-related health events that you can monitor are:
- Certificate warning
- The certificate is about to expire.
- Certificate error
- There’s an error that makes communications with the unit insecure.
- Certificate valid
- The status of the certificate returned to valid after being in error or warning.
Best Practice: We strongly suggest that you create event-to-actions to inform your system administrator when certificate-related issues occur.
After you finish
Also note that the root certificate of the old CA isn’t automatically removed when it’s no longer in use. If required, after all unit certificates have been renewed, you can manually remove it from the Windows Certificate Store.
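Removing a root from the machine store is an irreversible trust change, so do it by thumbprint, after verifying that the certificate is self-signed and that no unit certificate still chains to it. The following is an added example, not Genetec's code: it assumes you run it in an elevated PowerShell session on the server whose Windows Certificate Store holds the old root, and the thumbprint in the usage line is a placeholder for the one you read off the retired CA's root certificate.

```powershell
# Added example (not Genetec's code). Removes a retired CA root certificate
# from the machine Root store by thumbprint, with a self-signed sanity check
# and -WhatIf support so you can dry-run it first. Thumbprint is a placeholder.

function Remove-RetiredRootCA {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $store = 'Cert:\LocalMachine\Root'
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()

    $cert = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate with thumbprint $wanted in $store" }

    # Only self-signed certificates belong in the Root store; anything else
    # there is a misconfiguration to investigate, not something to delete blindly.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$wanted is not self-signed (subject '$($cert.Subject)', issuer '$($cert.Issuer)')"
    }

    if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$wanted]", "Remove from $store")) {
        $cert | Remove-Item
        Write-Verbose "Removed $($cert.Subject) from $store"
    }
}

# Dry run first (placeholder thumbprint: replace with the old CA root's), then
# run again without -WhatIf from an elevated session.
Remove-RetiredRootCA -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -WhatIf
# Remove-RetiredRootCA -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Verbose
```

Do this only once the Hardware inventory task shows every unit with a certificate issued by the new CA; a unit that still presents a certificate chained to the old root will drop to a Certificate error health event as soon as the root is gone.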