Securing the communication between the Unit Assistant role and the Certificate Signing role - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-09-13

To secure the communication between the Unit Assistant role and the Certificate Signing role, you must create a trusted certificate for the localhost.

What you should know

The Unit Assistant role connects to the Certificate Signing role using a URL of the form https://hostname:port/management where hostname is the IP address or the host name of the server hosting the Certificate Signing role. To have a simple and robust failover configuration, the two roles must be hosted on the same server. This way, when a failover occurs, both roles fail over to the same server. This also allows us to use localhost instead of the host name in the connection URL. For this reason, the certificate used to secure the communication between the two must be identified as localhost.
NOTE: A consequence of this approach is that only the Config Tool running on the server hosting the Certificate Signing role can be used to fully configure the Unit Assistant role.

Procedure

  1. Generate the certificate used to secure the communication between these two roles.
    1. In the Windows taskbar, click Search and enter PowerShell.
    2. In the search result, right-click Windows PowerShell and click Run as administrator.
      The Windows PowerShell window opens.
    3. Enter the command $PSVersionTable to find out the version you are running.
      IMPORTANT: You must have PowerShell version 5.1.17763.2931 or later. If your version is too old, you must run PowerShell on a server that has a supported version installed, generate and export the certificate, and then import it on the server hosting your two roles.
    4. Enter the following command to generate a self-signed certificate.
      New-SelfSignedCertificate -Type Custom -Subject "CN=SigningPluginSSL, O=Genetec Inc., OU=SigningPluginSSL, C = CA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1", "2.5.29.17={text}DNS=localhost") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My"
      NOTE: To run this command, first copy the preceding string to Notepad, remove the line breaks, then paste the string without line breaks to the Windows PowerShell window.

      In our sample command, we use SigningPluginSSL as the certificate name. If you prefer a different name, simply replace SigningPluginSSL, found in two places, with the name of your choice.

    5. Close the Windows PowerShell window.
  2. Open the Microsoft Management Console.
    • On Windows Server, do the following:
      1. In the Windows taskbar, click Search and enter mmc.
      2. In the window that opens, click File > Add/Remove Snap-in.
      3. In the Add or Remove Snap-ins window that opens, click Certificates > Add.
        Microsoft Management Console - Adding the Certificates snap-in.
      4. In the Certificates snap-in dialog box that opens, click Computer account > Next.
        Dialog box showing the selection of "Computer account" for the snap-in.
      5. Click Finish > OK.

        The Certificate management snap-in is added.

    • On Windows 10, do the following:
      1. In the Windows taskbar, click Search and enter Certificates.
      2. In the search results, click Manage computer certificates.
  3. In the left pane of the Microsoft Management Console window, expand Personal and click Certificates.
  4. In the right pane of the window, right-click the certificate you created (SigningPluginSSL) and click Copy.
    Microsoft Management Console showing the personal certificates SigningPluginSSL being copied.
  5. In the left pane of the window, expand Trusted Root Certification Authorities and click Certificates.
  6. Right-click Certificates and then click Paste.
    Microsoft Management Console showing a personal certificate being pasted to Trusted Root Certification Authorities.
  7. Open Server Admin, and in the left pane, click the name of your server.
  8. In the Secure communication section, click Select certificate.
  9. In the dialog box that opens, click the certificate you created earlier (SigningPluginSSL) and click Select.
    Server Admin window showing the sequence of steps to select the certificate.
  10. Click Save > Yes, and close Server Admin.
  11. If you have more than one server assigned to the Unit Assistant role, repeat the same process on the other servers.
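The following script is an added example, not part of the Genetec guide: it performs steps 1 through 6 of the procedure (generate the certificate, then place its public part in Trusted Root Certification Authorities) from an elevated PowerShell window and then checks the result before you select the certificate in Server Admin. $CertName and $ExportDir are assumed placeholder values.

```powershell
# Added example (not from the Genetec guide): script the certificate part of the
# procedure and verify the result before selecting it in Server Admin.
# Assumptions: run as administrator; $CertName and $ExportDir are placeholders.
$CertName  = 'SigningPluginSSL'
$ExportDir = 'C:\Temp'   # constructed path for the exported .cer file

# 1. Generate the self-signed certificate the way the guide does: EKU = client
#    authentication + server authentication, SAN = DNS:localhost, in LocalMachine\My.
$cert = New-SelfSignedCertificate -Type Custom `
    -Subject "CN=$CertName, O=Genetec Inc., OU=$CertName, C=CA" `
    -TextExtension @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1',
        '2.5.29.17={text}DNS=localhost') `
    -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Scripted equivalent of the MMC copy/paste: export the public certificate only
#    (.cer, no private key) and import it into Trusted Root Certification Authorities.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$cerPath = Join-Path $ExportDir "$CertName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Checks: SAN names localhost, EKU includes Server Authentication, the private
#    key is present in My, and the same thumbprint is now a trusted root.
if ($cert.DnsNameList.Unicode -notcontains 'localhost') {
    throw 'SAN is missing DNS=localhost'
}
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'EKU lacks Server Authentication'
}
if (-not $cert.HasPrivateKey) {
    throw 'Private key is not present in LocalMachine\My'
}
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw 'Certificate is not in Trusted Root Certification Authorities'
}

# 4. Chain validation for the way the Unit Assistant role will use it: an SSL
#    server certificate for the host name "localhost".
$ok = Test-Certificate -Cert $cert -DNSName 'localhost' -EKU '1.3.6.1.5.5.7.3.1' -Policy SSL
if (-not $ok) { throw 'Certificate does not validate as an SSL certificate for localhost' }
Write-Output "OK: $CertName ($($cert.Thumbprint)) is ready to be selected in Server Admin."
```

If the PowerShell on the target server is too old (see the IMPORTANT note in step 1), run the generation part elsewhere and move the certificate with Export-PfxCertificate and Import-PfxCertificate so that the private key travels with it; the .cer export above carries only the public key and is suitable only for the Trusted Root store.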