Unit certificate management is the feature that you need to deploy trusted certificates on your units from a central location. The Unit Assistant role is responsible for managing the certificates and requires the Certificate Signing role to be its certificate authority (CA).
With the Unit Assistant role, you can configure Security Center to install trusted identity certificates on your access control and video units, and automatically renew them when they are about to expire.
- Installs the certificate authority (CA)'s root certificate on the servers hosting the Archiver and the Access Manager roles. This ensures that these servers trust the certificates signed by this CA.
  NOTE: The Certificate Signing plugin role handles the job of the CA. The plugin package is installed by default when you install Security Center, but the plugin role is not created by default. You must create the plugin role if you want to enable unit certificate management in your system.
- Installs certificates signed by the trusted CA on selected access control and video units to encrypt communications between Security Center and the units.
  NOTE: The role connects to the units. In this context, the role is the client and the units are the servers. For this reason, the certificates installed on the units are called server certificates.
After a certificate is successfully installed on a unit, the unit automatically switches from HTTP to HTTPS, and from RTSP to RTSPS if the unit supports it. From that point on, the system manages the unit certificate.
You can perform all certificate deployment operations through the Hardware inventory task and scheduled tasks. You need special privileges to perform these operations.
Supported certificate deployment operations
Operation | Required privileges |
---|---|
Manually install or renew certificates on selected access control and video units with the Hardware inventory task. You can renew certificates unit by unit or in batches. | Update access control unit certificate; Update video unit certificate |
Automatically renew certificates using the Renew unit certificates action through scheduled tasks. | Update access control unit certificate; Update video unit certificate; Modify certificate management settings |
Configure the system settings for certificate management in Config Tool. You can configure the settings such as when to send a notification when a certificate is about to expire and the certificate validity period. You can also change the certificate profile followed by the CA from Config Tool. | Modify certificate management settings |
Configure the options in the Advanced security settings section of the Access Manager and Archiver roles' Extensions pages. | Modify role properties |
Supported access control units
- Cloud Link Roadrunner
- Synergis Cloud Link
- Legacy Synergis Cloud Link running Synergis Softwire 11.2 or later
Supported video units
Only certain models of video units support the certificate management feature. You might have to upgrade the unit firmware for this feature to work. For the list of manufacturers that support this feature, see Manufacturers that support certificate management.
Best practices for unit certificate management
- Monitor unit certificate status and update results with the Hardware inventory task.
  You can save the report as a public task and monitor the results in the dashboard. For more information, see Creating a dashboard.
- Track manually updated certificates with the Activity trails task.
  Only manual certificate renewals are tracked as user activities. Certificates renewed automatically through scheduled tasks are not tracked in the Activity trails report.
- Changing a unit certificate causes a short recording interruption, so choose a time of day that minimizes disruption to your operations.
- Make sure you do not change the certificate and the password on the same units at the same time.
- When automatically renewing certificates, do not exceed 100 access control units or 1,000 video units per batch.
Limitations
- The Unit Assistant GUI might become unresponsive for several minutes if one of the components involved in certificate signing (Directory, Unit Assistant, Certificate Signing) fails over to its secondary server while the Unit Assistant is performing a large batch of certificate updates.
- When a certificate generated by Security Center expires, the access control or video unit continues to operate normally until the next time it reconnects. The unit might take up to 10 hours to display the expired certificate warning status.
- A supported Synergis™ unit cannot be updated if its current self-signed certificate is generated from the Synergis™ Appliance Portal.
  If you ask the system to update the certificate for such a unit, you get the error message Failed to generate certificate signing request. As a workaround, temporarily enable advanced security settings to update the certificate, as follows:
  - Go to the Access Manager role's Extensions page, and click the Synergis tab.
  - In the Advanced security settings section, enable the Allow unknown certificate authority and Allow certificates with an invalid subject name options.
  - Click Apply.
  - When the unit comes back online, open the Hardware inventory task, and then update the unit's certificate.
  - Go back to the Access Manager role's Extensions page, and disable the Allow unknown certificate authority and Allow certificates with an invalid subject name options.
  - Click Apply.
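The two options in this workaround are named after checks that a TLS client normally applies to a server certificate. The script below is an added illustration, not Genetec code, and assumes the options relax the standard chain-of-trust and subject-name checks: it runs those two checks plus an expiry check with the openssl CLI against constructed certificates (the CA name, host names and file names are invented for the demo).

```shell
#!/bin/sh
# Added example. The CA name, host names and file names are constructed.

# classify_cert CA_PEM CERT_PEM HOST WARN_DAYS
# Prints one of: unknown-ca | invalid-subject | expiring | ok
classify_cert() {
    # 1. Chain of trust: is the certificate signed by the CA we trust?
    #    (-no_check_time keeps expiry out of this step; step 3 handles it.)
    openssl verify -no_check_time -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo unknown-ca; return 0; }
    # 2. Subject name: does the certificate name the host we connect to?
    openssl verify -no_check_time -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1 ||
        { echo invalid-subject; return 0; }
    # 3. Expiry: is the certificate still valid WARN_DAYS from now?
    openssl x509 -in "$2" -noout -checkend "$(( $4 * 86400 ))" >/dev/null 2>&1 ||
        { echo expiring; return 0; }
    echo ok
}

# make_demo_pki DIR: build a constructed CA, a CA-signed unit certificate
# (30 days, SAN unit1.example.test) and a self-signed unit certificate.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=demo\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
    printf 'subjectAltName=DNS:unit1.example.test\n' > "$d/san.ext"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Signing CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=unit1.example.test" -keyout "$d/unit.key" -out "$d/unit.csr" 2>/dev/null
    openssl x509 -req -in "$d/unit.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 30 -extfile "$d/san.ext" -out "$d/unit.pem" 2>/dev/null
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=unit2.example.test" -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
echo "CA-signed unit:   $(classify_cert "$DEMO/ca.pem" "$DEMO/unit.pem" unit1.example.test 7)"
echo "wrong host name:  $(classify_cert "$DEMO/ca.pem" "$DEMO/unit.pem" other.example.test 7)"
echo "self-signed unit: $(classify_cert "$DEMO/ca.pem" "$DEMO/self.pem" unit2.example.test 7)"
```

A certificate that reports ok here passes with both checks enforced, which is the state the last two steps of the workaround restore.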