Using trusted certificates on Synergis™ units (Advanced) - Security Center 5.11

Security Center Hardening Guide 5.11

Applies to
Security Center 5.11
Last updated
2022-10-12
Content type
Guides > Administrator guides
Language
English (United States)
Product
Security Center
Version
5.11

The self-signed certificate that ships with the unit by default cannot be validated against a chain of trust the way a Public Key Infrastructure (PKI) normally enforces. For stronger security, use a fully trusted certificate signed by a certificate authority instead.

Before you begin

Security Center can automatically deploy signed certificates on Synergis™ units from a central location and renew them when they are about to expire. We recommend using this feature for the benefits of centralized management if your Synergis™ units are one of the following:
  • Cloud Link Roadrunner™
  • Synergis™ Cloud Link
  • Legacy Synergis™ Cloud Link running Synergis™ Softwire 11.2 or later

For more information, see Unit certificate management. If your access control units do not support the Security Center unit certificate management feature, install signed certificates using the following procedure.

What you should know

  • Using certificates signed by a certificate authority is better for setups where multiple computers and browsers access the Synergis™ unit because you do not need to configure each browser to recognize these trusted certificates.
  • The Synergis™ Cloud Link unit comes with an ECDSA certificate by default. When you try to enroll a new Synergis™ Cloud Link unit on a system running an operating system that lacks support for ECDSA, the enrollment fails because no compatible cipher is available.

    If the enrollment fails, upgrade your operating system to one that supports ECDSA or generate a new RSA certificate on the unit and then try enrolling the unit again.

Procedure

  1. Log on to the Synergis™ unit.
  2. Click Configuration > Certificates.
  3. In the Certificate management section, complete the identification fields.
    The Common name field contains the unit's hostname by default. The Subject alternative name field also contains the hostname by default, but can be edited to a comma-separated list of DNS names.
    NOTE: The Common name, Subject alternative name, and Country fields are mandatory.
    (Figure: Certificate management section of the Certificates page in the Synergis™ Appliance Portal.)
  4. From the Certificate type list, select one of the following algorithms and key lengths:
    • ECDSA 256 bits
    • ECDSA 384 bits
    • RSA 2048 bits
    • RSA 3072 bits
    • RSA 4096 bits
  5. Click Create certificate signing request.
    A .req file is generated, containing the public portion of the certificate. The file does not contain the private key and is therefore not confidential.
  6. In Windows File Explorer, navigate to your Downloads folder, and then copy the signing request .req file and send it to a certificate authority.
    After verification, the certificate authority signs the public portion of the certificate with its own private key.
  7. After you receive the certificates from the certificate authority, import the signed certificate.
    1. Log back on to the unit and click Configuration > Certificates.
    2. In the Import signed certificate section, click Select certificate and browse to the folder with the certificates.
    3. Select the first certificate and click Upload. Repeat for the remaining certificates.
      NOTE: Each certificate in the certificate chain must be uploaded individually, or in one operation if you received a .p7b collection file. If you received the collection file, you can omit uploading the root certificate.

Results

Your unit no longer shows a security error in the address bar when you connect using its hostname.

After you finish

If the unit was already enrolled in Security Center, the Access Manager will not trust the new certificate and cannot connect to the unit until you reset the trusted certificate in Config Tool.

For more information, see Resetting the trusted certificate.