Preventing compromised certificates from being used in your system - Security Center 5.8

Security Center Administrator Guide 5.8

series
Security Center 5.8
revised_modified
2020-08-17

If you suspect that an encryption certificate has been compromised, you can prevent the certificate from ever being used again in your system by removing it from the Archiver and deleting all key streams that were generated with that certificate.

What you should know

The encryption certificate (containing the private key) is what allows a client machine to query the Archiver for encrypted data, and to decrypt the key stream and the data when it is received from the Archiver. For more information, see How does fusion stream encryption work?
CAUTION:
From the Archiver, if you remove the last certificate used to encrypt a camera, the camera ceases to be encrypted and all future data from that camera becomes accessible to all machines in your system. However, data that was previously encrypted remains encrypted.

Procedure

  1. From the Config Tool home page, open the Video task.
  2. Do one of the following:
    • If encryption is configured at the Archiver level, select the Archiver and click the Camera default settings tab.
    • If encryption is configured at the camera level, select the camera and click the Recording tab.
  3. From the Certificates list, select the compromised certificate, and click Remove the item ().
    NOTE: You cannot leave Encryption on if there are no certificates configured.
  4. Click Apply.
  5. In the message box that appears, do one of the following:
    • Click Yes to delete the selected certificate with the associated key streams (client-specific key streams).
      Best Practice: This is the recommended choice if you know your certificate has been compromised.
      CAUTION:
      If this certificate is the only certificate from which you can access your encrypted data, deleting it means you can never recover your data.
    • Click No to delete only the selected certificate from the Archiver, without deleting the associated key streams.

      This option stops the Archiver from generating new key streams from the selected certificate. This prevents the affected client machines from accessing the new data from the encrypted camera. This does not prevent the data that was archived prior to this operation from being accessed from machines on which the selected certificate is installed.

  6. Click Apply.