Certificates guide for Milestone XProtect products

This guide gives you an introduction to encryption and certificates, together with step-by-step procedures on how to install certificates in a Windows Workgroup environment.

Milestone recommends that you establish a Public Key Infrastructure (PKI) for creating and distributing certificates. A PKI is a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. In a Windows domain, it's recommended to establish a PKI using the Active Directory Certificate Services (AD CS).
If you are unable to build a PKI, either due to having different domains without trust between them or due to not using domains at all, it's possible to manually create and distribute certificates.
WARNING: Creating and distributing certificates manually isn't recommended as a secure way of distributing certificates. If you choose manual distribution, you are responsible for always keeping the private certificates secure. When you keep the private certificates secure, the client computers that trust the certificates are less vulnerable to attacks.

When do you need to install certificates?

First, decide whether your system actually needs encrypted communication.

Don't use certificates with recording server encryption if you are using one or more integrations that don't support HTTPS communication. Examples include third-party MIP SDK integrations that don't support HTTPS.

Unless your installation is made in a physically isolated network, it's recommended that you secure the communication by using certificates.

This document describes when to use certificates:

  • If your XProtect VMS system is set up in a Windows Workgroup environment
  • Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption during the installation
  • Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption
  • When you renew or replace certificates due to expiry