Overview of the scenarios and procedures used with certificates

The procedures for configuring secure communication in an XProtect VMS environment are different, depending on which type of servers require secure communication.

The procedures are also different in a WORKGROUP network compared to a DOMAIN network.

The types of XProtect VMS client applications that are used in the system also determine some of the required procedures for secure communications.

On a single-server installation, where all server components run on one host, certificates for the server-to-server communication can usually be left out; the one exception is that a certificate still serves as an extra safeguard for communication with the management server.

This list shows the different scenarios:

  • XProtect Mobile Server

    In XProtect VMS, encryption is enabled or disabled per Mobile Server. You enable or disable encryption either during installation of the XProtect VMS product or by using the Server Configurator. When you enable encryption on a Mobile Server, you then use encrypted communication with all clients, services, and integrations that retrieve data streams.

    The Mobile Server connects to the XProtect Mobile client and XProtect Web Client. The browsers, operating systems, and mobile devices that host these clients maintain a list of trusted CA root certificates. As with any certificate, only the CA knows its private key, while its public key is distributed to everyone through those root certificates.

    These clients therefore already have the root certificates they need, and work with almost any certificate that a third-party CA can issue for installation on the Mobile Server itself.

    Since each third-party CA has its own requirements for requesting a certificate, it is best to check the individual requirements directly with the CA.

    This document describes how to create a certificate request on the Mobile Server and install the certificate once it has been issued from the CA.

    See:

    Install certificates for communication with the mobile server

  • Milestone XProtect Management Server and Recording Server

    You can encrypt the two-way connection between the Management Server and the Recording Server. When you enable encryption on the Management Server, it applies to connections from all the Recording Servers that connect to the Management Server. If you enable encryption on the Management Server, you must also enable encryption on all of the Recording Servers. Before you enable encryption, you must install security certificates on the Management Server and all Recording Servers, including Failover Recording Servers.

  • XProtect Event Server

    You can encrypt the two-way connection between the Event Server and the components that communicate with the Event Server, including the LPR Server. When you enable encryption on the Event Server, it applies to connections from all the components that connect to the Event Server. Before you enable encryption, you must install security certificates on the Event Server and all connecting components.

    See:

    Install certificates for communication with the Event Server

  • Client

    In the third-party/commercial CA and Domain scenarios, the clients already trust the issuing CA, so no certificate needs to be installed on them. Only in a Workgroup environment must you import the certificate on each client.

    When you enable encryption on a Recording Server, communication with all clients, servers, and integrations that retrieve data streams from the Recording Server is encrypted.

    In this document these are referred to as 'clients' to the Recording Server:

    • XProtect Smart Client
    • Management Client
    • Management Server (for System Monitor and for images and AVI video clips in email notifications)
    • XProtect Mobile Server
    • XProtect Event Server
    • XProtect LPR
    • Milestone Open Network Bridge
    • XProtect DLNA Server
    • Sites that retrieve data streams from the recording server through Milestone Interconnect
    • Some third-party MIP SDK integrations
      For solutions built with MIP SDK 2018 R3 or earlier that access recording servers: if the integration is made using MIP SDK libraries, it needs to be rebuilt with MIP SDK 2019 R1; if it communicates directly with the Recording Server APIs without using MIP SDK libraries, the integrator must add HTTPS support themselves.

    See:

    Which clients need certificates?

    Import client certificates
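The XProtect Mobile Server scenario above says that a certificate request is created on the Mobile Server and the issued certificate is installed there once the CA returns it. The following is an added example of that server-side work, using the certreq.exe tool built into Windows; it is not Milestone's own code or procedure, and the host name, file paths, and CA-side handling are assumptions for illustration. The final step of selecting the installed certificate in the Server Configurator is done in the Milestone tool and is not shown.

```powershell
# Added example (not from the Milestone documentation): request, install and
# check a TLS server certificate on the Mobile Server host with certreq.exe.
# Host name and file paths are assumptions for illustration.
$HostName = 'mobile.example.com'   # assumed: the name clients type into the browser or app
$WorkDir  = 'C:\certs'             # assumed working folder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Request template. The key pair is generated in the machine store and is
#    not exportable. The DNS name goes into the Subject Alternative Name,
#    which is what browsers and mobile clients match against the URL.
@"
[NewRequest]
Subject = "CN=$HostName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"
"@ | Set-Content -Path "$WorkDir\mobile.inf" -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request. Submit mobile.csr to the CA
#    following that CA's own request procedure.
certreq.exe -new "$WorkDir\mobile.inf" "$WorkDir\mobile.csr"

# 3. When the CA returns the issued certificate (assumed saved as mobile.cer),
#    accept it on the same host so it is joined to the pending private key.
certreq.exe -accept "$WorkDir\mobile.cer"

# 4. Checks before selecting the certificate in the Server Configurator: it must
#    carry its private key, and it must chain to a root this machine trusts.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$HostName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate for $HostName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; was -accept run on this host?" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Chain does not validate on this host; clients will see the same error"
}
"OK: $($cert.Thumbprint) valid until $($cert.NotAfter), chain of $($chain.ChainElements.Count) certificates"
```

Run this in an elevated PowerShell session on the Mobile Server host, because the key is created in the machine store. If the chain check fails with an untrusted root, the issuing CA is one the host does not trust yet; that is the same condition the clients will hit, and it points at the workgroup procedure for importing the CA certificate.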
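The Client scenario above says that clients in the commercial-CA and Domain cases already trust the server's certificate, while Workgroup clients need the certificate imported. The following added example, which is not Milestone's code, shows how to check from a client machine whether a given server's certificate is trusted the way the listed clients would judge it, and how to apply the workgroup fix when it is not. The host name, port, and the path of the exported CA certificate are assumptions; use the actual server name and the port on which encryption was enabled.

```powershell
# Added example (not from the Milestone documentation): from a client machine,
# fetch the certificate a server presents during the TLS handshake and validate
# it against this machine's trusted root store. Host name, port and CA file
# path are assumptions for illustration.
function Test-XProtectServerTrust {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so it can be inspected afterwards
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain with this machine's trust stores, as a client would
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline lab; use 'Online' in production
        $trusted = $chain.Build($remote)

        # Does the name the client connects with appear in the SAN (or, failing that, the CN)?
        $san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = if ($san) { $san.Format($false) } else { $remote.Subject }
        $nameMatch = [bool]($names -match [regex]::Escape($HostName))

        [pscustomobject]@{
            Host         = "$HostName`:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            Expires      = $remote.NotAfter
            NameMatches  = $nameMatch
            ChainTrusted = $trusted
            ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Assumed host and port of an encrypted Recording Server. A result with
# ChainTrusted = False and ChainErrors = UntrustedRoot is the workgroup case:
# the client does not yet trust the CA that issued the server certificate.
$result = Test-XProtectServerTrust -HostName 'rec01.example.local' -Port 7563
$result | Format-List
if (-not $result.ChainTrusted -and $result.ChainErrors -match 'UntrustedRoot') {
    # Workgroup fix: import the issuing CA certificate (assumed exported to this path)
    # into the client's trusted root store, then re-run the check.
    Import-Certificate -FilePath 'C:\certs\xprotect-ca.cer' -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Test-XProtectServerTrust -HostName 'rec01.example.local' -Port 7563 | Format-List
}
```

A result with ChainTrusted = True but NameMatches = False means the certificate is trusted but was issued for a different name than the one the client uses; clients will still reject it, so either reissue the certificate with that name in the SAN or point the clients at a name the certificate covers. Run the import step elevated, since it writes to the machine's root store.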