Install third-party or commercial CA certificates for communication with the Management Server or Recording Server

Management Servers and Recording Servers do not require trusted third-party or commercial CA certificates for encryption, but you can choose to use these certificates if it is part of your security policy, and they will be automatically trusted by client workstations and servers.

The process is identical to the Mobile Server certificate installation.

When you configure encryption for a server group, it must either be enabled with a certificate belonging to the same CA certificate or, if the encryption is disabled, then it must be disabled on all computers in the server group.

Certificates issued by CA (Certificate Authority) have a chain of certificates and on the root of that chain is the CA root certificate. When a device or browser sees this certificate, it compares its root certificate with pre-installed ones on the OS (Android, iOS, Windows, etc.). If the root certificate is listed in the pre-installed certificates list, then the OS ensures the user that the connection to the server is secure enough. These certificates are issued for a domain name and are not free of charge.

Add a CA certificate to the server

Add the CA certificate to the server by doing the following.

Specific parameters depend on the CA. Refer to the documentation of your CA before proceeding.

1. On the computer that hosts the XProtect server, open the Microsoft Management Console.

   

2. In the Microsoft Management Console, from the File menu select Add/Remove Snap-in….

   

3. Select the Certificates snap-in and click Add.

   Click OK.

   

4. Expand the Certificates object. Right-click on the Personal folder and select All Tasks > Advanced Operations > Create Custom Request.

   

5. Click Next in the Certificate Enrollment wizard and select Proceed without enrollment policy.

   Click Next.

   

6. Select the (No template) CNG Key template and the CMC request format, and click Next.

   

   The request format depends on the CA. If the wrong format is chosen, the CA will issue an error when the certificate signing request (CSR) is submitted. Check with the CA to make sure you choose properly.

7. Expand to view the Details of the custom request, and click Properties.

8. On the General tab, fill in the Friendly name and Description fields with the domain name registered with the CA.

   

9. On the Subject tab, enter the parameters as required by the specific CA.

   For example, the subject name Type and Value are different for each CA. One example is the following required information:

   • Common Name:

   • Organization:

   • Organizational Unit:

   • City/Locality:

   • State/Province:

   • Country/Region:

   

10. Some CAs don't require extensions. However, if required, go to the Extensions tab and expand the Key usage menu. Add the required options from the list of Available options to the Selected options list.

    

11. On the Private Key tab, expand the Key options menu.

    Set the key size to 2048 and select the option to make the private key exportable.

    The key size variable is determined by the CA, therefore a higher size key may be required. Other options, such as a specific Hash Algorithm (sha256), may also be required. Adjust all of the options required before proceeding to the next step.

    

12. Unless the CA requires a signature, the next step is to click OK.

13. When all of the certificate properties have been defined, click Next on the Certificate Enrollment wizard.

    

14. Select a location to save the certificate request and a format. Browse to that location and specify a name for the .req file. The default format is base 64, however some CAs require the binary format.

15. Click Finish.

    

A .req file is generated, which you must use to request a signed certificate.

Upload the .req file to receive a signed certificate in return

Every CA has a different process for uploading .req files in order to receive a signed certificate in return. Refer to the documentation of your CA for information on retrieving a signed certificate.

In most third-party CA situations, it is required to download a .ZIP file, and extract the contents to the computer that hosts the XProtect server.

There are several file types that could be included in the extracted .ZIP file contents.

.CER or .CRT files can be installed using a similar process. Right-click the file and choose Install Certificate from the shortcut menu.

The following steps use a .CER file from an internal CA.

Your CA will need the contents of the .req file. You will be asked to copy the entire text of the .req file, including the begin and end lines, and paste the text into a field made available at a portal managed by the CA.

1. Browse to the location of the .req file and open it in Notepad, and paste the text into a field made available at a portal managed by your CA.

   

2. When you receive the certificate from your CA, browse to the downloads folder (or wherever you choose to store the folder on the computer), right-click the certificate and select Install Certificate.

   

3. Accept the security warning if it appears.

   Select to install the certificate for the local machine and click Next.

   

4. Choose a storage location, and browse to the Personal certificate store, and click Next.

   

5. Finish the Install Certificate wizard.

Enable encryption to and from the Management Server