Install certificates in a domain for communication with the Management Server or Recording Server

When client and server endpoints all operate within a domain environment, you do not need to distribute the CA certificate to client workstations by hand. Group Policy distributes the domain's trusted CA certificates to every user and computer in the domain, so a server certificate issued by the enterprise CA is trusted by domain clients automatically. Only the server certificate, with its private key, has to be installed on the server itself.

This is because, when you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain.

You must be a member of the Enterprise Admins group (or of Domain Admins in the forest root domain) to install an enterprise root CA, because the CA writes its own certificate and configuration into Active Directory.

Microsoft provides extensive documentation for Windows Server that covers certificate templates for server certificates, installation of the CA, and certificate deployment; see Microsoft's Server Certificate Deployment Overview.

Add a CA certificate to the server

Create a certificate request on the server by doing the following. The domain CA signs this request, and the resulting certificate is what the Management Server or Recording Server presents to clients.

  1. On the computer that hosts the XProtect server, open the Microsoft Management Console.

  2. In the Microsoft Management Console, from the File menu select Add/Remove Snap-in….

  3. Select the Certificates snap-in and click Add.

  4. In Certificates snap-in, select Computer account.

  5. In Select Computer, select Local computer.

    Select Finish, then OK.

  6. Expand the Certificates object. Right-click on the Personal folder and select All Tasks > Advanced Operations > Create Custom Request.

  7. Click Next in the Certificate Enrollment wizard, select Proceed without enrollment policy, and click Next.

    If your Group Policy already contains a Certificate Enrollment Policy, confirm the rest of this process with your Domain Administration team before proceeding.

  8. Keep the default (No template) CNG Key template, choose the CMC request format, and click Next.

  9. Expand Details of the custom request and click Properties.

  10. On the General tab, fill in the Friendly name and Description fields with the domain name, computer name, or organization.


  11. On the Subject tab, under Subject name, set Type to Common name, enter the host name of the computer where the certificate will be installed as the value, and click Add.

    Use the name that clients will actually connect with, normally the fully qualified domain name. On the same tab, under Alternative name, add that name with Type DNS as well: current browsers and TLS libraries match the host name against the Subject Alternative Name rather than the Common Name and reject a certificate that carries only a CN.

  12. On the Extensions tab, expand Extended Key Usage (application policies) and add Server Authentication from the list of available options.

  13. On the Private Key tab, expand Key options.

    Set the key size to 2048 or larger. Select the option to make the private key exportable if you need to back the certificate up or move it to another computer (a failover server, for example); otherwise leave it unselected, because an exportable key can be copied out of the store by any local administrator.

    Click OK.

  14. When all of the certificate properties have been defined, click Next on the Certificate Enrollment wizard.

  15. Select a location and a file format for the certificate request. Browse to that location and specify a name for the .req file. The default format is Base 64.

  16. Click Finish.


  17. A .req file is generated, which you must use to request a signed certificate.

Upload the .req file to receive a signed certificate in return

You must copy the entire text of the .req file, including the begin and end lines, and paste the text to the internal Active Directory Certificate Services certificate authority in the network. See Install Active Directory Certificate Services.

Unless your domain has only recently installed Active Directory Certificate Services, or it has been installed just for this purpose, you will need to submit this request following a separate procedure configured by your Domain Administration team. Please confirm this process with them before proceeding.

  1. Browse to the location of the .req file and open it in Notepad.

  2. Copy the entire contents of the file, including the dashed lines marking the beginning and the end of the certificate request.

  3. Open a web browser and enter the address of the domain CA's web enrollment site (by default https://<CA host name>/certsrv).

  4. Click the Request a certificate link.

  5. Click the advanced certificate request link.


  6. Paste the contents of the .req file into the Saved Request field. If you are required to select a certificate template, select Web Server from the Certificate Template list.

  7. Click Submit.

    If the CA is configured to hold requests for administrator approval, the site reports that the request is pending and that the certificate will be issued later, typically within a few days.

Your Domain Administration team will likely distribute and install the certificate for you.
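The request, submission and installation above can also be driven from PowerShell with certreq, which produces the same kind of certificate as the MMC wizard and the /certsrv form. This is an added example, not Milestone's own tooling or text. The CA configuration string ca01.corp.example.com\Corp-Issuing-CA and the template name WebServer are assumptions to replace with your own values (certutil -dump lists the CAs in the forest with their Config strings), and the script assumes the host's DNS name resolves to its fully qualified name.

```powershell
# Added example (not from the Milestone page): create the server certificate request,
# submit it to the enterprise CA, and install the issued certificate with certreq.
# Run in an elevated PowerShell on the XProtect server.
# Assumptions (replace with your own values): the CA configuration string and the
# template name. certutil -dump lists the CAs in the forest with their Config strings.
$CaConfig = 'ca01.corp.example.com\Corp-Issuing-CA'
$Template = 'WebServer'

# Subject and SAN come from this computer, so clients can connect by FQDN or short name.
$Short = $env:COMPUTERNAME
$Fqdn  = [System.Net.Dns]::GetHostEntry($Short).HostName
$Work  = Join-Path $env:ProgramData 'XProtectCert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf = Join-Path $Work 'request.inf'
$Req = Join-Path $Work 'request.req'
$Cer = Join-Path $Work 'issued.cer'

# Same properties the wizard asks for: CNG software KSP (KeySpec 0 = AT_NONE),
# 2048-bit RSA, CMC format, Server Authentication EKU (1.3.6.1.5.5.7.3.1),
# KeyUsage 0xA0 = digitalSignature | keyEncipherment, key kept in the machine store.
# Exportable is false here; set it to true only if you must move the key elsewhere.
@"
[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "XProtect $Short"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
KeySpec = 0
KeyUsage = 0xA0
MachineKeySet = true
Exportable = false
RequestType = CMC

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$Short&"
"@ | Set-Content -Path $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the .req file.
certreq -new $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# 2. Submit straight to the CA instead of pasting into the /certsrv form. The account
#    needs Enroll permission on the template. If the CA holds requests for approval,
#    certreq prints "Taken Under Submission" with a RequestId; after the CA
#    administrator issues it, fetch it with:
#    certreq -retrieve -config $CaConfig <RequestId> $Cer
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $Req $Cer
if (-not (Test-Path $Cer)) {
  Write-Warning 'No certificate returned yet (request pending?). Retrieve it later with certreq -retrieve, then run certreq -accept.'
  return
}

# 3. Pair the issued certificate with its private key in Cert:\LocalMachine\My.
certreq -accept $Cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# 4. Confirm what the Server Configurator will see: a certificate with a private key,
#    the expected names, and the Server Authentication EKU.
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
  Select-Object Subject,
                @{ n = 'SAN'; e = { $_.DnsNameList.Unicode -join ', ' } },
                @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } },
                NotAfter, Thumbprint |
  Format-List
```

Because the request is created with MachineKeySet = true, the private key is generated in the computer's store from the start, which is why certreq -accept lands the certificate in LocalMachine\My rather than the current user's store. The private key permission for the service account still has to be granted afterwards, exactly as in the manual procedure.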

Install the certificate manually

If the certificate is delivered to you, you can install it manually.

  1. Locate the certificate file on the computer that hosts the Management Server or Recording Server.

  2. Right-click the certificate and select Install Certificate.

  3. Accept the security warning if it appears.

    Select Local Machine as the store location and click Next. The certificate must go into the computer's store, not the current user's: the XProtect services run under a service account rather than under your user profile, and the Server Configurator only lists certificates from the local computer's store.

  4. Select Place all certificates in the following store, browse to the Personal store, and click Next.

  5. Finish the Install Certificate wizard.

  6. Go to the Microsoft Management Console (MMC) certificates snap-in.

  7. In the console, browse to the personal store where the certificate is installed. Right-click on the certificate and select All Tasks > Manage Private Keys.


  8. Verify that the account that is running the Milestone XProtect Management Server, Recording Server, or Mobile Server software is in the list of users with permission to use the certificate.

    Grant the account Read permission. Read is sufficient for the service to use the private key for TLS; Full Control is not needed and additionally lets the account delete the key or change its permissions.

    By default, XProtect software uses the NETWORK SERVICE account. In a domain environment, service accounts are commonly used to install and run XProtect services. You will need to discuss this with your Domain Administration team, and have the proper permissions added to the service accounts if it hasn't been configured properly already. Confirm this before proceeding.
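The private key permission from step 8, together with the checks the Server Configurator relies on, can be done and verified from PowerShell. This is an added example, not Milestone's own tooling or text. It assumes the certificate subject is CN=<this host's FQDN>, that the key was created with the wizard's CNG template (so it lives under Crypto\Keys; a legacy CAPI key under Crypto\RSA\MachineKeys is also handled), and that the service accounts can be discovered from services whose display name starts with "Milestone XProtect", with NETWORK SERVICE as the fallback.

```powershell
# Added example (not from the Milestone page): grant the XProtect service account(s)
# Read on the certificate's private key, which is what Manage Private Keys does by
# hand, and verify the certificate before enabling encryption. Run elevated.
# Assumptions: subject CN is this host's FQDN; Milestone service display names start
# with "Milestone XProtect"; NETWORK SERVICE is the fallback account.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$Cert = Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
  Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }

# Checks the Server Configurator depends on but does not explain.
if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
  throw 'Certificate lacks the Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
}
if (-not $Cert.Verify()) { throw 'Certificate does not chain to a trusted root on this host' }
if ($Cert.DnsNameList.Unicode -notcontains $Fqdn) { Write-Warning "SAN does not list $Fqdn" }

# Which accounts run the services? LocalSystem already has access to machine keys,
# so it is skipped. Anything else (NetworkService or a domain service account) needs Read.
$Accounts = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Milestone XProtect%'" |
  Select-Object -ExpandProperty StartName -Unique |
  Where-Object { $_ -and $_ -ne 'LocalSystem' }
if (-not $Accounts) { $Accounts = @('NT AUTHORITY\NETWORK SERVICE') }

# Locate the key file. CNG keys (the wizard's CNG template) live under Crypto\Keys,
# legacy CAPI keys under Crypto\RSA\MachineKeys.
$Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
if ($Rsa -is [System.Security.Cryptography.RSACng]) {
  $KeyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $Rsa.Key.UniqueName
} else {
  $KeyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $Rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not (Test-Path $KeyFile)) { throw "Private key file not found: $KeyFile" }

$Acl = Get-Acl -Path $KeyFile
foreach ($Account in $Accounts) {
  # Read is enough to use the key for TLS. Full Control would also allow deleting the
  # key or changing its permissions, which the service has no reason to do.
  $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
  $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $KeyFile -AclObject $Acl

# Show the resulting ACL so it can be compared with what Manage Private Keys displays.
(Get-Acl -Path $KeyFile).Access |
  Select-Object IdentityReference, FileSystemRights, AccessControlType |
  Format-Table -AutoSize
```

The ACL lives on the key file itself, which is why the Manage Private Keys dialog looks like a file permissions dialog. If the certificate was ever imported into the current user's store instead, the key is under the user's profile, no service account can reach it, and the Server Configurator will not list it.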

Enable server encryption for Management Servers and Recording Servers

Once the certificate is installed with the correct properties and permissions, do the following.

  1. On a computer with a Management Server or Recording Server installed, open the Server Configurator from:

    • The Windows Start menu

    or

    • The server manager, by right-clicking the server manager icon on the computer task bar

  2. In the Server Configurator, under Server certificate, turn on Encryption.

  3. Click Select certificate to open a list with unique subject names of certificates that have a private key and that are installed on the local computer in the Windows Certificate Store.

  4. Select a certificate to encrypt communication between the recording server, management server, failover server, and data collector server.

  5. Select Details to view Windows Certificate Store information about the selected certificate.

    The account running the Recording Server service must already have access to the certificate's private key. The certificate must also be trusted on all clients: either it chains to the enterprise root CA that Group Policy distributes, or the issuing CA's certificate must be placed in the clients' Trusted Root Certification Authorities store.

  6. Click Apply.

When you apply certificates, the recording server will be stopped and restarted. Stopping the Recording Server service means that you cannot record and view live video while you are verifying or changing the recording server's basic configuration.
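After encryption is applied, the two things every client will check are that the server's certificate chains to a root the client trusts and that it names the host the client connects to. The following function, run on a client workstation, performs both checks and reports the result. It is an added example, not Milestone's own tooling or text; the server name rec01.corp.example.com and port 7563 in the usage call are assumptions to replace with your own Management Server or Recording Server and the port on which its encrypted endpoint listens.

```powershell
# Added example (not from the Milestone page): from a client workstation, open a TLS
# connection to the server and report whether the presented certificate chains to a
# root this client trusts and whether it names the host we connected to.
# Assumptions in the usage call at the bottom: server rec01.corp.example.com, port 7563.
function Test-XProtectServerTls {
  param(
    [Parameter(Mandatory)][string]$ComputerName,
    [Parameter(Mandatory)][int]$Port
  )
  $Tcp = New-Object System.Net.Sockets.TcpClient
  $Tcp.Connect($ComputerName, $Port)
  # Accept everything in the callback so the certificate can be inspected and the
  # specific problem reported, instead of the handshake throwing an exception.
  $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false,
           [System.Net.Security.RemoteCertificateValidationCallback] { $true })
  try {
    $Ssl.AuthenticateAsClient($ComputerName)
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Ssl.RemoteCertificate

    # Chain check against this client's own trust store, the same check an XProtect
    # client performs. Revocation is checked online where the CA publishes a CRL.
    $Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ChainOk = $Chain.Build($Cert)
    $ChainStatus = ($Chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    # Host name check against the Subject Alternative Name DNS entries (a wildcard
    # covers a single label only), falling back to the CN for legacy certificates.
    $Names = @($Cert.DnsNameList.Unicode)
    if (-not $Names) { $Names = @($Cert.GetNameInfo('DnsName', $false)) }
    $NameOk = $false
    foreach ($Name in $Names) {
      if ($Name -eq $ComputerName) { $NameOk = $true; break }
      if ($Name.StartsWith('*.') -and
          $ComputerName -like $Name -and
          $ComputerName.Split('.').Count -eq $Name.Split('.').Count) { $NameOk = $true; break }
    }

    [pscustomobject]@{
      Server      = "${ComputerName}:$Port"
      Protocol    = $Ssl.SslProtocol
      Subject     = $Cert.Subject
      Issuer      = $Cert.Issuer
      NotAfter    = $Cert.NotAfter
      SanNames    = $Names -join ', '
      ChainValid  = $ChainOk
      ChainStatus = $ChainStatus
      NameMatches = $NameOk
      Trusted     = ($ChainOk -and $NameOk)
    }
  } finally {
    $Ssl.Dispose()
    $Tcp.Dispose()
  }
}

# Usage (assumed server and port; replace with your own).
Test-XProtectServerTls -ComputerName 'rec01.corp.example.com' -Port 7563
```

A result with ChainValid false and a ChainStatus mentioning an untrusted root means the client is missing the CA certificate, which Group Policy should have delivered; a result with NameMatches false means clients are connecting by a name the certificate does not carry, so the request needs to be redone with that name in the Subject Alternative Name.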