Managing Certificates
Trusted certificates are used by the device to authenticate other servers and clients to which it needs to
connect, and to secure those connections. Avigilon provides a self-signed Web Certificate to secure the
connection to the ACC ES Admin Web UI and to the WebEndpoint service, and a set of system-level signed
certificates from well-known trusted CAs to ensure secure connections to any needed servers. Optionally,
you can provide your own certificates and CAs.
The level of security provided by the certificates included with the device should be sufficient for any
organization that does not deploy a Public Key Infrastructure (PKI) on its internal servers.
The certificate management feature on the appliance controls only the appliance web certificate used by
the ACC ES Admin Web UI and the ACC WebEndpoint product. Within the ACC server the certificate
authorities configured by this feature are only used to validate secure email servers used by ACC Email and
Central Station Monitoring features. ACC Server to ACC Server and ACC Server to ACC Client connections
are not controlled or validated using the appliance certificate management feature.
For example, if your organization uses a public email server such as Google Mail, when email notifications
are triggered, ACC accesses the Google Mail server and receives a certificate identifying the Google Mail
server. The ACC software verifies the certificate by confirming that the CA that signed the Google Mail
certificate is on the list of well-known trusted CAs, and the connection is secured.
Note:
The signed certificates shipped with the device are the same as those shipped with Mozilla's
browser, and are publicly available from
. The certificates allow SSL-based
applications to check for the authenticity of SSL connections. Avigilon can neither confirm nor deny
whether the certificate authorities whose certificates are included with this appliance have in any
way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them
belongs to the local system administrator.
Organizations that deploy their own PKI can use the Certificates pane of the ACC ES Admin Web UI to
manage certificates on the device.
For example, you can:
• Replace the default self-signed Web Certificate with your own organization's certificate.
• Add CAs, such as internal CAs used within your organization, to the device.
• Disable (and enable) any of the system-level CA certificates.
Replacing the Web Certificate
Manage the device's Web Certificate from the Web Certificate tab on the Certificates pane. The
ACC ES Admin Web UI and the WebEndpoint service use this certificate to authenticate themselves to
devices that connect to them. Only one Web Certificate can be active at any time.
You can replace the default Web Certificate with a custom certificate.
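The trust difference between a self-signed Web Certificate and one issued by an organization's CA, as an added example that is not part of the Avigilon documentation. It uses the openssl command-line tool with throwaway keys; the names "Example Internal CA" and "appliance.example.internal" and all file names are constructed assumptions.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names only; nothing here comes
# from a real appliance. Requires the openssl command-line tool.

# Build a scratch PKI: an internal CA, a self-signed web certificate (like a
# factory default) and a CA-signed replacement for the same host name.
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    host="/CN=appliance.example.internal"   # hypothetical host name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$host" \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "$host" \
        -keyout "$dir/web.key" -out "$dir/web.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/web.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/web.pem" 2>/dev/null || return 1
    echo "$dir"
}

# True when the certificate's issuer and subject are the same name.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True only when <cert> chains to a CA in <bundle>: the same decision a client
# makes when it checks a server certificate against its trusted CA list.
chains_to() {   # usage: chains_to <bundle.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report both properties for one certificate file.
report() {      # usage: report <bundle.pem> <cert.pem>
    if is_self_signed "$2"; then kind="self-signed"; else kind="CA-issued"; fi
    if chains_to "$1" "$2"; then trust="trusted"; else trust="NOT trusted"; fi
    echo "$(basename "$2"): $kind, $trust by $(basename "$1")"
}

demo() {
    d=$(make_demo_pki) || { echo "openssl failed" >&2; return 1; }
    report "$d/ca.pem" "$d/self.pem"
    report "$d/ca.pem" "$d/web.pem"
    rm -rf "$d"
}
demo
```

Running the same two checks against a certificate exported from a device, with your organization's CA bundle in place of ca.pem, shows whether clients that trust only that CA will accept it.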