AXIS Q35 Series Dome Camera
The device interface
Certificates are used to authenticate devices on a network. The device supports two types of certificates:
• Client/server certificates
A client/server certificate validates the device’s identity, and can be self-signed or issued by a Certificate Authority (CA). A self-signed certificate offers limited protection and can be used before a CA-issued certificate has been obtained.
• CA certificates
You can use a CA certificate to authenticate a peer certificate, for example to validate the identity of an authentication server when the device connects to a network protected by IEEE 802.1X. The device has several pre-installed CA certificates.
These formats are supported:
• Certificate formats: .PEM, .CER, and .PFX
• Private key formats: PKCS#1 and PKCS#12
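A pre-upload check for the formats listed above, as an added example that is not part of the original manual or any Axis tooling. It classifies a file's bytes by PEM label or by its first DER element and reports whether the result matches the supported list; the function names and sample byte strings are constructed for illustration, and the DER checks are heuristics.

```python
import re

# PEM label -> (description, matches the supported-formats list above).
PEM_KINDS = {
    "CERTIFICATE": ("certificate, PEM", True),
    "RSA PRIVATE KEY": ("private key, PKCS#1", True),
    "PRIVATE KEY": ("private key, PKCS#8", False),
    "ENCRYPTED PRIVATE KEY": ("private key, encrypted PKCS#8", False),
    "EC PRIVATE KEY": ("private key, SEC1", False),
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed samples: structurally shaped placeholders, not real keys or certificates.
SAMPLE_PKCS1 = b"-----BEGIN RSA PRIVATE KEY-----\nMAA=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PKCS8 = b"-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n"
SAMPLE_PFX = bytes([0x30, 0x82, 0x01, 0x00, 0x02, 0x01, 0x03]) + bytes(0x100 - 3)
SAMPLE_CER = bytes([0x30, 0x82, 0x02, 0x00, 0x30, 0x82, 0x01, 0x00]) + bytes(0x200 - 4)


def first_der_child(data):
    """Return (tag, value) of the first element inside the outer DER SEQUENCE, or None."""
    if len(data) < 4 or data[0] != 0x30:
        return None
    pos = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)  # skip long-form length bytes
    if pos + 2 > len(data):
        return None
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:  # long-form child (for example a certificate body)
        return tag, b""
    return tag, data[pos + 2:pos + 2 + length]


def classify(blob):
    """Return [(description, matches_list), ...] for the bytes of one file."""
    labels = [m.decode() for m in PEM_RE.findall(blob)]
    if labels:
        return [PEM_KINDS.get(l, ("unrecognised PEM block: " + l, False)) for l in labels]
    child = first_der_child(blob)
    if child is None:
        return [("neither PEM nor DER", False)]
    tag, value = child
    if tag == 0x02 and value == b"\x03":  # PFX ::= SEQUENCE { version INTEGER (3), ... }
        return [("PKCS#12 container (.PFX)", True)]
    if tag == 0x30:  # heuristic: an X.509 certificate starts with a nested SEQUENCE
        return [("certificate, DER (.CER)", True)]
    return [("unclassified DER (neither certificate nor PKCS#12)", False)]
```

Call `classify(open(path, "rb").read())` on each file before uploading it. A `False` flag on a key file usually means the key was exported as PKCS#8 and needs converting to PKCS#1 or bundling into a PKCS#12 file.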
Important
If you reset the device to factory default, all certificates are deleted. Any pre-installed CA certificates are reinstalled.
Filter the certificates in the list.
Add certificate: Click to add a certificate.
The context menu contains:
• Certificate information: View an installed certificate’s properties.
• Delete certificate: Delete the certificate.
• Create certificate signing request: Create a certificate signing request to send to a registration authority to apply for a digital identity certificate.
IEEE 802.1x
IEEE 802.1x is an IEEE standard for port-based network admission control providing secure authentication of wired and wireless
network devices. IEEE 802.1x is based on EAP (Extensible Authentication Protocol).
To access a network protected by IEEE 802.1x, network devices must authenticate themselves. The authentication is performed by
an authentication server, typically a RADIUS server (for example FreeRADIUS and Microsoft Internet Authentication Server).
Certificates
When configured without a CA certificate, server certificate validation is disabled and the device tries to authenticate itself
regardless of what network it is connected to.
When using a certificate, in Axis' implementation, the device and the authentication server authenticate themselves with digital
certificates using EAP-TLS (Extensible Authentication Protocol - Transport Layer Security).
To allow the device to access a network protected through certificates, a signed client certificate must be installed on the device.
Client certificate: Select a client certificate to use IEEE 802.1x. The authentication server uses the certificate to validate the client’s identity.
CA certificate: Select a CA certificate to validate the authentication server’s identity. When no certificate is selected, the device tries to authenticate itself regardless of what network it is connected to.
EAP identity: Enter the user identity associated with the client certificate.
EAPOL version: Select the EAPOL version that is used in the network switch.
Use IEEE 802.1x: Select to use the IEEE 802.1x protocol.
Prevent brute-force attacks