Certificates

To meet organization security requirements, you can install a device certificate – signed by the organization's certificate authority (CA) – to each Q-SYS Core and peripheral. CA-signed device certificates allow for trusted connections between Cores, peripherals, and PCs accessing those devices on the network.

Note: Certificates must be PEM-encoded (ASCII, base64).

Prerequisites

Install Certificate

When you click on the "Install Certificate" button, you are presented with two options to install a certificate:

  1. Copy the Certificate Code: This option allows you to paste the certificate text directly into the field provided.
  2. Upload Trusted Certificate: This option allows you to upload the device's own certificate or trusted certificate.

Removing a Certificate

Only one certificate can be installed at a time. If you need to remove the current certificate and install a new one:

  1. Click the Device Certificate tab.
  2. Click Remove Certificate.
  3. Click Remove and Reboot to confirm.

Installed Certificate

Any installed certificate provides the following information:

  • Issued To: This field specifies the Q-SYS device to which the certificate is being issued. It includes details like the device's Common Name (CN).
  • Issued By: This field indicates the common name (CN) of the device from which the certificate was originally issued.
  • Fingerprints: These provide a unique identifier for the certificate in the form of a hash value, ensuring that the certificate is unchanged and authentic.
  • Additional Info: This indicates the Certificate Authority (CA) that has issued the certificate. The CA is responsible for verifying the identity of the entity for which the certificate was issued.
  • Validity Period: The time frame during which the certificate is valid and trusted. It includes a start and an expiration date.
  • X509v3 Extensions: These are additional fields within the certificate that provide extra information, such as key identifiers or usage constraints.
  • Public Keys (PEM): The public key is a part of the encryption process and is used to encrypt data. It is paired with a private key (not shown on the certificate) that decrypts the data.
  • Device Certificate (PEM): This refers to the actual document certifying the authenticity of the device within the network, containing the above details and adhering to the X.509 standard used for managing Public Key

To begin, click the Generate CSR tab. Follow one of these procedures, depending on your and the CA's requirements:

Generate a CSR and install a device certificate on a single Q-SYS peripheral.

Follow this method when you need to install a device certificate on a single Q-SYS peripheral and the CA does not have any specific requirements for the request.

Complete the CSR Form

General

  • Country (C): From the menu, select the country in which this peripheral is located.
  • Common Name (CN): This is prepopulated with the name of the peripheral as specified in Q-SYS Configurator. Unless you intend to change the name of the peripheral after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
  • Optionally specify the peripheral's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
  • Optionally specify a contact Email address.

IP Addresses

  • Specify the IP address for each of the peripheral's LAN interfaces. This is prepopulated with the detected information and normally should not change.

    Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.

  • Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.

RSA Key Size

Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.

Note: Q-SYS QIO Series peripherals support RSA-2048 key size and SHA-1 or SHA-256 hash only.

Additional

  • In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a 3rd-party. Some CAs may require this.
  • Leave CA:TRUE unselected.

Generate the CSR

  1. Click Generate CSR.
  2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
  3. Send the CSR file to the CA.

Sign the CSR and Generate the Certificate

The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.

Install the Certificate

  1. Click the Device Certificate tab.
  2. Click Install Certificate.
  3. Paste the certificate text or click Upload Certificate to select a text file to upload.
  4. Click Install.

Note: Only one certificate can be installed at a time.

Reboot

From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.

After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.

CAUTION: The installed certificate is destroyed during a peripheral factory reset.

Generate a CSR for one Q-SYS peripheral and then use it as a template to generate CSRs for additional peripherals.

Follow this method when you need to install a device certificate on multiple Q-SYS peripherals and the CA does not have any specific requirements for the request.

Complete the CSR Form

General

  • Country (C): From the menu, select the country in which this peripheral is located.
  • Common Name (CN): This is prepopulated with the name of the peripheral as specified in Q-SYS Configurator. Unless you intend to change the name of the peripheral after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
  • Optionally specify the peripheral's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
  • Optionally specify a contact Email address.

IP Addresses

  • Specify the IP address for each of the peripheral's LAN interfaces. This is prepopulated with the detected information and normally should not change.

    Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.

  • Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.

RSA Key Size

Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.

Note: Q-SYS QIO Series peripherals support RSA-2048 key size and SHA-1 or SHA-256 hash only.

Additional

  • In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a 3rd-party. Some CAs may require this.
  • Leave CA:TRUE unselected.

Generate the CSR for the First Peripheral

  1. Click Generate CSR.
  2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
  3. Send the CSR file to the CA.

Upload the CSR as a Template for the Next Peripheral

On another Q-SYS peripheral:

  1. From the Certificates > Generate CSR tab, click Upload CSR as Template.
  2. Select and open the CSR text file you created previously.

Update Peripheral-specific Details

The CSR form fields pre-populate with the required information.

Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS peripheral. If there are any changes required, modify those fields now.

Generate the CSR

  1. Click Generate CSR.
  2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
  3. Send the CSR file to the CA.

Sign the CSR and Generate the Certificate

The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.

Install the Certificate

  1. Click the Device Certificate tab.
  2. Click Install Certificate.
  3. Paste the certificate text or click Upload Certificate to select a text file to upload.
  4. Click Install.

Note: Only one certificate can be installed at a time.

Reboot

From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.

After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.

CAUTION: The installed certificate is destroyed during a peripheral factory reset.

If required by the CA, upload a CSR template as a starting point for generating the CSR for one or more Q-SYS peripherals.

Follow this method to request a CSR from the CA that includes additional information for the peripheral that may not be visible on the Generate CSR form.

Generate CSR Template

The CA generates a certificate that becomes a template for your request. The CA sends it to you.

Upload the CSR as a Template

  1. From the Certificates > Generate CSR tab, click Upload CSR as Template.
  2. Select and open the CSR text file from the CA.

Update Peripheral-specific Details

The CSR form fields pre-populate with the required information.

Note: The form will not show any additional, CA-required information that does not conform to the form structure. This information is hidden and will be included when you generate the CSR.

Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS peripheral. If there are any changes required, modify those fields now.

Generate the CSR

  1. Click Generate CSR.
  2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
  3. Send the CSR file to the CA.

Sign the CSR and Generate the Certificate

The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.

Install the Certificate

  1. Click the Device Certificate tab.
  2. Click Install Certificate.
  3. Paste the certificate text or click Upload Certificate to select a text file to upload.
  4. Click Install.

Note: Only one certificate can be installed at a time.

Reboot

From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.

After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.

CAUTION: The installed certificate is destroyed during a peripheral factory reset.