Certificates
To meet organization security requirements, you can install a device certificate – signed by the organization's certificate authority (CA) – to each Q-SYS Core and peripheral. CA-signed device certificates allow for trusted connections between Cores, peripherals, and PCs accessing those devices on the network.
Note: Certificates must be PEM-encoded (ASCII, base64).
Prerequisites
- Before proceeding, obtain the contact information for your organization's CA. This is usually someone in the IT department responsible for network security requirements.
- Use Q-SYS Peripheral Manager to install device certificates on Q-SYS peripheral devices. Peripheral Manager is accessible from the Q-SYS Configurator > Device Security button for each peripheral.
Installing a Certificate
To begin, click the Generate CSR tab. Follow one of these procedures, depending on your requirements and those of the CA:
Generate a CSR and install a device certificate on a single Core.
Follow this method when you need to install a device certificate on a single Q-SYS Core processor and the CA does not have any specific requirements for the request.
Complete the CSR Form
General
- Country (C): From the menu, select the country in which this Core is located.
- Common Name (CN): This is prepopulated with the name of the Core as specified in Core Manager > Network Settings. Unless you intend to change the name of the Core after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
- Optionally specify the Core's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
- Optionally specify a contact Email address.
IP Addresses
- Specify the IP address for each of the Core's LAN interfaces. This is prepopulated with the detected information and normally should not change.
Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.
- Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.
RSA Key Size
Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.
Additional
- In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a third party. Some CAs may require this.
- Leave CA:TRUE unselected.
Generate the CSR
- Click Generate CSR.
- Copy the CSR content to a .txt file named Core-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
Sign the CSR and Generate the Certificate
The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.
Install the Certificate
- Click the Device Certificate tab.
- Click Install Certificate.
- Paste the certificate text or click Upload Certificate to select a text file to upload.
- Click Install.
Note: Only one certificate can be installed at a time.
Reboot
From the Utilities page, reboot the Q-SYS Core processor for the certificate to take effect.
After the Core reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the Core's IP address is reestablished using the new certificate.
CAUTION: The installed certificate is destroyed during a Core factory reset.
Generate a CSR for one Core and then use it as a template to generate CSRs for additional Cores.
Follow this method when you need to install a device certificate on multiple Q-SYS Core processors and the CA does not have any specific requirements for the request.
Complete the CSR Form
General
- Country (C): From the menu, select the country in which this Core is located.
- Common Name (CN): This is prepopulated with the name of the Core as specified in Core Manager > Network Settings. Unless you intend to change the name of the Core after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
- Optionally specify the Core's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
- Optionally specify a contact Email address.
IP Addresses
- Specify the IP address for each of the Core's LAN interfaces. This is prepopulated with the detected information and normally should not change.
Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.
- Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.
RSA Key Size
Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.
Additional
- In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a third party. Some CAs may require this.
- Leave CA:TRUE unselected.
Generate the CSR for the First Core
- Click Generate CSR.
- Copy the CSR content to a .txt file named Core-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
Upload the CSR as a Template for the Next Core
On another Q-SYS Core processor:
- From the Certificates > Generate CSR tab, click Upload CSR as Template.
- Select and open the CSR text file you created previously.
Update Core-specific Details
The CSR form fields pre-populate with the required information.
Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS Core processor. If there are any changes required, modify those fields now.
Generate the CSR
- Click Generate CSR.
- Copy the CSR content to a .txt file named Core-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
Sign the CSR and Generate the Certificate
The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.
Install the Certificate
- Click the Device Certificate tab.
- Click Install Certificate.
- Paste the certificate text or click Upload Certificate to select a text file to upload.
- Click Install.
Note: Only one certificate can be installed at a time.
Reboot
From the Utilities page, reboot the Q-SYS Core processor for the certificate to take effect.
After the Core reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the Core's IP address is reestablished using the new certificate.
CAUTION: The installed certificate is destroyed during a Core factory reset.
If required by the CA, upload a CSR template as a starting point for generating the CSR for one or more Cores.
Follow this method to request a CSR from the CA that includes additional information for the Core that may not be visible on the Generate CSR form.
Generate CSR Template
The CA generates a CSR that becomes a template for your request and sends it to you.
Upload the CSR as a Template
- From the Certificates > Generate CSR tab, click Upload CSR as Template.
- Select and open the CSR text file from the CA.
Update Core-specific Details
The CSR form fields pre-populate with the required information.
Note: The form will not show any additional, CA-required information that does not conform to the form structure. This information is hidden and will be included when you generate the CSR.
Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS Core processor. If there are any changes required, modify those fields now.
Generate the CSR
- Click Generate CSR.
- Copy the CSR content to a .txt file named Core-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
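Before a CSR saved by any of the three methods above is sent to the CA, it can be checked offline with OpenSSL for the mismatches the form notes describe: a Common Name missing from DNS Names, a wrong IP address, an unexpected key size, or CA:TRUE set. This is an added example, not part of the Q-SYS documentation; `check_csr` and `make_sample_csr` are hypothetical helper names, the Core names and addresses are constructed, and OpenSSL 1.1.1 or later is assumed on the PC.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a CSR text file before sending it to the CA.
# Core names, IP addresses and file names below are constructed sample values.

# check_csr FILE EXPECTED_CN EXPECTED_IP -> returns 0 if the CSR is consistent
check_csr() {
  local file=$1 cn=$2 ip=$3 text subj san bits rc=0
  text=$(openssl req -in "$file" -noout -text) ||
    { echo "not a readable PEM-encoded CSR"; return 2; }
  subj=$(openssl req -in "$file" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  # One SAN entry per line, e.g. "DNS:core-room-1" / "IP Address:192.0.2.10"
  san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed 's/^ *//')
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')

  printf '%s\n' "$subj" | tr ',' '\n' | grep -Fxq "CN=$cn" ||
    { echo "Common Name is not $cn"; rc=1; }
  printf '%s\n' "$san" | grep -Fxq "DNS:$cn" ||
    { echo "DNS Names does not list $cn"; rc=1; }
  printf '%s\n' "$san" | grep -Fxq "IP Address:$ip" ||
    { echo "IP Addresses does not list $ip"; rc=1; }
  case $bits in
    2048|3072|4096) ;;
    *) echo "unexpected RSA key size: $bits"; rc=1 ;;
  esac
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then echo "CA:TRUE is set"; rc=1; fi
  return $rc
}

# make_sample_csr OUT CN DNS_NAME IP: build a throwaway CSR to test against
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/C=US/CN=$2" -addext "subjectAltName=DNS:$3,IP:$4" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/good.txt" core-room-1 core-room-1 192.0.2.10
# Template reused on a second Core: CN changed, DNS Names left at the old name
make_sample_csr "$tmp/stale.txt" core-room-2 core-room-1 192.0.2.10
check_csr "$tmp/good.txt"  core-room-1 192.0.2.10 && echo "good.txt: OK"
check_csr "$tmp/stale.txt" core-room-2 192.0.2.10 || echo "stale.txt: fix before sending"
```

For a real request, call `check_csr Core-Name-CSR.txt` with the Core's name and one of its static LAN addresses.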
Sign the CSR and Generate the Certificate
The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.
Install the Certificate
- Click the Device Certificate tab.
- Click Install Certificate.
- Paste the certificate text or click Upload Certificate to select a text file to upload.
- Click Install.
Note: Only one certificate can be installed at a time.
Reboot
From the Utilities page, reboot the Q-SYS Core processor for the certificate to take effect.
After the Core reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the Core's IP address is reestablished using the new certificate.
CAUTION: The installed certificate is destroyed during a Core factory reset.
Removing a Certificate
Only one certificate can be installed at a time. If you need to remove the current certificate and install a new one:
- Click the Device Certificate tab.
- Click Remove Certificate.
- Click Remove and Reboot to confirm.