Certificates

Follow this method when you need to install a device certificate on a single Q-SYS peripheral and the CA does not have any specific requirements for the request.

Complete the CSR Form

General

• Country (C): From the menu, select the country in which this peripheral is located.
• Common Name (CN): This is prepopulated with the name of the peripheral as specified in Q-SYS Configurator. Unless you intend to change the name of the peripheral after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
• Optionally specify the peripheral's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
• Optionally specify a contact Email address.

IP Addresses

• Specify the IP address for each of the peripheral's LAN interfaces. This is prepopulated with the detected information and normally should not change.

  Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.

• Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.

RSA Key Size

Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.

Additional

• In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a 3rd-party. Some CAs may require this.
• Leave CA:TRUE unselected.

Generate the CSR

1. Click Generate CSR.
2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
3. Send the CSR file to the CA.

Sign the CSR and Generate the Certificate

The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.

Install the Certificate

1. Click the Device Certificate tab.
2. Click Install Certificate.
3. Paste the certificate text or click Upload Certificate to select a text file to upload.
4. Click Install.

Note: Only one certificate can be installed at a time.

Reboot

From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.

After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.

CAUTION: The installed certificate is destroyed during a peripheral factory reset.

Follow this method when you need to install a device certificate on multiple Q-SYS peripherals and the CA does not have any specific requirements for the request.

Complete the CSR Form

General

• Country (C): From the menu, select the country in which this peripheral is located.
• Common Name (CN): This is prepopulated with the name of the peripheral as specified in Q-SYS Configurator. Unless you intend to change the name of the peripheral after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
• Optionally specify the peripheral's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
• Optionally specify a contact Email address.

IP Addresses

• Specify the IP address for each of the peripheral's LAN interfaces. This is prepopulated with the detected information and normally should not change.

  Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.

• Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.

RSA Key Size

Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.

Additional

• In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a 3rd-party. Some CAs may require this.
• Leave CA:TRUE unselected.

Generate the CSR for the First Peripheral

1. Click Generate CSR.
2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
3. Send the CSR file to the CA.

Upload the CSR as a Template for the Next Peripheral

On another Q-SYS peripheral:

1. From the Certificates > Generate CSR tab, click Upload CSR as Template.
2. Select and open the CSR text file you created previously.

Update Peripheral-specific Details

The CSR form fields pre-populate with the required information.

Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS peripheral. If there are any changes required, modify those fields now.

Generate the CSR

1. Click Generate CSR.
2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
3. Send the CSR file to the CA.

Sign the CSR and Generate the Certificate

The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.

Install the Certificate

1. Click the Device Certificate tab.
2. Click Install Certificate.
3. Paste the certificate text or click Upload Certificate to select a text file to upload.
4. Click Install.

Note: Only one certificate can be installed at a time.

Reboot

From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.

After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.

CAUTION: The installed certificate is destroyed during a peripheral factory reset.

Follow this method to request a CSR from the CA that includes additional information for the peripheral that may not be visible on the Generate CSR form.

Generate CSR Template

The CA generates a certificate that becomes a template for your request. The CA sends it to you.

Upload the CSR as a Template

1. From the Certificates > Generate CSR tab, click Upload CSR as Template.
2. Select and open the CSR text file from the CA.

Update Peripheral-specific Details

The CSR form fields pre-populate with the required information.

Note: The form will not show any additional, CA-required information that does not conform to the form structure. This information is hidden and will be included when you generate the CSR.

Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS peripheral. If there are any changes required, modify those fields now.

Generate the CSR

1. Click Generate CSR.
2. Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
3. Send the CSR file to the CA.

Sign the CSR and Generate the Certificate

The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.

Install the Certificate

1. Click the Device Certificate tab.
2. Click Install Certificate.
3. Paste the certificate text or click Upload Certificate to select a text file to upload.
4. Click Install.

Note: Only one certificate can be installed at a time.

Reboot

From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.

After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.

CAUTION: The installed certificate is destroyed during a peripheral factory reset.