Certificates
To meet organization security requirements, you can install a device certificate – signed by the organization's certificate authority (CA) – to each Q-SYS Core and peripheral. CA-signed device certificates allow for trusted connections between Cores, peripherals, and PCs accessing those devices on the network.
Note: Certificates must be PEM-encoded (ASCII, base64).
Prerequisites
- Before proceeding, obtain the contact information for your organization's CA. This is usually someone in the IT department responsible for network security requirements.
- Before installing a certificate on an NV-32-H, ensure that the peripheral has already been added to a Q-SYS design deployed to the Core.
- Use Q-SYS Core Manager to install device certificates on Q-SYS Core processors.
Installing a Certificate
To begin, click the Generate CSR tab. Follow one of these procedures, depending on your requirements and those of the CA:
Generate a CSR and install a device certificate on a single Q-SYS peripheral.
Follow this method when you need to install a device certificate on a single Q-SYS peripheral and the CA does not have any specific requirements for the request.
Complete the CSR Form
General
- Country (C): From the menu, select the country in which this peripheral is located.
- Common Name (CN): This is prepopulated with the name of the peripheral as specified in Q-SYS Configurator. Unless you intend to change the name of the peripheral after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
- Optionally specify the peripheral's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
- Optionally specify a contact Email address.
IP Addresses
- Specify the IP address for each of the peripheral's LAN interfaces. This is prepopulated with the detected information and normally should not change.
Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.
- Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.
RSA Key Size
Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.
Note: Q-SYS QIO Series peripherals support RSA-2048 key size and SHA-1 or SHA-256 hash only.
Additional
- In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a third party. Some CAs may require this.
- Leave CA:TRUE unselected.
Generate the CSR
- Click Generate CSR.
- Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
Sign the CSR and Generate the Certificate
The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.
Install the Certificate
- Click the Device Certificate tab.
- Click Install Certificate.
- Paste the certificate text or click Upload Certificate to select a text file to upload.
- Click Install.
Note: Only one certificate can be installed at a time.
Reboot
From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.
After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.
CAUTION: The installed certificate is destroyed during a peripheral factory reset.
Generate a CSR for one Q-SYS peripheral and then use it as a template to generate CSRs for additional peripherals.
Follow this method when you need to install a device certificate on multiple Q-SYS peripherals and the CA does not have any specific requirements for the request.
Complete the CSR Form
General
- Country (C): From the menu, select the country in which this peripheral is located.
- Common Name (CN): This is prepopulated with the name of the peripheral as specified in Q-SYS Configurator. Unless you intend to change the name of the peripheral after the certificate is generated, leave this as-is. Note that if you change the Common Name from the default, you must also change it in the DNS Names field.
- Optionally specify the peripheral's State or Province (ST), Locality (L), Organization (O), and Organizational Unit (OU). (Some of these fields might be prepopulated based on the detected location.)
- Optionally specify a contact Email address.
IP Addresses
- Specify the IP address for each of the peripheral's LAN interfaces. This is prepopulated with the detected information and normally should not change.
Note: These should be static IP addresses, as DHCP addresses are subject to change. If an address changes, the certificate will be invalid.
- Leave the DNS Names section as-is unless you have modified the Common Name (CN), in which case you must change it to the modified name.
RSA Key Size
Select a key size for the certificate: 2048, 3072, or 4096. Your CA can provide guidance for this based on organization security requirements.
Note: Q-SYS QIO Series peripherals support RSA-2048 key size and SHA-1 or SHA-256 hash only.
Additional
- In the Challenge Password field, optionally create a challenge password for the request, which can prevent interception of the CSR by a third party. Some CAs may require this.
- Leave CA:TRUE unselected.
Generate the CSR for the First Peripheral
- Click Generate CSR.
- Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
Upload the CSR as a Template for the Next Peripheral
On another Q-SYS peripheral:
- From the Certificates > Generate CSR tab, click Upload CSR as Template.
- Select and open the CSR text file you created previously.
Update Peripheral-specific Details
The CSR form fields pre-populate with the required information.
Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS peripheral. If there are any changes required, modify those fields now.
Generate the CSR
- Click Generate CSR.
- Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
Sign the CSR and Generate the Certificate
The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.
Install the Certificate
- Click the Device Certificate tab.
- Click Install Certificate.
- Paste the certificate text or click Upload Certificate to select a text file to upload.
- Click Install.
Note: Only one certificate can be installed at a time.
Reboot
From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.
After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.
CAUTION: The installed certificate is destroyed during a peripheral factory reset.
If required by the CA, upload a CSR template as a starting point for generating the CSR for one or more Q-SYS peripherals.
Follow this method to request a CSR from the CA that includes additional information for the peripheral that may not be visible on the Generate CSR form.
Generate CSR Template
The CA generates a CSR that becomes a template for your request and sends it to you.
Upload the CSR as a Template
- From the Certificates > Generate CSR tab, click Upload CSR as Template.
- Select and open the CSR text file from the CA.
Update Peripheral-specific Details
The CSR form fields pre-populate with the required information.
Note: The form will not show any additional, CA-required information that does not conform to the form structure. This information is hidden and will be included when you generate the CSR.
Verify that the Common Name (CN), IP Addresses, and DNS Names are all correct for this Q-SYS peripheral. If there are any changes required, modify those fields now.
Generate the CSR
- Click Generate CSR.
- Copy the CSR content to a .txt file named Peripheral-Name-CSR.txt and save the text file to an accessible location.
- Send the CSR file to the CA.
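The form rules in the procedures above (Common Name repeated under DNS Names, CA:TRUE left unselected, supported key sizes) and the template steps' instruction to verify peripheral-specific details can be checked on the saved CSR text before it goes to the CA. This is an added example, not part of the Q-SYS documentation; it assumes the OpenSSL 1.1.1 or later command-line tool on the administrator's PC, and the device names, address and file names are constructed.

```shell
#!/bin/sh
# Added example: checks to run on a CSR before sending it to the CA.
# Device names, the 192.0.2.10 address and file names are constructed samples.

# make_sample_csr OUT CN DNS [TRUE|FALSE]: build a constructed CSR for the demo.
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/C=US/CN=$2" -addext "subjectAltName=DNS:$3,IP:192.0.2.10" \
    -addext "basicConstraints=CA:${4:-FALSE}" -out "$1" 2>/dev/null
}

# check_csr FILE [BITS]: print one line per finding; return 0 when clean.
check_csr() {
  csr=$1; need=${2:-}; rc=0
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
    { echo "not a PEM-encoded CSR"; return 2; }
  # The self-signature shows the text was not altered or truncated when copied.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "self-signature does not verify"; rc=1; }
  cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p')
  # A changed Common Name must also be changed under DNS Names.
  printf '%s\n' "$text" | grep -o 'DNS:[^,]*' | grep -qFx "DNS:$cn" ||
    { echo "CN '$cn' is not listed under DNS Names"; rc=1; }
  printf '%s\n' "$text" | grep -q 'IP Address:' ||
    { echo "no IP address in the request"; rc=1; }
  # CA:TRUE is meant to stay unselected for a device certificate.
  printf '%s\n' "$text" | grep -q 'CA:TRUE' && { echo "CA:TRUE is set"; rc=1; }
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  case "$bits" in
    2048|3072|4096) ;;
    *) echo "unexpected key size: ${bits:-unknown}"; rc=1 ;;
  esac
  # Pass BITS=2048 for QIO Series peripherals, which support RSA-2048 only.
  [ -n "$need" ] && [ "$bits" != "$need" ] &&
    { echo "key is $bits bits, expected $need"; rc=1; }
  return $rc
}

# Demo: a renamed peripheral whose DNS Names entry was not updated.
demo=$(mktemp -d)
make_sample_csr "$demo/NV32-Atrium-CSR.txt" nv32-atrium nv32-lobby
check_csr "$demo/NV32-Atrium-CSR.txt" 2048 || echo "fix the form and regenerate"
rm -rf "$demo"
```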
Sign the CSR and Generate the Certificate
The CA generates a signed certificate in a similar format and sends it back to you. This could be in the body of an email or a simple .txt file.
Install the Certificate
- Click the Device Certificate tab.
- Click Install Certificate.
- Paste the certificate text or click Upload Certificate to select a text file to upload.
- Click Install.
Note: Only one certificate can be installed at a time.
Reboot
From Q-SYS Configurator, reboot the Q-SYS peripheral for the certificate to take effect.
After the peripheral reboots, the signed certificate will be active. You may need to clear your browser cache so that the HTTPS connection to the peripheral's IP address is reestablished using the new certificate.
CAUTION: The installed certificate is destroyed during a peripheral factory reset.
Removing a Certificate
Only one certificate can be installed at a time. If you need to remove the current certificate and install a new one:
- Click the Device Certificate tab.
- Click Remove Certificate.
- Click Remove and Reboot to confirm.