This guide will show how to force read-only access of your SafeConsole devices to only your trusted computers using certificates. This feature requires 4.8.25 device client software or greater. A video walkthrough is available with text instructions below. 

Install OpenSSL on a workstation. We recommend this package for windows. After installation, copy the openssl.exe file from the GnuWin32\bin folder and the openssl.cnf from GnuWin32\share into a working folder such as your desktop. Then open a command prompt. 


1. Obtain a CA certificate

 If you do not have one, one can be generated by first creating a private key.  

openssl genrsa -out ca.key 2048


Then we create a new certificate using the key we just generated with the following command. Provide your relevant information when asked. The Common Name will be what is shown in SafeConsole.  

openssl req -new -x509 -sha256 -config openssl.cnf -days 3650 -key ca.key -out ca.crt


2. Generate client certificates using your CA certificate.

Enter these commands one line at a time to generate a new client certificate using your CA certificate. Provide all relevant information such as company name etc when asked. It is adviseable to use a descriptive subject, such as: The last two lines will sign the client certificate and convert to a PKCS#12 format. You will be prompted for a password. This password will be to install the certificate on the client computer and will not need to be entered each time it is used. 

openssl genrsa -out client.key 2048
openssl req -new -sha256 -config openssl.cnf -key client.key -out client.csr
openssl x509 -req -sha256 -days 1826 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -chain -CAfile ca.crt


3. Install the client ZoneRestrictor certificates on client machines

Start with the machine where you will initialize the devices. This requires a connection to SafeConsole. Devices that have been initialized can be unlocked on offline machines that have the same certificate present, but they must be initialized on a SafeConsole connected machine:

  • Copy the client.p12 file to that machine and run it. 
  • Accept the prompts in the import wizard.
  • Remove the client.p12 file from this machine to prevent further unauthorized distribution of the certificate
  • Repeat the steps on all machines and user accounts where you want to allow the device to be used. 

4. Enable write protection

  • Login to SafeConsole with an Admin account.
  • Go to Policies tab.
  • Choose the Domain/OU for the users you want to manage.
  • Select Restrictions
  • Check Enable Write Protection on devices.
  • On the drop down select "Activated when outside your Trusted Zone"


5. Configure ZoneBuilder Policy in SafeConsole.

  • Go to Policies tab.
  • Choose the Domain/OU for the users you want to manage.
  • Click ZoneBuilder Then Enable ZoneBuilder
  • Select View Certificates. 
  • Add your new certificate. 
  • Then Select your CA certificate from the dropdown menu. Enter the CA password if required


This now restricts devices outside the Trusted Zone, which in this case is any clients without the client certificate installed, to be read only.