Introduction
By default, the Video Management System (VMS) Server generates and signs its own server certificate. Nothing the client already trusts vouches for such a self-signed certificate, so the client cannot tell the real Server from an attacker in the network path who presents a self-signed certificate of their own. This is why connecting to a self-signed certificate triggers a warning about a potentially insecure situation: it leaves the connection open to man-in-the-middle (MITM) attacks.
We understand that these warnings are a nuisance, and the Local Settings menu offers an option to disable them. Disabling the warning removes the check, not the risk. The better solution is to create your own certificate authority (CA) with OpenSSL, issue the Server's certificate from that CA, and add the CA certificate to the trust store of every client.
Detailed instructions on how to create and add these certificates are provided below.
Once the CA-signed server certificate is installed on the Server and the CA certificate is trusted by the client, the applications verify the Server's certificate and you will no longer encounter these warning messages.
Instructions
Install OpenSSL
NOTE: The installation commands below cover Ubuntu Linux and macOS. The OpenSSL project does not publish official Windows binaries, so on Windows obtain OpenSSL from a reputable third-party source and verify the download before installing it; the certificate steps that follow work the same on Windows.
For Ubuntu (and other Debian-based distributions), install OpenSSL via your package manager, or from the terminal with the following command:
sudo apt install openssl
For macOS, you need to have Homebrew or MacPorts installed.
For Homebrew, you can install OpenSSL through the terminal with the following command:
brew install openssl
For MacPorts, install OpenSSL through the terminal with the following commands.
To find the available versions:
port search openssl
To install the version you chose (the port name includes the version):
sudo port install openssl<version>
Generating a self-signed certificate
The following steps apply to all supported operating systems.
- Create a directory to store the certificates and keys. Open the terminal and run the following commands as a normal (non-root) user:
mkdir openssl
cd openssl
- Generate the private key for the CA certificate:
openssl genrsa -out ca.key 2048
NOTE: Anyone who holds ca.key can issue certificates that every client trusting ca.crt will accept without warning. Restrict it to your user (chmod 600 ca.key on Linux/macOS), keep it off the Server and off client machines, and distribute only ca.crt.
- Create a configuration file for the certificate request with the following command:
cat > csr.conf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = Country code (e.g., US)
ST = State/Province name (e.g., California)
L = City (e.g., San Francisco)
O = Organization (e.g., Best Company)
OU = Department (e.g., IT)
CN = Name of this certificate (e.g., Best Company VMS CA)
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = Your server name (e.g., localhost, test.com)
IP.1 = Your server IP address (e.g., 127.0.0.1)
EOF
NOTE: For Windows, create a text file named csr.conf in the openssl directory created in the previous step and paste the contents, except the first and last line (the cat and EOF lines).
NOTE: This same file is used for both the CA request and the server request below. Give the CA its own CN here (for example "Best Company VMS CA") and, before generating the server certificate request, change CN to the Server's host name. If the issuer and the server certificate carry an identical Subject, path building in some validators gets confused and the chain can be rejected.
- Make the CA certificate request:
openssl req -new -sha256 -key ca.key -out ca.csr -config csr.conf
- Generate the CA certificate:
openssl x509 -req -sha256 -days 730 -in ca.csr -signkey ca.key -out ca.crt
NOTE: In this example the validity was set to 730 days (two years), but any value can be used. Clients stop trusting the CA when it expires, so repeat the trust-store steps below whenever you renew it.
NOTE: openssl x509 -req does not copy extensions from the request and, depending on the OpenSSL version, may write a certificate with no basicConstraints extension at all. Firefox/NSS, and OpenSSL in strict mode, refuse to use such a certificate as a CA. To mark the CA explicitly, pass an extension file (-extfile) containing basicConstraints = critical, CA:TRUE and keyUsage = critical, keyCertSign, cRLSign when generating ca.crt.
- Generate your server key:
openssl genrsa -out server.key 2048
- Generate the server certificate request (first change CN in csr.conf to the Server's host name, so that the server certificate's Subject differs from the CA's):
openssl req -new -sha256 -key server.key -out server.csr -config csr.conf
- Create the server certificate extension configuration. On macOS/Linux, use the full command below.
cat > cert.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = Your server name (e.g., localhost, test.com)
EOF
NOTE: For Windows, create a text file named cert.conf in the openssl directory created earlier and paste the contents, except the first and last line.
NOTE: Only the extensions listed in cert.conf end up in the server certificate; the subjectAltName in csr.conf is not carried over by the signing command. If clients will also connect by IP address, add an IP.1 = line with that address under [alt_names] here, in the same form as in csr.conf.
- Generate the server certificate:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile cert.conf
NOTE: -CAcreateserial writes the file ca.srl holding the last serial number used; keep it next to ca.key so that later certificates issued by this CA get unique serial numbers.
Adding the certificate to the Server application
Now compose a cert.pem file from the files made in the previous section.
- Create a new file via a text editor and save it as cert.pem. In the terminal you can do this with the following command:
touch cert.pem
- Open cert.pem and paste the contents of the files created above, in the following order:
... Server key file contents (server.key) ...
... Server certificate file contents (server.crt) ...
... CA certificate file contents (ca.crt) ...
NOTE: Do not include ca.key. cert.pem contains the Server's private key, so it must be readable only by the account the media server runs as.
Once the content is added, save the file and keep the name cert.pem, otherwise the Server application will not recognize it. More details about this step can be found in the in-client manual that is included in the VMS.
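The whole generation and bundling procedure above, as an added shell example that is not part of this article or of the VMS vendor's tooling. It keeps a separate configuration for the CA that marks the CA certificate explicitly (basicConstraints CA:TRUE), gives the CA and the Server different Subjects, puts both a DNS name and an IP address in the server certificate's subjectAltName, assembles cert.pem in the order the Server expects, and finishes with openssl verify so you can confirm the chain and the host name before touching the media server. The host name vms.example.internal, the address 192.0.2.10 and the organization name are constructed placeholders, and the self-signed CA certificate is produced with openssl req -x509 in one step instead of the separate ca.csr step shown above.

```shell
#!/bin/sh
# Added example, not the article's or the VMS vendor's script: private CA, CA-signed
# server certificate with SANs, the cert.pem bundle the Server expects, and a chain
# check with openssl. Names, addresses and the organization are placeholders.
set -eu
# make_ca DIR CN: CA private key (mode 600) and a self-signed CA certificate that is
# explicitly marked as a CA, so Firefox/NSS and OpenSSL accept it as an issuer.
make_ca() {
    local dir=$1 cn=$2
    mkdir -p "$dir"
    (umask 077 && openssl genrsa -out "$dir/ca.key" 3072 >/dev/null 2>&1)
    cat > "$dir/ca.conf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example Org
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # req -x509 signs the request with its own key; no separate ca.csr is needed
    openssl req -x509 -new -sha256 -key "$dir/ca.key" -days 730 \
        -config "$dir/ca.conf" -out "$dir/ca.crt"
}
# make_server_cert DIR NAME DNS IP: server key, request, and a certificate issued by
# the CA whose subjectAltName lists both the DNS name and the IP clients will use.
make_server_cert() {
    local dir=$1 name=$2 dns=$3 ip=$4
    (umask 077 && openssl genrsa -out "$dir/$name.key" 2048 >/dev/null 2>&1)
    cat > "$dir/$name-csr.conf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
O = Example Org
CN = $dns
EOF
    # x509 -req takes extensions from this file only; anything in the CSR is ignored
    cat > "$dir/$name-ext.conf" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $dns
IP.1 = $ip
EOF
    openssl req -new -sha256 -key "$dir/$name.key" -config "$dir/$name-csr.conf" \
        -out "$dir/$name.csr"
    openssl x509 -req -sha256 -days 397 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name-ext.conf" \
        -out "$dir/$name.crt" 2>/dev/null
}
# bundle_pem DIR NAME: cert.pem in the order the Server expects (server key, server
# certificate, CA certificate); the CA key is deliberately not included.
bundle_pem() {
    local dir=$1 name=$2
    cat "$dir/$name.key" "$dir/$name.crt" "$dir/ca.crt" > "$dir/cert.pem"
    chmod 600 "$dir/cert.pem"
}
# verify_chain DIR NAME HOST: succeeds only if the server certificate chains to
# ca.crt, is usable for a TLS server, and HOST matches a DNS entry in its SAN.
verify_chain() {
    local dir=$1 name=$2 host=$3
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
        -verify_hostname "$host" "$dir/$name.crt" >/dev/null 2>&1
}
# ca_is_marked_ca DIR: succeeds if ca.crt carries basicConstraints CA:TRUE
ca_is_marked_ca() {
    openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'CA:TRUE'
}
# san_of DIR NAME: prints the subjectAltName line of the server certificate
san_of() {
    openssl x509 -in "$1/$2.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}
# Stand-alone run: everything goes under the directory given as $1 (default: a fresh
# temporary directory), using the constructed placeholder name and address.
main() {
    local dir=${1:-$(mktemp -d)}
    make_ca "$dir" "Example Org VMS CA"
    make_server_cert "$dir" server vms.example.internal 192.0.2.10
    bundle_pem "$dir" server
    ca_is_marked_ca "$dir" && echo "ca.crt is marked CA:TRUE"
    verify_chain "$dir" server vms.example.internal && echo "chain and host name OK"
    echo "SAN: $(san_of "$dir" server)"
    echo "output in $dir: cert.pem goes to the Server, ca.crt to the clients"
}
main "$@"
```

Save it under a name of your choice and run it with sh, optionally passing an output directory. Copy only cert.pem to the Server's ssl directory and only ca.crt to the clients; ca.key stays with you. verify_chain fails for any name you did not list in the SAN, which is the same mismatch a client reports when it connects by an address you did not put in the certificate.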
- Stop the server application.
For Linux: Open the terminal and enter the following command:
sudo service networkoptix-mediaserver stop
For Windows: Open the Task Manager, select the Services tab, find the media server service, right-click it and select Stop.
- Move cert.pem into your media server ssl directory.
For Linux: /opt/<%INSTALLER.NAME%>/mediaserver/var/ssl
For Windows: C:\Windows\System32\config\systemprofile\AppData\Local\<%COMPANY.NAME%>\<%COMPANY.NAME%> Media Server\ssl
NOTE: On Linux, make sure cert.pem is owned by the account the media server runs as and is not readable by other users (for example mode 600), since it contains the private key.
- Start the server application.
For Linux: Open the terminal (Ctrl+Alt+T) and enter the following command:
sudo service networkoptix-mediaserver start
For Windows: Open the Task Manager, select the Services tab, find the media server service, right-click it and select Start.
Add the CA certificate to the system trusted certificate storage
NOTE: Connect to the VMS Server using exactly the host name (or IP address) listed under [alt_names] in cert.conf. Any other address produces a certificate error, because it does not match the certificate's subjectAltName.
NOTE: Repeat these steps on every client machine you use to connect to the system. Distribute only ca.crt, never ca.key.
For macOS
Please refer to the Apple support article: Add certificates to a keychain using Keychain Access on Mac.
For Linux
- Copy the CA certificate to the local CA directory. Open a terminal and run the following command (Debian/Ubuntu and derivatives):
sudo cp /path/to/ca.crt /usr/local/share/ca-certificates/
- Update the system certificate store with the update-ca-certificates command:
sudo update-ca-certificates
NOTE: update-ca-certificates only picks up files with a .crt extension. On Fedora/RHEL-based systems the equivalent is copying ca.crt to /etc/pki/ca-trust/source/anchors/ and running sudo update-ca-trust.
Firefox maintains its own certificate store, so the CA must be imported there as well:
- Open Firefox, open the main menu (the hamburger icon in the top-right) and select Settings
- Select Privacy & Security and scroll down to Certificates
- Select View Certificates; the Certificate Manager window opens
- Select the Authorities tab and select Import
- Locate the created ca.crt file and select Open
- Select the "Trust this CA to identify websites" checkbox and select OK
NOTE: The provided instructions are for Firefox, since this is the default browser for Ubuntu Linux. If you use another browser, please find the instructions for the preferred browser on the support pages of the applicable browsers.
For Windows:
- Double-click your CA certificate (ca.crt); in the window that opens, select Install Certificate
- Select Current User as the store location and click Next
- Select "Place all certificates in the following store", browse to Trusted Root Certification Authorities, click Next and then Finish
- Select Yes on the security warning