Is the Nx Cloud up? Visit our Status Page for the current health and performance of the Nx Cloud.

Status Page

How to generate and add a self-signed trusted certificate

Nx Support
Updated

Introduction

By default, the Video Management System (VMS) automatically generates and signs the server certificate. However, it's important to note that self-signed certificates can trigger a warning regarding a potential insecure situation. This is because such certificates can be susceptible to man-in-the-middle (MITM) attacks.

We understand the concern and annoyance about these warnings, and we have provided an option to disable the warning through the Local Settings menu. Alternatively, we offer a – better – solution to address this issue by generating a custom self-signed certificate using OpenSSL.

Detailed instructions on how to create and add this certificate are provided below.

By following these steps and adding the custom self-signed certificate, the applications will recognize the certificate as secure, and you will no longer encounter these warning messages.

Instructions

Install OpenSSL

NOTE: The instructions below are for Ubuntu Linux and macOS only, since there are no official releases of OpenSSL for Windows, so assure you choose a reputable resource to obtain OpenSSL for Windows. 

For Linux, you can OpenSSL via your packet manager, or through the terminal with the following command:

sudo apt install openssl

For macOS, you need to have Homebrew or MacPorts installed.
For Homebrew, you can install OpenSSL through the terminal with the following command:

brew install openssl

For MacPorts, you can install OpenSSL through the terminal with the following command: 

To find the available versions:

port search openssl

To install the latest version:

sudo port install openssl<version>

Generating a self-signed certificate

The following steps apply to all supported operating systems. 

  1. Create a directory to store the certificate. Open the terminal and run the following commands with user privileges:
     

    mkdir openssl 
    cd openssl

  2. Generate the certificate key for the certificate: 

    openssl genrsa -out ca.key 2048

  3. Create a configuration file with the following command:

    cat > csr.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    [dn]
    C = Country Code (e.g., US)
    ST = State/Province name (e.g., California)
    L = City (e.g., San Francisco)
    O = Department (e.g., IT)
    OU = Department (e.g., IT)
    CN = Organization (Best Company)
    [req_ext]
    EOF

    NOTE: For Windows, create a text file named csr.conf in the OpenSSL directory created in the previous step and paste the contents, except the first and last line.

  4.  Make a CA certificate request:
    openssl req -new -sha256 -key ca.key -out ca.csr -config csr.conf

  5. Generate the CA certificate

    openssl x509 -req -sha256 -days 730 -in ca.csr -signkey ca.key -out ca.crt

    NOTE: In this example command, the number of days was set to 730 days (two years), but any value could be used.

  6. Generate your server key
    openssl genrsa -out server.key 2048
  7. Generate the server certificate request
    openssl req -new -sha256 -key server.key -out server.csr -config csr.conf

  8. Make a server certificate request configuration. On macOS/Linux, use the full command below.

    cat > cert.conf <<EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = Your server name (e.g., localhost, test.com)
    IP.1 = Your server IP address (e.g., 127.0.0.1)
    EOF

    NOTE: For Windows, create a text file named cert.conf in the OpenSSL directory created in the previous step and paste the contents, except the first and last line.

  9. Generate the server certificate
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile cert.conf

Adding a self-signed certificate to the Server application

Now you’re going to compose a cert.pem certificate file with the files made in the first section of this article. 

  1. Create a new file via a text editor and save it as cert.pem.
    You can use the following command in the terminal to do this: 
     
    touch cert.pem

  2. Open the cert.pem file and add the contents of files created before to the cert.pem file, in the following order:

    ... Server key file contents ...
    ... Server certificate file contents ...
    ... CA certificate file contents …


    Once the content is added, save the file and keep the name cert.pem, otherwise the Server application will not recognize it. More details about this step can be found in the in-client manual, that is included in the VMS.

  3. Stop the server application
    For Linux: Open the terminal and enter the following command;

    sudo service networkoptix-mediaserver stop

    For Windows: Open the task manager, select tab ‘Services’ find the mediaserver application, right-click and select; Stop

  4. Move the cert.pem into your media server ssl directory. 
    For Linux:

    /opt/<%VENDOR.NAME%>/mediaserver/var/ssl

    For Windows:

    C:\Windows\System32\config\systemprofile\AppData\Local\<%VENDOR.NAME%>\<%VENDOR.NAME%> Media Server\ssl

  5. Start the server application

    For Linux: Open the terminal (Ctrl+Alt+T) and enter the following command; 
     

    sudo service networkoptix-mediaserver start

    For Windows: Open the task manager, select tab ‘Services’ find the mediaserver application, right-click and select; Start

Add the CA certificate to the system trusted certificate storage

NOTE: You should use the address as specified in the csr.conf and cert.conf files in section DNS when accessing the VMS Server application, otherwise you’ll get a certificate error.

NOTE: Please repeat these steps for each client you use to connect to the system.

For macOS 

Please refer to the Apple support article: Add certificates to a keychain using Keychain Access on Mac.

For Linux

  1. Move the certificate to the appropriate directory: Open a terminal and copy the certificate file to the certificates' directory using the command:
    sudo mv /path/to/ca.crt /usr/local/share/ca-certificates/
  2. Update the system's certificate store using the update-ca-certificates command:
    sudo update-ca-certificates
  3. Open Firefox and go to the Main menu through the hamburger menu in the top-left and select Options
  4. Select Privacy & Security and scroll down to Certificates
  5. Select View Certificates and the Certificate Manager window opens
  6. Select Authorities and select Import
  7. Locate the created ca.crt certificate file and select Open
  8. Select the Trust this CA to identify websites checkbox and select Ok

NOTE: The provided instructions are for Firefox, since this is the default browser for Ubuntu Linux. If you use another browser, please find the instructions for the preferred browser on the support pages of the applicable browsers. 

For Windows:

  1. Double-click on your CA certificate, a window opens, and select Install Certificate
  2. Select Current user Store Location
  3. Select the Trusted Root Certification Authorities under the Certificate Store
  4. Select Yes on the security warning tab

Related articles

Comments

0 comments

Article is closed for comments.