Self-signed certificates are NOT secure. It is recommended to use Let’s Encrypt (configurable via the web service UI) if you do not wish to pay for the cost of a trusted HTTPS certificate.
A self-signed certificate allows you to use a web browser, but does not work with mobile devices. Only trusted third-party certificates work with mobile devices.
This document assumes that ExacqVision Web Service 3.0 or later has been installed with the default settings.
Requirements
You will need the OpenSSL program to create a self-signed certificate. The method of obtaining this program varies based on the operating system used.
Linux – OpenSSL is included by default on all modern Ubuntu distributions. If for any reason it is not, run: sudo apt-get install openssl in a Terminal window and follow the prompts.
Windows – The easiest way is to obtain a pre-compiled executable from SourceForge:
Under the ‘Download’ section, click the link labeled ‘Zip’ beside the row labeled ‘Binaries’.
After downloading, extract (unzip) the contents of this file.
The executables extracted may then be run independently without installation. OpenSSL.exe is located within the ‘bin’ folder of the extracted Zip file contents. The following procedures explain how to continue.
Note: A certificate generated on either platform will work on the other (i.e.- a certificate generated using openssl on Linux can be used with a Windows web service).
Windows Procedure
Open a CMD window.
Navigate into the unzipped directory, then into the ‘bin’ directory in which the recently extracted OpenSSL executable resides.
Create a self-signed certificate by typing the following: openssl.exe req -new -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key -config ..\share\openssl.cnf
When running this command you will be prompted to enter several fields. Answer the questions according to your needs. COMMON NAME should be the IP address or FQDN that you use to access your ExacqVision Web Service (www.domain.com).
Place the resulting files (server.crt, server.key) according to your ExacqVision Web Service version:
8.4 and above: Use the web service configuration interface to configure HTTPS using the generated files.
Log in to your Web Service Configuration page
Expand the Configuration menu
Click HTTPS
Click Configure
Select External and import your generated .crt and .key files.
Apply the changes
Click the link to restart the web service
3.0 to 8.2: use the file explorer and CMD
place the files in the following directory C:\Program Files[ x86 ]\exacqVision\WebService\Apache\conf
Using CMD, stop the web service: net stop webservice
Using CMD, start the web service: net start webservice
Linux Procedure
Open a Terminal window
Create a self-signed certificate by entering the following command: openssl req -new -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key
When running this command you will be prompted to enter several fields. Answer the questions according to your needs. COMMON NAME should be the IP address or FQDN that you use to access your ExacqVision Web Service (www.domain.com).
Place the resulting files (server.crt, server.key) according to your ExacqVision Web Service version:
8.4 and above: Use the web service configuration interface to configure HTTPS using the generated files.
Log in to your Web Service Configuration page
Expand the Configuration menu
Click HTTPS
Click Configure
Select External and import your generated .crt and .key files. Apply the changes
Click the link to restart the web service
3.0 to 8.2: use the file explorer and Terminal
place the files in the following directory /etc/evapache
Using Terminal, restart the web service: sudo /usr/local/exacq/webservice/service.sh restart
IMPORTANT For Instructions on current versions of exacqVision Enterprise Manager versions 22.06 or higher see Knowledge Base Article #12804
This document details how to enable HTTPS connections to exacqVision Enterprise System Manager on versions 22.03 or lower.
For a trusted certificate, it is recommended that you purchase a third-party intermediate certificate from one of many online providers. If you are using a third-party certificate you may skip ahead to the section titled, “Obtaining a Third-Party Certificate”.
These steps will detail how to create a self-signed certificate, but be aware that web browsers will warn users that the certificate is untrusted if you are using a self-signed certificate or one from a private/internal certificate authority.
CREATING A SELF-SIGNED SSL CERTIFICATE
Windows
1) Click on the Windows Start button and type ‘CMD’. Right-click on the CMD icon and choose ‘Run as Administrator’.
2) Set the environmental variable that will be used by OpenSSL later by typing:
set OPENSSL_CONF=C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\openssl.cnf
Press Enter.
3) Change your working directory by typing:
cd "C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin"
You will be prompted to enter a PEM pass phrase. Enter anything you like but you will need to re-enter this in the following steps.
PEM pass phrase:
5) You will be prompted with several questions for the certificate, answer these according to your needs. COMMON NAME should be the IP address or FQDN that users will access to reach the ESM web site (ex. www.domain.com or esmserver.domain.com).
You will be prompted with a series of questions. – Use data specific to your site. – Items can be left blank with the exception of Common Name – Common Name (e.g. server FQDN or YOUR name) should be the IP address of EM Server
Verify the md5 hashes match, if they DO NOT then see the troubleshooting section below before proceeding.
Step 3 Edit Apache Configuration
cd /usr/local/exacq/esm/apache_solr/apache2/conf/extra
sudo gedit httpd-ssl.conf
Make the following changes, save the file and then close gedit.
Step 4 Restart the enterprise-webservice
sudo service enterprise-webservice stop
sudo service enterprise-webservice start
<br>
OBTAINING A THIRD-PARTY CERTIFICATE
If you are planning to acquire a third-party certificate from a trusted provider, you may need to provide them with a Certificate Signing Request (CSR) file.
Enter all the fields click on the ‘Submit’ button to download the ZIP file. Inside this ZIP file is the CSR file and RSA key to give to your certificate provider.
If you purchased a chained certificate, be sure to download the appropriate intermediate bundle.
Once you have downloaded the files from your provider:
Rename the .crt file to ‘server.crt’.
Rename the .key file to ‘server.key’.
If you have a chained certificate, rename the chain file to ‘server-ca.crt’.
Place the renamed files from your Certificate Authority (CA) into the following directory:
When purchasing an SSL certificate, many providers offer an Intermediate Bundle, or additional certificates that must be present to link your certificate to a root certification authority. Usually the provider will have documentation on how to accomplish this with Apache, but it is a good idea to ask them before or during the purchasing process. Exacq is not responsible for making your certificates capable of working with Apache.
It is possible to combine all the intermediate certificates that a provider may give you into one file. Consult your provider for more information.
<br>
ENABLING SSL FOR HTTPS CONNECTIONS
Be sure that you have followed the steps above to place the certificate files necessary for either a third-party certificate or a self-signed certificate into the correct directory before continuing with the following steps.
Windows
1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes.
2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard.
In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.
Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.
3) Find the following line:
LoadModule ssl_module modules/mod_ssl.so
Remove any pound (#) sign in front of this line if there is one.
Now, find the following line:
Include conf/extra/httpd-ssl.conf
Remove any pound (#) sign in front of this line if there is one.
Save the file.
4) Still using Notepad, open the file titled ‘httpd-ssl.conf’ located in C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra
Find the following line:
ServerName www.example.com:443
Change the ‘www.example.com’ portion of this line to ‘localhost’.
Save the file and close the window.
5) Restart the solrApache service in Windows services (services.msc).
Linux
1) Open a Terminal prompt.
2) Change your working directory by typing:
cd /usr/local/exacq/esm/apache_solr/apache2/conf
Press Enter.
3) You may use any editor you feel comfortable with, such as vi or nano, but if your are more inclined to using a graphical interface you may use a program called ‘gedit’ to make the following changes.
In the Terminal, type:
sudo gedit httpd.conf
Press Enter.
4) Find the following line:
LoadModule ssl_module modules/mod_ssl.so
Remove any pound (#) sign in front of the line if there is one.
Now, find the following line:
Include conf/extra/httpd-ssl.conf
Remove any pound (#) sign in front of the line if there is one.
Save the file and close the ‘gedit’ editor window to return to the Terminal prompt.
5) In the Terminal, type:
sudo gedit extra/httpd-ssl.conf
Press Enter.
Find the following line:
ServerName www.example.com:443
Change the ‘www.example.com’ portion of this line to ‘localhost’.
Save the file and close the window to return to the Terminal prompt.
6) Restart the service in the Terminal by typing:
sudo service ESMWebservice restart
<br>
FORCED REDIRECT FROM HTTP TO HTTPS
If you want to force users who try to access the site on port 80, using HTTP, to use the secure HTTPS connection you will need to enable a redirection.
Windows
1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes.
2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard.
In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.
Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.
Remove the pound (#) signs in front of these two lines.
Save the file.
4) Restart the solrApache service in Windows services (services.msc).
Linux
1) You may use any editor you feel comfortable with, such as vi or nano, but if your are more inclined to using a graphical interface you may use a program called ‘gedit’ to make the following changes.
Remove the pound (#) signs in front of these two lines.
Save the file and close the ‘gedit’ window to return to the Terminal prompt.
3) Restart the service in Terminal by typing:
sudo service ESMWebservice restart or sudo service enterprise-webservice restart
<br>
TROUBLESHOOTING
1) Some versions of Internet Explorer do not easily work with services running locally or may display pages incorrectly. If this happens, try clearing the browser’s cache by pressing CTRL-F5 on the keyboard. If the problem is persistent try installing another web browser, such as Chrome.
2) If the solrApache service fails to start after configuring it for SSL:
[Wed Mar 04 09:08:54.512004 2017] [ssl:emerg] [pid 19116] AH02565: Certificate and private key www.example.com:443:0 from server.crt and server.key do not match AH00016: Configuration Failed
c) If you see this log entry, complete the following steps:
1) Change your working directory to the location of openssl.exe
Windows (CMD) – cd C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin
3) Compare the resulting values output after running each of the preceding commands. Each resulting string should be identical. If the values do not match, confer with the certificate authority that issued the certificate.
exacqVision supports connecting to many cameras using HTTPS. Depending on the camera firmware capabilities and the device type plugin used in exacqVision the level of encryption provided may vary.
Using the IP Camera Integration Database, you may choose to filter the displayed results by devices which support SSL (HTTPS).
<br>
Connecting with HTTPS
When adding a new camera to an exacqVision Server or editing an existing camera connection, the IP Camera Information section on the Add IP Cameras page provides a Protocol drop-down menu. The following options are available:
HTTP
HTTPS If Available
HTTPS Required
Selecting ‘HTTPS If Available‘ does not permit customizing the Port number field. This option will attempt to connect to the camera using HTTPS on port 443. If this attempt fails it will fall back to attempt connection with HTTP on port 80. This may add a small delay to the initial connection as it tests HTTPS first.
Selecting ‘HTTPS Required‘ will only permit connection to the device using HTTPS. If the device cannot accept such a connection the device will fail to connect. You are permitted to change the Port number field should your camera be configured to provide HTTPS over a custom port number.
<br>
HTTPS Connection Symbols
The IP Camera List on the Add IP Cameras page as well as the Camera Recording page provide symbols in the Protocol column allowing you to quickly view which devices are connected with HTTPS and to what level.
An empty field in the Protocol column indicates an HTTP connection.
The gear icon denotes that the connection is made to the device with HTTPS, which encrypts the login credentials to the device, the camera web interface in the Client’s web panels, and CGI commands made to the camera.
A padlock icon in the Protocol column indicates that the HTTPS connection encrypts the credentials, web page, and CGI commands, but also includes encryption of the video stream.
NOTE: HTTPS between the exacqVision software and camera encrypts only the communications between those two devices.
<br>
Enabling HTTPS on Your Camera
Cameras will vary from manufacturer to manufacturer as well as between versions of firmware. Legacy firmware on some devices may require you to apply your own certificate. Many IP cameras today provide HTTPS support out-of-box using self-signed certificates. Below, we examine the settings on an Illustra IQ camera. For other devices, please refer to your device’s documentation.
NOTE: When accessing a camera through the web browser interface using HTTPS, your browser may warn you or prompt you for permission to continue due to having a self-signed certificate. A self-signed certificate can be used to encrypt communication but cannot provide certificate validation. Certificate validation requires the certificate be issued by a Certificate Authority (CA).
Some devices may require you to generate a new self-signed certificate if you have changed the IP address since the last certificate was created.
<br>
Illustra IQ Cameras
Illustra IQ devices provide self-signed certificates out-of-box. When entering the Setup mode of an Illustra IQ camera expand the Security menu, then navigate to the HTTP/HTTPS page, as shown.
This page allows you to configure the port number used. Using the Upload button will allow you to upload your own certificate from a trusted Certificate Authority rather than using the camera’s self-signed certificate.
If you decide to use a certificate from a Certificate Authority you must provide them with a Certificate Signing Request (CSR) from the camera. Each camera requires its own, unique certificate from your CA.
NOTE: Do not use wildcard certificates for this purpose.
To generate a CSR file to provide to your CA, navigate to the Generate CSR page, also found under the Security menu. Complete the form on the left as required for your site and needs, then click Apply. The field to the right will populate. You will copy the data from this field into a new text file, but save it as a .CSR file. If you accidentally save the file as .txt, simply replace the .txt file extension with .csr. Provide this file to your CA.
