
DW Spectrum IPVMS SSL Certificate Management


-----------------------------------

Affected Roles:  Administrator, Owner

Related Digital Watchdog VMS Apps:  DW Spectrum® IPVMS

Software Version:  DW Spectrum v4.2 and newer

Complexity:  Medium

Last Edit:  July 7, 2022

-----------------------------------

Secure Socket Layer (SSL)

DW Spectrum Servers use a self-signed Secure Socket Layer (SSL) certificate by default.  SSL certificates are small data files that digitally bind a cryptographic key to an organization’s details, such as the public key and the owner of a website or server.  These data packets are transmitted between the DW Spectrum Server and the requesting client with digitally signed acknowledgements to start an SSL encrypted session.

As a result, the data packets containing the requested information that are sent over the encrypted session can only be decoded by the designated receiving node(s).  By combining this with the HTTPS protocol, this acts as a “protective lock” on the data during the transfer to better mitigate malicious agents (cybercriminals) that may be attempting to intercept or eavesdrop on sensitive information.

This article outlines how to replace the self-signed certificate of a DW Spectrum Server with a certificate that was purchased from an official certificate provider.

SSL Certificate Authorities

By default, the DW Spectrum System will create its own SSL certificate, which is referred to as a “self-signed certificate”.  However, while still considered to be secure and encrypted, self-signed certificates are not easily recognized by web browsers as ‘trustworthy’ in comparison to using an SSL certificate that was purchased from a common certificate authority.

If you wish to purchase a certificate rather than utilize a self-signed SSL certificate, the most recognized SSL certificate providers can be found here:

https://www.techradar.com/news/best-ssl-certificate-provider

DW Spectrum Client Application Warning

If an affiliated DW Spectrum Server is using version 4.2 or higher, the mobile application will attempt to verify that the target Server is using an SSL Certificate for security. However, a notification will display alerting you to an SSL certificate verification issue if the DW Spectrum Server is using the default self-signed SSL Certificate that is generated automatically.

Although the certificate is valid, the notification appears because the Server is using a self-signed certificate as opposed to a public certificate that has been purchased from a recognized certificate provider. Select “Connect Anyway” to confirm that you trust the current Server. This message will not display the next time that you connect with the Server as long as its SSL Certificate remains valid.

 The following prompt may display:

Checking SSL Certificate Validity & Information

To check the validity of a Server’s SSL Certificate and its expiration date, connect to the Server’s Web Admin and click the “Not Secure” indicator in the address bar.

The certificate’s status will display. Review the details as needed.

A self-signed SSL Certificate that was generated automatically by the DW Spectrum Server is considered a valid certificate despite not being issued by a public certificate provider. You can identify a self-signed certificate if the “Issued to” and “Issued by” details are both “Digital Watchdog”.

Applying a Purchased SSL Certificate

Part 1:  Locating the SSL Certificate

If you have purchased an SSL certificate from a recognized authority and would like to apply it to the DW Spectrum Server, you must first find where the self-signed certificate (cert.pem) is located.

The SSL Certificate file can be found in the following directories:

  • Systems Using Windows OS:
C:\Windows\System32\config\systemprofile\AppData\Local\Digital Watchdog\Digital Watchdog Media Server\ssl
  • Systems Using Ubuntu OS:
/opt/digitalwatchdog/mediaserver/var/ssl

Part 2:  Modifying the Self-Signed SSL Certificate

After locating the file cert.pem, perform the following steps:

  1. Stop the DW Spectrum Media Server.
    • Windows OS
      1. Locate the Service Tray on the Windows Task Bar.
      2. Right-click on the DW Media Server icon and select Stop server (started).

    • Ubuntu OS
      1. Open the Terminal program on the Linux computer.  You can do this by using the Search function in the system Unity menu.

         Alternatively, you can simultaneously press the Ctrl+Alt+T keys on the keyboard to launch the Terminal program.

         The Terminal window will display.

      2. Log in as the root Administrator by using:
sudo su
      3. When prompted, enter the root admin password. Text will not display while typing the root admin password.
Dw5pectrum

**NOTE:  For older DW Blackjack units purchased prior to June 18, 2021, the previously utilized default Linux OS login was “admin/admin”.

      4. Next, stop the DW Media Server with:
service digitalwatchdog-mediaserver stop
  2. After stopping the DW Media Server, open the cert.pem file.

     Both the self-signed cert.pem file and purchased certificate should be text files, so it may be easiest to use an application such as Notepad to make the edits.

  3. Next, edit the cert.pem file.

     Copy and replace the private key and certificate content with the purchased SSL certificate information.

-----BEGIN PRIVATE KEY-----

<...insert new private key replacement here ...>

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

<...enter new certificate replacement here ...>

-----END CERTIFICATE-----
  4. After replacing the Private Key and Certificate text with the new text of the purchased certificate, save the modified cert.pem file to retain the changes.
  5. When ready, start the DW Spectrum Media Server.
    • Windows OS
      1. Locate the Service Tray on the Windows Task Bar.
      2. Right-click on the DW Media Server icon and select Start Server (stopped).

    • Ubuntu OS
      1. Start the DW Media Server in the Terminal program with the command:
service digitalwatchdog-mediaserver start

This completes the modification of the cert.pem SSL certification file.
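
A pre-flight check for the edited cert.pem, covering the validity details described under “Checking SSL Certificate Validity & Information” and the private key and certificate blocks pasted in Part 2. This is an added example, not Digital Watchdog tooling; it assumes the openssl command-line tool is installed, and the function name check_cert_pem and its result strings are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for a combined cert.pem (private key +
# certificate) before the Media Server is started with it.
# The function name and result strings are illustrative, not DW Spectrum's.

check_cert_pem() {
    f=$1

    # The file must carry both PEM blocks shown in the article.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || { echo "missing-key"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "missing-cert"; return 1; }

    # Public key embedded in the certificate vs. public key derived from the
    # private key; if they differ, the pasted key belongs to another certificate.
    # "-passin pass:" keeps openssl from prompting if the key is encrypted.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$f" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key-mismatch"; return 1
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expired"; return 1; }

    # Equal subject and issuer is the "Issued to" = "Issued by" case.
    subject=$(openssl x509 -in "$f" -noout -subject)
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "ok-self-signed"
    else
        echo "ok-ca-issued"
    fi
}

# When run with a file argument, print the verdict and the expiry date.
if [ "$#" -gt 0 ]; then
    check_cert_pem "$1" && openssl x509 -in "$1" -noout -enddate
fi
```

Run it as root against the edited file in the ssl folder listed in Part 1 before starting the Media Server; any result other than ok-ca-issued or ok-self-signed means the file should be corrected first.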

Expired Self-Signed SSL Certificate for a DW Spectrum Server

If a DW Spectrum Server’s SSL Certificate (self-signed or public) has expired, the following prompt will appear:

Enable (check) the “Trust this server” checkbox and select “Connect Anyway” to continue with connecting to the Server. This prompt will continue to appear each time you attempt to connect with the Server until the certificate has been renewed.

Alternatively, you can disable the SSL Certificate verification setting in the DW Spectrum Mobile application, but this is not recommended as it will lower the security level of your connection.

Renewing (Recreating) an Expired Self-Signed SSL Certificate

A new cert.pem file can be generated and will be valid for up to one year after it has been re-created by the system.

To renew (re-create) another self-signed SSL certificate for DW Spectrum:

  1. Stop the DW Spectrum Media Server.
    • Windows OS
      1. Locate the Service Tray on the Windows Task Bar.
      2. Right-click on the DW Media Server icon and select Stop server (started).

    • Ubuntu OS
      1. Open the Terminal program on the Linux computer.  You can do this by using the Search function in the system Unity menu.

         Alternatively, you can simultaneously press the Ctrl+Alt+T keys on the keyboard to launch the Terminal program.

         The Terminal window will display.

      2. Log in as the root Administrator by using:
sudo su
      3. When prompted, enter the root admin password (will not display).
Dw5pectrum

**NOTE:  For older DW Blackjack units purchased prior to June 18, 2021, the previously utilized default Linux OS login was “admin/admin”.

      4. Next, stop the DW Media Server with:
service digitalwatchdog-mediaserver stop
  2. Next, locate the old self-signed certificate file labeled “cert” (cert.pem file).
    • Systems Using Windows OS:
C:\Windows\System32\config\systemprofile\AppData\Local\Digital Watchdog\Digital Watchdog Media Server\ssl
    • Systems Using Ubuntu OS:
/opt/digitalwatchdog/mediaserver/var/ssl

     Once located, right-click on the file and select “Delete” to remove the old self-signed certificate file.

  3. After deleting the old self-signed certificate, start the DW Spectrum Media Server. A new cert.pem file will be generated and will display in the same SSL folder where the old file was previously located.

     This renewed certificate will be valid for up to one (1) year following this re-creation.

    • Windows OS
      1. Locate the Service Tray on the Windows Task Bar.
      2. Right-click on the DW Media Server icon and select Start Server (stopped).

    • Ubuntu OS
      1. Start the DW Media Server using the Terminal program with the command:
service digitalwatchdog-mediaserver start
  • 09-Jul-2022