-----------------------------------
Affected Roles: Administrator, Owner
Related Digital Watchdog VMS Apps: VMAX® Web Viewer
Complexity: Medium
Firmware Version: VMAX® IP Plus™ firmware v1.4.1.1 or newer
Last Edit: April 22, 2021
-----------------------------------
The VMAX® IP Plus™ recording unit can now be used to self-generate and implement a Hypertext Transfer Protocol Secure (HTTPS) Certificate to better protect user information and user connections. By combining the Hypertext Transfer Protocol (HTTP) and Secure Socket Layer (SSL) technology, the VMAX® unit can be set up to run device and user information through a cryptographic hash function to obscure user logins, video streams, network information, etc. from potentially malicious actors.
This article will outline the difference between a purchased HTTPS Certificate compared to a self-generated HTTPS Certificate, how to create a self-generated certificate, and how to import a purchased certificate to set up an HTTPS connection for a VMAX® IP Plus™.
The HTTPS function of the VMAX® IP Plus™ combines the Hypertext Transfer Protocol (HTTP) and Secure Socket Layers (SSL) to encrypt and decrypt information, such as digital signatures and authentication codes, typically between a server and a browser. By utilizing an SHA-256 (256-bit) algorithm when creating a cryptographic hash, strings of data are converted into a fixed hexadecimal code of 64 characters or more.
As a result, information that is run through this engine is computed quickly and can be authenticated by the sending node prior to transmitting the message.
If the receiving node attempts to decode the encrypted hash, and any changes were made during the transmission by a malicious actor, the received information would differ from the original hash (encrypted code) and would not be authenticated by the system. Additionally, the malicious actor would not be able to decode the encrypted information without the encryption key data that was created when the VMAX® signed the certificate. This considerably mitigates the possibility of unwanted interception of data.
The primary difference between a certificate that was purchased from a certificate authority and a Self-Generated Certificate that was created by the VMAX unit itself is in how a connecting web browser is likely to respond.
A certificate that was purchased from a widely recognized certificate authority of HTTPS Certificates will be accepted by most web browsers. However, a Self-Generated Certificate that was created through the device (in this case, a VMAX® unit) will be flagged by a browser, which will display a warning that the certificate “was not issued by a trusted certificate authority”.
Despite the fact that a self-generated HTTPS Certificate will not be recognized as being issued by a certificate authority, the SHA 256-bit encryption of a self-generated certificate is just as secure as a purchased certificate. If you encounter this message after setting up the HTTPS connection, simply continue to the website.
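Because the browser warning looks the same for any untrusted certificate, the certificate being presented can be compared against the one generated on the recorder before continuing. The following is an added example, not Digital Watchdog code; it assumes the SHA-256 fingerprint of the certificate was recorded from the unit when the certificate was generated, and the sample certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, not a real certificate: only the byte-for-byte
# comparison matters for running this demonstration offline.
SAMPLE_DER = b"constructed sample bytes standing in for the recorder certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return 64 lowercase hex chars."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def cert_fingerprint(pem):
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches_pin(pem, pinned):
    """True only if the presented certificate is the one recorded earlier."""
    return hmac.compare_digest(cert_fingerprint(pem), normalize_fingerprint(pinned))


def check_recorder(host, port, pinned):
    """Fetch the certificate the unit presents (no CA validation) and compare.

    host and port are whatever the recorder is configured with, e.g. the
    unit's IP address and the HTTPS Port set in the Network menu.
    """
    pem = ssl.get_server_certificate((host, port))
    return matches_pin(pem, pinned)


if __name__ == "__main__":
    pin = cert_fingerprint(SAMPLE_PEM)  # stands in for the recorded fingerprint
    other = ssl.DER_cert_to_PEM_cert(b"constructed bytes of a different certificate")
    print("same certificate:", matches_pin(SAMPLE_PEM, pin))
    print("substituted certificate:", matches_pin(other, pin))
```

A mismatch from `check_recorder` means the certificate being served is not the one created on the unit, so the warning should not be clicked through until the cause is known.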
The VMAX® IP Plus™ recording unit is capable of self-generating an HTTPS Certificate either directly at the recording unit itself or through the VMAX® Web Viewer using a web browser.
**NOTE: The time zone of the recording unit must be set up before generating a certificate. The time setting for both the NVR and NTP server must match. Skipping this step may impact the validity of the generated certificate, and the application time may vary. Please consult your User Manual for System Information setup.
To create a self-generated HTTPS Certificate directly at the VMAX® recorder:
The Setup Menu will display. Click on Network, then select the Network menu.
Enable the Use HTTPS setting. By default, the HTTPS Port will be set to Port 443. If needed, change the HTTPS Port value.
To self-generate an HTTPS Certificate using the VMAX® recorder, click the Generate button.
**NOTE: The HTTPS Port value cannot use the same port number as another device on the LAN.
The fields with an asterisk (*) are mandatory. The more information that is provided in the form, the more secure the certificate authentication will be.
Configure the following information:
Click the OK button to close the confirmation message.
After selecting the certificate, click the View button to view the certificate and the encryption.
The VMAX® IP Plus™ can now be connected to securely using an HTTPS connection. When connecting using a web browser, be sure to enter “https://” before entering the IP address or URL of the recording unit to use the secure HTTPS connection.
To create a self-generated HTTPS Certificate using the VMAX® Web Viewer:
Log in as the Administrator of the VMAX® unit.
From the Setup menus, click on the Network tab, then select Certificate Generation.
To create a self-generated HTTPS Certificate through the VMAX® Web Viewer, complete the registration form.
The fields with an asterisk (*) are mandatory. The more information that is provided in the form, the more secure the certificate authentication will be.
Configure the following information:
Click the OK button to close the message.
Click on the Select Certificate box and select the HTTPS Certificate.
Click the View button to view the certificate and the encryption.
The VMAX® IP Plus™ can now be connected to securely using an HTTPS connection. When connecting using a web browser, be sure to enter “https://” before entering the IP address or URL of the recording unit to use the secure HTTPS connection.
Another way that an HTTPS Certificate can be obtained is by purchasing the material from a recognized seller. Purchased certificates that were imported to a VMAX® IP Plus™ will automatically be recognized by a web browser when connecting through HTTPS.
The certificate file can be imported either directly at the recording unit itself or through the VMAX® Web Viewer.
**NOTE: Importing an HTTPS Certificate directly at the VMAX® unit requires the use of a FAT32 USB stick. Any external storage device that is not formatted to FAT32 format will not be recognized by the standalone unit.
**NOTE: All files that will be imported directly at the recording unit must be placed in the root directory of the USB stick. If a file is stored in a folder, the VMAX® unit will not be able to access the file.
To import a purchased HTTPS Certificate directly at the VMAX® recorder:
The Setup Menu will display. Click on Network, then select the Network menu.
Enable the Use HTTPS setting. By default, the HTTPS Port will be set to Port 443. If needed, change the HTTPS Port value.
To import an HTTPS Certificate using the VMAX® recorder, click the Import button.
**NOTE: The HTTPS Port value cannot use the same port number as another device on the LAN.
Once the certificate file has been detected, select the Type of certificate file that will be imported, then click the Import button. A confirmation message will display.
Click the OK button to close the message.
**NOTE: If the NVR does not detect the USB stick, make sure that the USB is using FAT32 format. Additionally, make sure that the file is not in a folder and is placed in the root directory of the USB stick.
After importing the HTTPS Certificate, click on the Select Certificate box and select the HTTPS Certificate.
After selecting the certificate, click the View button to view the certificate and the encryption.
The VMAX® IP Plus™ can now be connected to securely using an HTTPS connection. When connecting using a web browser, be sure to enter “https://” before entering the IP address or URL of the recording unit to use the secure HTTPS connection.
To import an HTTPS Certificate using the VMAX® Web Viewer:
Log in as the Administrator of the VMAX® unit.
From the Setup menus, click on the Network tab, then select Certificate Importation.
Click in the Certificate Name box and enter the name of the certificate.
Next, click the Browse button and select the certificate file that needs to be imported.
Click on the Select Certificate box and select the HTTPS Certificate.
Click the View button to view the certificate and the encryption.
The VMAX® IP Plus™ can now be connected to securely using an HTTPS connection. When connecting using a web browser, be sure to enter “https://” before entering the IP address or URL of the recording unit to use the secure HTTPS connection.