This article describes step by step how to create certificates and configure their distribution in large systems. Some of the steps require a domain controller and, optionally, a Windows Certification Authority. It is assumed that these components already exist in the system; setting them up is out of the scope of this document.
The camera signs the hash values with the private key of its HTTPS certificate and stores the video together with the certificate on the iSCSI storage. During the video authenticity check, BVMS Operator Client replays the footage, checks the hash values against the received video and verifies the camera's digital signature against the certificate installed in its Windows Certificate Store. Only certificates installed under Trusted Root Certification Authorities are used for this. The system can handle certificates that are self-signed or signed by a Certification Authority (CA).
With CA-signed certificates, creating a certificate for each camera takes more effort. In return it provides higher security, and only one CA certificate has to be distributed to each BVMS Operator Client, whereas with self-signed certificates every camera certificate would have to be trusted on every client. Nevertheless, executed manually for every single component of a large system, this method also consumes an unacceptable amount of time.
If the system's DC has a Certification Authority with its own CA certificate configured and the network is properly secured, CM can use this certificate for signing the newly created camera certificates.
3. To use the CA certificate from the domain Certification Authority, choose Local Machine Certificate Store in the drop-down menu:
Once the right certificate is chosen, press the Load button.
The loaded certificate is shown under Preferences / Security. This certificate will be used automatically for signing the newly created camera certificates.
CM can also create its own MicroCA and sign camera certificates with it. The MicroCA root certificate can be stored in the local Windows Certificate Store, on a smart card as a smart token, or as a file on a USB stick. The step-by-step description in this chapter concentrates on the encrypted USB stick and the local Windows Certificate Store.
3. Select Current User Certificate Store as Certificate store type, enter the remaining data in the dialog and press the Create button:
4. Select USB File as Certificate store type and a location on the encrypted USB stick as Certificate store location, enter the remaining data in the dialog and press the Create button:
Once a root certificate has been created, it appears in CM under Preferences / Security.
CM saves only the link to the certificate file, not the certificate itself. Once the USB stick is removed, no signing with the newly created certificate is possible. The stick holds the CA private key, so keep it and its password under the same control as any other CA key.
CM can hold multiple CA certificates for signing, but only one of them is used at a time. Even though only one certificate is used, it has to be replaced before its validity period expires, and the replacement has to be distributed to the Operator Client workstations in the same way as its predecessor.
The next certificate can be loaded or created with the Load or Create button as explained in chapters 1.1 and 1.2.
2. Select multiple cameras, right-click them and choose Certificates / Create Certificate:
3. Click New:
4. In the signing request generation mask enter the requested data, choose HTTPS server as usage and press the Create button. If no Common name is entered, the certificate's name will be the camera's IP address. Please also be aware of the restrictions described in chapter 3. Restrictions.
5. If a CA certificate from the USB stick is used, CM prompts for the password of the certificate file that was configured in chapter 1.2.2 MicroCA certificate on USB stick, step 4. Select the Remember check box so that CM can use the password for signing the certificates of all selected cameras; otherwise CM asks for the password for every camera separately. Press OK to continue.
6. CM requests certificate signing requests (CSRs) from the cameras, signs them with the CA certificate from its configuration and uploads the signed certificates back to the cameras. Because only the CSR is transferred, the camera's private key never leaves the camera. The operation status is shown in the progress bar for every camera separately. Please be aware that older cameras may take some minutes to generate a signing request.
Once the certification is done, the dialog can be closed with the Close button.
Please be aware of the restrictions described in chapter 3. Restrictions.
7. For the video authentication feature in BVMS, an authentication method has to be configured in the camera. The setting can be changed in CM under Camera / Video Input while multiple cameras are selected. The SHA-256 method is recommended. Once configured, press the Save button.
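As an added check of the procedure above (example code, not part of the original article or of CM), the following script, run on a BVMS Operator Client workstation, fetches the HTTPS certificate that CM uploaded to each camera, confirms the HTTPS server usage chosen in step 4, and builds the certificate chain against the Windows certificate stores, which is the same trust base the Operator Client uses for video authentication. The camera addresses and the expected CA thumbprint are constructed placeholders; take the real thumbprint from the CA certificate shown under Preferences / Security.

```powershell
# Added example, not from the original article: verify camera certificates from a workstation.
$Cameras              = @('192.0.2.10', '192.0.2.11')                  # constructed addresses
$ExpectedCaThumbprint = '0000000000000000000000000000000000000000'     # placeholder, CA thumbprint from CM

function Get-CameraCertificate {
    param([string]$CameraHost, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($CameraHost, $Port)
    try {
        # Accept any certificate during the handshake; validation is done explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($CameraHost)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CameraCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$CaThumbprint
    )
    # 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth, i.e. the "HTTPS server" usage from step 4.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $false
    if ($eku) {
        $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # Build the chain with the Windows stores of this workstation; revocation checking is
    # skipped so that an unreachable CRL does not mask whether the chain ends at the expected CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk   = $chain.Build($Certificate)
    $rootThumb = ($chain.ChainElements | Select-Object -Last 1).Certificate.Thumbprint

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        NotAfter   = $Certificate.NotAfter
        ServerAuth = $serverAuth
        ChainOk    = $chainOk
        RootMatch  = ($rootThumb -eq $CaThumbprint.ToUpperInvariant())
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$results = foreach ($cam in $Cameras) {
    try {
        Test-CameraCertificate -Certificate (Get-CameraCertificate -CameraHost $cam) -CaThumbprint $ExpectedCaThumbprint |
            Add-Member -NotePropertyName Camera -NotePropertyValue $cam -PassThru
    } catch {
        Write-Warning "$cam : $($_.Exception.Message)"
    }
}
$results | Format-Table Camera, Subject, ServerAuth, ChainOk, RootMatch, NotAfter, Status -AutoSize
```

A camera whose certificate was created without a usage (see chapter 3. Restrictions) shows ServerAuth false but still ChainOk true; a camera still carrying its old self-signed certificate shows ChainOk false with Status UntrustedRoot and RootMatch false. Run the script again after the CA certificate has been distributed by group policy: until then ChainOk is false on every workstation that does not yet trust the CA.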
2. In Active Directory Users and Computers, navigate to Computers on the left side. Right-click on the right side and select New / Group:
3. Enter the group name, select group scope Global and group type Security, and click OK.
4. Right-click the newly created computer group and select Properties:
5. Press the Add button to add the BVMS Operator Client workstations to the group:
7. Enter the workstations' host names and press OK:
The workstations are now added as member computers of the group. Press OK:
8. Reboot the added workstations so that the AD changes take effect immediately; the computer account's group membership is evaluated when the computer logs on to the domain.
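The same group can be created and filled from PowerShell with the ActiveDirectory module, which is the practical route when the workstation list is long. This is an added example, not part of the original article; the group name and host names are assumptions.

```powershell
# Added example, not from the original article: create the workstation computer group (steps 2-8).
Import-Module ActiveDirectory

$GroupName    = 'BVMS-OperatorClient-Workstations'     # assumed group name
$Workstations = @('OPCL-01', 'OPCL-02', 'OPCL-03')     # assumed host names
$Container    = 'CN=Computers,' + (Get-ADDomain).DistinguishedName

# Step 3: global security group in the Computers container.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $Container `
        -Description 'BVMS Operator Client workstations (trusted root CA distribution)'
}

# Steps 5-7: add computer objects, not user objects. Unknown host names are reported, not silently skipped.
$members = foreach ($h in $Workstations) {
    $computer = Get-ADComputer -Filter "Name -eq '$h'"
    if ($null -eq $computer) {
        Write-Warning "Computer account '$h' not found in AD, skipped"
    } else {
        $computer
    }
}
if ($members) {
    Add-ADGroupMember -Identity $GroupName -Members $members
}

# Check the result: every entry must have objectClass 'computer'.
Get-ADGroupMember -Identity $GroupName | Select-Object Name, objectClass

# Step 8: group membership is part of the computer's Kerberos ticket. Instead of a reboot,
# running 'klist -li 0x3e7 purge' as administrator on a workstation discards the SYSTEM
# account's tickets so that the next policy refresh sees the new membership.
```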
2. Right-click the domain and select Create a GPO in this domain, and Link it here:
3. Enter the group policy's name and click OK:
4. Click the newly created group policy, select Authenticated Users under Security Filtering on the right side and press the Remove button. This ensures that the certificates are applied only to the workstations and not to all members of the domain.
5. Click the Add button and select the workstation computer group created in chapter 2.1:
6. Go to the Delegation tab and press the Add button:
7. Enter Authenticated Users and press OK. In the next dialog the permission should be Read. Press OK. Read without Apply lets every domain member retrieve the policy, which clients need since the MS16-072 Group Policy security update, while only the workstation group applies it.
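Steps 2 to 7 as a GroupPolicy module script (an added example, not part of the original article). It creates and links the GPO, replaces the default Apply permission of Authenticated Users with Read, and grants Apply to the workstation group only. The GPO name is an assumption; the group name is the one assumed for chapter 2.1.

```powershell
# Added example, not from the original article: create and filter the workstation GPO (steps 2-7).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'BVMS Trusted Root CA'                  # assumed GPO name
$GroupName = 'BVMS-OperatorClient-Workstations'      # assumed, the group from chapter 2.1
$DomainDN  = (Get-ADDomain).DistinguishedName

# Steps 2-3: create the GPO once and link it at the domain root.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Distributes the BVMS camera signing CA certificate'
}
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# Steps 4, 6, 7: Authenticated Users lose "Apply Group Policy" and keep only Read.
# -Replace drops their existing permission level before setting the new one.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 5: only members of the workstation computer group apply the policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: Authenticated Users = GpoRead, the workstation group = GpoApply, nobody else with GpoApply.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, TrusteeType, Permission
```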
2. Export the certificate as a .crt file:
3. Go to Group Policy Management as described in the chapter "Configure a domain policy for workstations group", right-click the Workstations Group Policy Object created there and select Edit:
4. In the newly opened window, navigate on the left side to Policies / Windows Settings / Security Settings / Public Key Policies, right-click Trusted Root Certification Authorities on the right side and select Import:
5. In the Certificate Import Wizard, leave the default settings and click Next:
6. Select the certificate exported in step 2 and click Next:
7. Leave the default store for the import, Trusted Root Certification Authorities, and click Next:
8. Review the selected options and click Finish:
9. Once the certificate has been imported successfully, it appears in the Group Policy Management Editor under Policies / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities:
It takes some minutes until the group policy is applied to all computers in the domain; running gpupdate /force on a workstation applies it immediately. The distributed certificate can be found on every computer that belongs to the Workstations group in the MMC console under Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates:
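To confirm the distribution on all workstations at once rather than opening the MMC on each of them, the following added example (not part of the original article) reads the thumbprint of the exported .crt file, triggers a computer policy refresh on each workstation over PowerShell remoting, and reports whether the CA certificate is present in the machine's Trusted Root store and how many days it remains valid, which is the replacement deadline from chapter 1.3. The file path and host names are assumptions.

```powershell
# Added example, not from the original article: check CA distribution on the workstation group.
$CrtPath      = 'C:\BVMS\camera-ca.crt'              # assumed: the file exported in step 2
$Workstations = @('OPCL-01', 'OPCL-02', 'OPCL-03')   # assumed: members of the workstation group

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CrtPath)
"Expecting CA '{0}', thumbprint {1}, valid until {2:d}" -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter

$report = Invoke-Command -ComputerName $Workstations -ArgumentList $ca.Thumbprint -ScriptBlock {
    param([string]$Thumbprint)
    # Apply pending computer policy now instead of waiting for the next refresh interval.
    gpupdate /target:computer /force | Out-Null
    # The GPO writes into LocalMachine\Root; a copy only under CurrentUser would mean
    # someone imported it by hand rather than via the policy.
    $installed = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        RootPresent = [bool]$installed
        DaysLeft    = if ($installed) { [int]($installed.NotAfter - (Get-Date)).TotalDays } else { $null }
    }
}

$report | Sort-Object Computer | Format-Table Computer, RootPresent, DaysLeft -AutoSize

# A workstation without the root either is not in the group yet (membership needs a reboot
# or ticket purge, chapter 2.1 step 8) or does not receive the GPO (check security filtering).
foreach ($m in ($report | Where-Object { -not $_.RootPresent })) {
    Write-Warning "$($m.Computer): CA certificate missing; run 'gpresult /scope:computer /r' there and check its membership in the workstation group"
}
```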
If several HTTPS-server-capable devices and one incapable device are selected together, the usage selection is disabled for all of them. It is therefore recommended to create the certificates separately for these two groups of devices in order to avoid additional steps. Nevertheless, certificates created without a usage on older devices are still used by the camera for HTTPS connections and video authentication.
AD Active Directory
BVMS Bosch Video Management System
CA Certification Authority
CM Configuration Manager
CSR Certificate Signing Request
DC Domain Controller