
Certificate Management | Installing and maintaining certificates in IP Cameras 1 | 14

Certificate Management
Installing and maintaining certificates in IP Cameras

Data subject to change without notice | April 23 Security Systems / Video Systems

Table of contents

Introduction 3

Manual Certificate Management using MicroCA 3

Initializing the MicroCA 3

Signing device certificates 3

Integrated Certificate Management and Automation 4

Certificate Management using RCP+ and HTTP(S) 4

Certificate Management using SCEP 10

Glossary 13

References 13


Introduction
Cybersecurity is an important topic for IP cameras, as they are increasingly used as IoT (Internet of Things) devices
connected to cloud services or reachable via the Internet, which requires additional security measures.

One of the measures is using certificates to protect access and communication as well as manage authentication and
authorization.

This document describes the options for certificate management and for integrating Bosch Video Surveillance Cameras
into a Public Key Infrastructure (PKI).

Manual Certificate Management using MicroCA


The Configuration Manager is a free tool for configuration of a wide variety of Bosch IP video devices.

The MicroCA functionality in the Configuration Manager program is an easy-to-use tiny certificate authority (CA) that
facilitates the management of small to medium systems.

For the full description of the MicroCA, please refer to chapter 5.18 of the Configuration Manager 7.0 manual.

Initializing the MicroCA


The MicroCA functionality in the Configuration Manager program is an easy-to-use tiny certificate authority (CA).

It allows you to create a root CA certificate, stored either on a smart token, a USB stick, or in the file system.
Choose your preferred method based on the security level to be achieved.
After the CA certificate is created, it can immediately be used for signing other certificates.

When using a file-based CA certificate, make sure to store it on a USB flash stick kept in a safe place.
We also recommend that you create a backup copy to reduce the risk of losing your CA certificate.
Preferably, use a USB token or smart card. Check the release notes for a list of supported crypto hardware.

Signing device certificates


One of the main purposes of the MicroCA functionality is to deploy certificates to devices.
To achieve this, you replace a self-signed certificate with a MicroCA-signed certificate.

For signing, you need your MicroCA crypto token or USB drive, and you need to enter the MicroCA PIN to authorize its
use.

In order to secure device access by using certificates, you need to change the device's authentication mode.
To sign device certificates, follow the detailed steps in the Configuration Manager manual.


Integrated Certificate Management and Automation


Bosch IP cameras provide various ways to have their certificates installed and maintained. One way is to use the
proprietary protocol RCP+ (Remote Control Protocol plus) in combination with HTTP/S to upload and download certificates.
Another way is to use a standard protocol also used in PKI environments, like SCEP (Simple Certificate Enrollment
Protocol), which is for example used in Microsoft’s Active Directory service NDES (Network Device Enrollment Service).

Unlike manual certificate management with MicroCA in Configuration Manager, these methods allow deeper
integration into PKI environments with a certain degree of automation.

Certificate Management using RCP+ and HTTP(S)


The following describes the sequential steps to be executed on the command line of a PC or server, using the OpenSSL
command-line tool to create the necessary CA certificates, and the respective actions to load the certificates onto the camera.

In this example we use alias names for the files according to the following naming convention:

FILENAME              DESCRIPTION
yourcompanyca         Name of the certificate
yourcompanyca.key     Private key of the CA certificate
yourcompanyca.crt     CA certificate
yourcompanycakey.pem  Encrypted CA private key in PEM format
yourcompanyca.pem     PEM file holding the CA certificate and the encrypted CA private key


3.1.1 Prepare CA Certificates for testing purposes

In a PKI environment, a Certificate Authority with the respective certificates would already exist.
In our test setup, we need to create them manually.

The following steps are required and can be used for automation, e.g. by command line or shell scripting.

1. Generate key for YourCompany CA

OpenSSL> genrsa -out yourcompanyca.key 2048

This generates an RSA private key with a 2048-bit modulus (2 primes) and public exponent e = 65537 (0x010001), and
stores it in the key file.

2. Create YourCompany CA certificate

OpenSSL> req -x509 -new -nodes -key yourcompanyca.key -sha256 -days 1024 -out yourcompanyca.crt

You will be asked to enter information that will be incorporated into your certificate request.
What you need to enter is what is called a Distinguished Name, or a DN.
There are quite a few fields, but you can leave some blank.
For some fields there will be a default value; in such case, if you enter '.' the field will be left blank.
Country Name (2 letter code) [AU]:de
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Nbg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bosch
Organizational Unit Name (eg, section) []:XXX
Common Name (e.g. server FQDN or YOUR name) []:yourcompanyca
Email Address []:

3. Encrypt the YourCompany CA key

As an optional step, you may want to encrypt the private key of YourCompany CA.
In our example, the chosen password is “password”.

OpenSSL> pkcs8 -topk8 -inform PEM -in yourcompanyca.key -v2 AES-256-CBC -outform PEM -out yourcompanycakey.pem
Enter Encryption Password: password
Verifying - Enter Encryption Password: password


5. Concatenate Certificate and Keys

Now concatenate the contents of the files yourcompanycakey.pem and yourcompanyca.crt into another file named
yourcompanyca.pem.
This file is then uploaded to the camera. Here curl is used as an example:

curl.exe --digest -u service:camera_password -s -F "certUsageUnspecified=@.\yourcompanyca.pem" http://192.168.1.30/upload.htm

The camera responds with the HTML code of the upload page:

<table border="1" cellspacing="0" cellpadding="0" bordercolorlight="#FFFFFF"
bordercolordark="#1884FF"><tr><td><table border="0" cellspacing="0"
cellpadding="0" style="padding: 10px"><tr><td style="padding: 10px"><p
style="margin-left: 6">Software update:</p></td><td style="padding: 10px"><form
method="POST" action="upload.htm" enctype="multipart/form-data"><table border="0"
cellspacing="0" cellpadding="0"><tr><td style="padding-bottom: 10px">Password
(only for config):</td><td><input type="password" name="pwd"
size="30"</td></tr><tr><td>File:</td><td><input type="file" name="net.bin"
size="20" maxlength="8000000"></td></tr></table></td><td style="padding:
10px"><input type="submit" value="Upload" name="Set"
border="0"></td></form></tr></table></td></tr></table>

The curl call uses this form, fills it out in the background, and sends it to the camera.

On the camera’s certificates webpage, you can see the uploaded certificate.
Since our key is encrypted, a key icon is shown and the key column shows a dash sign, which means the camera has not
yet decrypted the certificate key.


6. Decrypt the optionally encrypted key

If you chose to work with an encrypted key, as done in step 3, now decrypt the certificate key by providing the password via
the RCP+ command CONF_CERTIFICATE_REQUEST (0x0bec).
Alternatively, in a manual approach, you can enter this password by clicking the key icon in the last column on the
webpage, though this is less suitable for automation.

http://192.168.1.30/rcp.xml?command=0x0BEC&type=P_OCTET&direction=WRITE&num=1&payload=0x0009000073676663610008000200000004000c000b70617373776f7264

Description of payload:
0009 => length of tag
0000 => tag 0: label
7367666361 => ASCII for the certificate name; in our case ‘sgfca’ (‘yourcompanyca’ in the naming convention above)
0008 => length of tag
0002 => tag 2: type
00000004 => decrypt private key
000c => length of tag
000b => tag 11
70617373776f7264 => ASCII for "password"

The green tick icon now shows that the camera has decrypted the key and that the certificate has a private key stored in the
camera.

7. Define certificate usage

Now you need to assign the certificate to its usage with the RCP+ command CONF_CERTIFICATE_USAGE (0x0bf2).
For assigning the ‘yourcompanyca’ certificate for HTTPS usage the command is:

http://192.168.1.30/rcp.xml?command=0x0BF2&type=P_OCTET&direction=WRITE&num=1&payload=0x0008000000000000000900017367666361

Description of payload:
0008 => length
0000 => tag 0
00000000 => HTTPS
0009 => length
0001 => tag 1
7367666361 => ASCII for the certificate name; in our case ‘sgfca’


3.1.2 CSR Generation and subsequent Certificate Installation


As an alternative to loading an external certificate onto the camera, we can use a more secure way of creating the camera’s
certificate.
The most secure way is to have the camera create its own key pair and keep it inside the hardware-protected key vault,
also called Secure Element.
A certificate signing request (CSR) is the method to have a new certificate that uses this key pair installed in the camera:
a CA signs the signing request and the resulting certificate is imported.

1. Generate a Certificate Signing Request

For generating a certificate signing request, use the RCP+ command CONF_CERTIFICATE_REQUEST (0x0bec).
This generates a private key in the camera and a CSR which can be passed to a CA for signing a new certificate.
Since the generation of the CSR takes some time, the progress can be queried via
CONF_CERTIFICATE_REQUEST_PROGRESS (0x0bf0).

http://192.168.1.30/rcp.xml?command=0x0BEC&type=P_OCTET&direction=WRITE&num=1&payload=0x000C0000746573747369676E00080001000000010008000200000000001400050074006500730074007300690067006E000E00060042006F007300630068000A0007006500740070000A0008006E0062006700080009006400650010000A00620061007900650072006E

Description of the payload:
000C => length
0000 => tag 0: label string
746573747369676E => name of the signing request, here ‘testsign’
0008 => length
0001 => tag 1: key type
00000001 => RSA 2048
0008 => length
0002 => tag 2: type
00000000 => create PKCS#10 CSR
0014 => length
0005 => tag 5: common name
0074006500730074007300690067006E => ‘testsign’ (the DN fields are encoded as UTF-16BE, two bytes per character)
000E => length
0006 => tag 6: organization name
0042006F007300630068 => ‘Bosch’
000A => length
0007 => tag 7: unit name
006500740070 => ‘etp’
000A => length
0008 => tag 8: locality name
006E00620067 => ‘nbg’
0008 => length
0009 => tag 9: country name
00640065 => ‘de’
0010 => length
000A => tag 10: state name
00620061007900650072006E => ‘bayern’


2. Check the progress of CSR generation

The RCP+ command CONF_CERTIFICATE_REQUEST_PROGRESS (0x0bf0) can be used to check the progress of a CSR
generation.

http://192.168.1.30/rcp.xml?message=0x0bf0&collectms=1000

Example reply:
0x000c00000000000000000064000c0001746573747369676e

Description of payload:
000c => length
0000 => tag 0
00000000 => create PKCS#10 CSR
00000064 => progress counter, 0x64 = 100%: request completed successfully
000c => length
0001 => tag 1
746573747369676e => ‘testsign’

Once the CSR generation is completed, the CSR can be downloaded from the link shown below. Similarly, the label of the
certificate/signing request can be changed to download others.

http://192.168.1.30/cert_download/testsign.pem?type=csr

3. Get the CSR signed, and Certificate imported

The CSR can now be sent to the Registration Authority (RA). Once the RA provides the signed certificate, it can be
uploaded to the camera in the same way as described above. The CSR is deleted and replaced by the imported certificate when
the public key in the certificate matches the private key stored in the camera.

4. Define certificate usage

Don’t forget to assign a usage to this certificate, like in step 6 in the manual procedure above.


Certificate Management using SCEP

3.2.1 Introduction to SCEP (Simple Certificate Enrollment Protocol)

In Windows domains, but not exclusively, certificates can be managed using services and protocols to achieve some level
of automation for certificate management and distribution.

Active Directory Certificate Services (AD CS) include, among others, a role service called Network Device Enrollment
Service (NDES), which implements the Simple Certificate Enrollment Protocol (SCEP).

SCEP defines the communication between network devices and a Registration Authority (RA) for certificate enrollment and
is defined in detail in https://tools.ietf.org/html/draft-nourse-scep-18.

SCEP is intended to significantly simplify the requesting and issuing of certificates in internal, trustworthy networks by
allowing the device to fetch the certificate itself. To ensure that this is not misused, an authorized person must first create a
"one-time password" (challenge password), which is then made available to the device.
The end device can then request a certificate from the SCEP service using this temporary password, which on Windows
typically expires after 60 minutes.
Each SCEP request is identified by a transaction identifier that is generated by the client and uniquely identifies the
request.

With the SCEP protocol, the client sends an HTTP request to the Certification Authority (CA), asking for its certificate and,
if available, the Registration Authority's certificate. This certificate is used for all subsequent communication with the CA.
The SCEP message is signed and packaged in a PKCS#7 message including the certificate.

To allow manual approval, the CA can defer its answer and leave the request pending.


3.2.2 Triggering a Bosch camera to initiate a SCEP request

A SCEP request is triggered by using the same RCP+ command CONF_CERTIFICATE_REQUEST (0x0bec) we already
know from the former examples.

Beyond some mandatory tags, we need to fill the SCEP-specific ones:
- one to define the SCEP operation,
- one to specify the path to the service on a Windows server,
- and one with the one-time password.

Let’s assume our service is provided on the host 192.168.1.131 via port 2016. This needs to be encoded into the command as
the CA server tag, its port tag, and the respective service path, in our case ‘scep’.

Let’s also assume a fictitious value ‘secret’ as the one-time password to be coded into the command.

http://192.168.1.30/rcp.xml?command=0x0BEC&type=P_OCTET&direction=WRITE&num=1&payload=0x000C0000546573745343455000080001000000010008000200000005001100033139322E3136382E312E31333100080004000007E00008000d73636570000a000e736563726574

This command makes the camera request a certificate from the SCEP service at ‘192.168.1.131:2016/scep’, using the challenge
password ‘secret’ and the name ‘TestSCEP’ for the certificate, as defined by the label string.

Description of payload:
000C => length for tag 0
0000 => tag 0: Label
5465737453434550 => string ‘TestSCEP’
0008 => length for tag 1
0001 => tag 1: Key Type (optional)
00000001 => RSA 2048 Bit
0008 => length for tag 2
0002 => tag 2: Type
00000005 => SCEP certificate enrollment
0011 => length for tag 3
0003 => tag 3: CA Server FQHN
3139322E3136382E312E313331 => IP string "192.168.1.131"
0008 => length for tag 4
0004 => tag 4: CA Server Port
000007E0 => port 2016
0008 => length for tag 13
000d => tag 13: Service Path
73636570 => string "scep"
000a => length for tag 14
000e => tag 14: Challenge Password
736563726574 => password string ‘secret’
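As an added example (not Bosch code and not an official RCP+ tag list), the following Python encodes and decodes the length/tag/value payload format used by CONF_CERTIFICATE_REQUEST (0x0bec), CONF_CERTIFICATE_USAGE (0x0bf2) and the CONF_CERTIFICATE_REQUEST_PROGRESS (0x0bf0) reply shown in the sections above; it reproduces this document's CSR, decrypt, usage and SCEP payloads and parses the progress reply. The tag names and value encodings (ASCII strings, 32-bit big-endian integers, UTF-16BE for the DN fields) are read from the payload descriptions on this page, and the lookup tables are assumptions made for this example.

```python
import struct

# Tag semantics as read from this document's payload walk-throughs (assumptions).
ASCII_TAGS = {0: "label", 3: "ca_server", 11: "password", 13: "service_path",
              14: "challenge_password"}
INT_TAGS = {1: "key_type", 2: "type", 4: "ca_port"}
UTF16_TAGS = {5: "common_name", 6: "org", 7: "unit", 8: "locality",
              9: "country", 10: "state"}


def encode_tlv(tag, value):
    """One element: 2-byte total length (header included), 2-byte tag, value."""
    if isinstance(value, int):
        raw = struct.pack(">I", value)          # 32-bit big-endian integer
    elif tag in UTF16_TAGS:
        raw = value.encode("utf-16-be")         # DN fields use two bytes per char
    else:
        raw = value.encode("ascii")             # label, host, path, passwords
    return struct.pack(">HH", 4 + len(raw), tag) + raw


def build_payload(fields):
    """fields: [(tag, value), ...] in wire order -> '0x...' for the payload= URL parameter."""
    return "0x" + b"".join(encode_tlv(t, v) for t, v in fields).hex().upper()


def decode_tlvs(hexstr):
    """Split a payload into [(tag, raw_bytes), ...]; rejects truncated or oversized elements."""
    data = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    items, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated TLV header at offset %d" % pos)
        length, tag = struct.unpack_from(">HH", data, pos)
        if length < 4 or pos + length > len(data):
            raise ValueError("bad TLV length %d at offset %d" % (length, pos))
        items.append((tag, data[pos + 4:pos + length]))
        pos += length
    return items


def parse_request(hexstr):
    """Interpret a CONF_CERTIFICATE_REQUEST write payload (tags 0-14 as described above)."""
    # Tag meanings are command-specific: CONF_CERTIFICATE_USAGE and the progress reply use tag 0 for an integer.
    out = {}
    for tag, raw in decode_tlvs(hexstr):
        if tag in INT_TAGS:
            out[INT_TAGS[tag]] = struct.unpack(">I", raw)[0]
        elif tag in UTF16_TAGS:
            out[UTF16_TAGS[tag]] = raw.decode("utf-16-be")
        else:
            out[ASCII_TAGS.get(tag, "tag%d" % tag)] = raw.decode("ascii")
    return out


def parse_progress_reply(hexstr):
    """CONF_CERTIFICATE_REQUEST_PROGRESS reply: tag 0 = (type, percent), tag 1 = label."""
    items = dict(decode_tlvs(hexstr))
    req_type, percent = struct.unpack(">II", items[0])
    return {"type": req_type, "percent": percent, "label": items[1].decode("ascii")}
```

Because every element carries its own total length, a single wrong nibble shifts all following elements; decode_tlvs therefore rejects a payload whose lengths do not add up instead of guessing.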


The process and progress can be checked on the camera’s web page.
Once the command is issued, the triggered signing request becomes visible in the certificates list.

When the SCEP server has responded and provided a signed certificate, the final certificate appears.

This certificate can then be assigned with a usage in the same way as described in previous chapters.

With these two commands integrated in command line or shell scripting and triggered by PKI management activities or
regular maintenance schedules, semi- or fully automated certificate management can be achieved, reducing
administration effort to a minimum.

The steps may be repeated in adapted form to install more and other certificates on the camera.


Glossary

TERM / ABBREVIATION   EXPLANATION

CSR        Certificate signing request. In public key infrastructure (PKI) systems, a certificate signing request (also CSR or
           certification request) is a message sent from an applicant to a certificate authority to apply for a digital identity
           certificate. https://en.wikipedia.org/wiki/Certificate_signing_request

Firmware   Software that is persistently installed and provides all functionality of an embedded device.

PKCS       Public Key Cryptography Standards, a group of de facto standards devised and published by RSA Security Inc.
           https://en.wikipedia.org/wiki/PKCS

RCP        Remote Control Protocol, a proprietary protocol used to configure and control Bosch IP video devices.

References

1. SCEP specification
https://datatracker.ietf.org/doc/rfc8894/

2. Microsoft TechNet, Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES)
https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx?WT.mc_id=M365-MVP-6771

3. Microsoft Tech Community, NDES Security Best Practices
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ndes-security-best-practices/ba-p/2832619

RCP command reference documents are included with every firmware package, linked to camera product catalog pages.


Bosch Sicherheitssysteme GmbH
Robert-Bosch-Ring 5
85630 Grasbrunn
Germany
www.boschsecurity.com
© Bosch Sicherheitssysteme GmbH, 2023
