Certificate Management
Installing and maintaining certificates in IP Cameras
Data subject to change without notice | April 23 Security Systems / Video Systems
Certificate Management | Installing and maintaining certificates in IP Cameras 2 | 14
Table of contents
Introduction
Glossary
References
Introduction
Cybersecurity is an important topic for IP cameras as they are increasingly used as IoT (Internet of Things) devices,
connected to cloud services or reachable via the Internet, requiring additional security measures.
One of the measures is using certificates to protect access and communication as well as manage authentication and
authorization.
This document describes options for certificate management and for integrating Bosch video surveillance cameras into a
public key infrastructure (PKI).
The MicroCA functionality in the Configuration Manager program is an easy-to-use tiny certificate authority (CA) that
facilitates the management of small to medium systems.
For the full-featured description of the MicroCA, please refer to chapter 5.18 in the manual of Configuration Manager 7.0.
It allows you to create a root CA certificate, stored either on a smart token, a USB stick, or in the file system.
Choose your preferred method based on the security level to be achieved.
After the CA certificate is created, it can be immediately used for signing other certificates.
When using a file-based CA certificate, make sure to store it on a USB flash stick kept in a safe place.
We also recommend that you create a backup copy to reduce the risk of losing your CA certificate.
Preferably, use a USB token or smart card. Check the release notes for a list of supported crypto hardware.
For signing, you will need your MicroCA crypto token or USB drive, and you need to enter the MicroCA PIN to authorize its use.
In order to secure device access by using certificates, you need to change the device's authentication mode.
To sign device certificates, follow the detailed steps in the Configuration Manager manual.
Unlike manual certificate management with the MicroCA in Configuration Manager, the methods described below allow deeper
integration into PKI environments with a certain degree of automation.
In this example we use alias names for the files according to the following naming convention:

FILENAME               DESCRIPTION
yourcompanyca.crt      CA certificate
yourcompanyca.key      CA private key (unencrypted, as generated)
yourcompanycakey.pem   CA private key, encrypted (PKCS#8)
yourcompanyca.pem      Encrypted CA key and CA certificate concatenated; uploaded to the camera
The first step generates an RSA private key with a 2048-bit modulus (two primes) and public exponent e = 65537 (0x010001),
and stores it in the key file yourcompanyca.key.
Next, create the self-signed CA certificate from that key:
OpenSSL> req -x509 -new -nodes -key yourcompanyca.key -sha256 -days 1024 -out yourcompanyca.crt
You will be asked to enter information that will be incorporated into your certificate request.
What you need to enter is what is called a Distinguished Name, or a DN.
There are quite a few fields, but you can leave some blank.
For some fields there will be a default value; in such case, if you enter '.' the field will be left blank.
Country Name (2 letter code) [AU]:de
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Nbg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bosch
Organizational Unit Name (eg, section) []:XXX
Common Name (e.g. server FQDN or YOUR name) []:yourcompanyca
Email Address []:
As an optional step, you may want to encrypt the key of the YourCompany CA.
In our example, the chosen password is "password".
OpenSSL> pkcs8 -topk8 -inform PEM -in yourcompanyca.key -v2 AES-256-CBC -outform PEM -out yourcompanycakey.pem
Enter Encryption Password: password
Verifying - Enter Encryption Password: password
Now concatenate the contents of the files yourcompanycakey.pem and yourcompanyca.crt into another file named
yourcompanyca.pem.
This file is then uploaded to the camera. Here curl is used as an example.
The camera's response is the HTML code of its certificate upload page.
The curl call uses the upload form from that page, fills it out in the background, and sends it to the camera.
In the camera's certificates webpage, you can see the uploaded certificate.
Since our key is encrypted, a key icon is shown and the key column shows a dash, which means the camera has not yet
decrypted the certificate key.
If you chose to work with an encrypted key, as done in step 3, now decrypt the certificate key by providing the password via
the RCP+ command CONF_CERTIFICATE_REQUEST (0x0bec).
Alternatively, in a manual approach, you can enter this password by clicking the key icon in the last column of the
webpage, though this is less suitable for automation.
http://192.168.1.30/rcp.xml?command=0x0BEC&type=P_OCTET&direction=WRITE&num=1&payload=0x0009000073676663610008000200000004000c000b70617373776f7264
Description of payload (each field is a 2-byte length, which counts the length and tag bytes themselves, a 2-byte tag, and the value):
0009 => length of tag 0
0000 => tag 0: label
7367666361 => ASCII for 'yourcompanyca', in our case 'sgfca'
0008 => length of tag 2
0002 => tag 2: type
00000004 => decrypt private key
000c => length of tag 11
000b => tag 11
70617373776f7264 => ASCII for "password"
The green tick icon now shows that the camera has decrypted the key and that the certificate has a private key stored in
the camera.
Now you need to assign the certificate to its usage with the RCP+ command CONF_CERTIFICATE_USAGE (0x0bf2).
To assign the 'yourcompanyca' certificate for HTTPS usage, the command is:
http://192.168.1.30/rcp.xml?command=0x0BF2&type=P_OCTET&direction=WRITE&num=1&payload=0x0008000000000000000900017367666361
Description of payload:
0008 => length of tag 0
0000 => tag 0: usage
00000000 => HTTPS
0009 => length of tag 1
0001 => tag 1: label
7367666361 => ASCII for 'yourcompanyca', in our case 'sgfca'
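To show how the two payloads above are assembled, here is an added Python example; it is not part of the Bosch document. It encodes each field as a 2-byte length (counting the length and tag bytes themselves, as the dumps above show), a 2-byte tag and the value, and reproduces the decrypt-key and HTTPS-usage payloads byte for byte. The command numbers, tag numbers and values are taken from the page; the function names, the tlv/u32 helpers and the description of tag 11 as the password field are my own. The same encoder builds the other WRITE payloads in this document from their tag tables.

```python
# Added example, not from the Bosch document: builds the RCP+ WRITE payloads shown above.
# Framing observed in the page's hex dumps:
#   length (2 bytes, big-endian, counts itself + tag + value) | tag (2 bytes) | value
import struct

CAMERA = "192.168.1.30"  # camera address used throughout the document


def tlv(tag: int, value: bytes) -> bytes:
    """One RCP+ field: length (including the 4 header bytes), tag, value."""
    length = 2 + 2 + len(value)
    return struct.pack(">HH", length, tag) + value


def u32(n: int) -> bytes:
    """4-byte big-endian integer, as used for the type and usage tags."""
    return struct.pack(">I", n)


def build_payload(fields) -> str:
    """Concatenate (tag, value) fields into the '0x...' hex string for the payload= parameter."""
    return "0x" + b"".join(tlv(t, v) for t, v in fields).hex()


def rcp_write_url(command: int, payload_hex: str, host: str = CAMERA) -> str:
    """Full rcp.xml URL for a single P_OCTET WRITE, in the form used on the page."""
    return (f"http://{host}/rcp.xml?command=0x{command:04X}&type=P_OCTET"
            f"&direction=WRITE&num=1&payload={payload_hex}")


def decrypt_key_payload(label: str, password: str) -> str:
    """CONF_CERTIFICATE_REQUEST (0x0bec), type 4: decrypt the private key stored under 'label'."""
    return build_payload([
        (0, label.encode("ascii")),      # tag 0: label
        (2, u32(4)),                     # tag 2: type, 4 = decrypt private key
        (11, password.encode("ascii")),  # tag 11 (0x000b): password (assumed name for this tag)
    ])


USAGE_HTTPS = 0  # usage value 0 = HTTPS, per the page


def assign_usage_payload(label: str, usage: int = USAGE_HTTPS) -> str:
    """CONF_CERTIFICATE_USAGE (0x0bf2): bind the certificate 'label' to a usage."""
    return build_payload([
        (0, u32(usage)),             # tag 0: usage
        (1, label.encode("ascii")),  # tag 1: label
    ])


if __name__ == "__main__":
    # Reproduces the two URLs quoted in the document for the label 'sgfca'.
    print(rcp_write_url(0x0BEC, decrypt_key_payload("sgfca", "password")))
    print(rcp_write_url(0x0BF2, assign_usage_payload("sgfca")))
```

Note that the password travels in the URL query string; issue such commands only over HTTPS to the camera and keep them out of shell history and proxy logs, since rcp.xml accepts them as plain GET parameters.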
To generate a certificate signing request, use the RCP+ command CONF_CERTIFICATE_REQUEST (0x0bec).
This generates a private key in the camera and a CSR, which can be passed to a CA for signing a new certificate.
Since generating the CSR takes some time, the progress can be queried via
CONF_CERTIFICATE_REQUEST_PROGRESS (0x0bf0).
http://192.168.1.30/rcp.xml?command=0x0BEC&type=P_OCTET&direction=WRITE&num=1&payload=0x000C0000746573747369676E00080001000000010008000200000000001400050074006500730074007300690067006E000E00060042006F007300630068000A0007006500740070000A0008006E0062006700080009006400650010000A00620061007900650072006E
The RCP+ command CONF_CERTIFICATE_REQUEST_PROGRESS (0x0bf0) can be used to check the progress of a CSR generation.
http://192.168.1.30/rcp.xml?message=0x0bf0&collectms=1000
Example reply:
0x000c00000000000000000064000c0001746573747369676e
Description of payload:
000c => length of tag 0
0000 => tag 0
00000000 => create PKCS#10 CSR
00000064 => progress counter; 0x64 = 100%, request completed successfully
000c => length of tag 1
0001 => tag 1
746573747369676e => 'testsign'
Once CSR generation is completed, the CSR can be downloaded from the link shown below. Change the label in the URL to
download other certificates or signing requests.
http://192.168.1.30/cert_download/testsign.pem?type=csr
The CSR can now be sent to the Registration Authority (RA). Once the RA provides the signed certificate, it can be
uploaded to the camera in the same way. The CSR is deleted and replaced by the imported certificate when the public key of
the certificate matches the private key.
Don't forget to assign a usage to this certificate, as in step 6 of the manual procedure above.
In Windows domains, but not exclusively, certificates can be managed using services and protocols to achieve some level
of automation for certificate management and distribution.
Active Directory Certificate Services (AD CS) includes, among others, a role service called Network Device Enrollment
Service (NDES), which implements the Simple Certificate Enrollment Protocol (SCEP).
SCEP defines the communication between network devices and a Registration Authority (RA) for certificate enrollment and
is specified in detail in https://tools.ietf.org/html/draft-nourse-scep-18.
SCEP is intended to significantly simplify the requesting and issuing of certificates in internal, trusted networks by
allowing the device to fetch the certificate itself. To ensure that this is not misused, an authorized person must first create a
"one-time password", which is then made available to the device.
The end device can then request a certificate from the SCEP service using this temporary password, which on Windows
typically expires after 60 minutes.
Each SCEP request is identified by a transaction identifier that is generated by the client and uniquely identifies the
request.
With the SCEP protocol, the client first sends an HTTP request to the Certification Authority (CA), asking for its certificate
and, if available, the Registration Authority's certificate. This certificate is used for all subsequent communication with the CA.
The SCEP message is signed and packaged in a PKCS#7 message that includes the certificate.
A SCEP request is triggered by using the same RCP+ command CONF_CERTIFICATE_REQUEST (0x0bec) we already
know from the earlier examples.
Let's assume our SCEP service is provided on host 192.168.1.131 via port 2016; this needs to be encoded into the command
as the CA server tag, the port tag, and the respective service path, in our case 'scep'.
Let's also assume the fictitious value 'secret' as the one-time password to be coded into the command.
http://192.168.1.30/rcp.xml?command=0x0BEC&type=P_OCTET&direction=WRITE&num=1&payload=0x000C0000546573745343455000080001000000010008000200000005001100033139322E3136382E312E31333100080004000007E00008000d73636570000a000e736563726574
This command makes the camera enrol via SCEP at the URL '192.168.1.131:2016/scep', using the challenge password
'secret' and the certificate name 'TestSCEP' defined by the label string.
Description of payload:
000C => length for tag 0
0000 => tag 0: Label
5465737453434550 => string 'TestSCEP'
0008 => length for tag 1
0001 => tag 1: Key Type (optional)
00000001 => RSA 2048 bit
0008 => length for tag 2
0002 => tag 2: Type
00000005 => SCEP certificate enrollment
0011 => length for tag 3
0003 => tag 3: CA Server FQHN
3139322E3136382E312E313331 => IP string "192.168.1.131"
0008 => length for tag 4
0004 => tag 4: CA Server Port
000007E0 => port 2016
0008 => length for tag 13
000d => tag 13: Service Path
73636570 => string "scep"
000a => length for tag 14
000e => tag 14: Challenge Password
736563726574 => password string 'secret'
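The reverse direction, decoding what the camera returns and checking a hand-assembled payload before it is sent, is shown in this added Python example, which is not part of the Bosch document. It walks the length/tag/value fields, verifies that every length field matches the data, and applies that to three payloads quoted on this page: the CONF_CERTIFICATE_REQUEST_PROGRESS reply (type and progress counter in tag 0, label in tag 1), the CSR request, and the SCEP request above. The page does not name tags 5 to 10 of the CSR request; their values decode to the organisation, locality, country and state entered for the CA, so reading them as DN components is an inference of mine. The sample payloads are copied from the page; the function names are my own.

```python
# Added example, not from the Bosch document: decodes and validates RCP+ payloads.
# Framing, from the page's hex dumps: length (2 bytes, counts itself + tag + value) | tag (2) | value.
import struct

# Payloads quoted on the page (the SCEP one with the 13-byte IP string its 0x0011 length field requires).
PROGRESS_REPLY = "0x000c00000000000000000064000c0001746573747369676e"
CSR_REQUEST = ("0x000C0000746573747369676E"                       # tag 0: label 'testsign'
               "0008000100000001"                                 # tag 1: key type, 1 = RSA 2048
               "0008000200000000"                                 # tag 2: type, 0 = create PKCS#10 CSR
               "001400050074006500730074007300690067006E"         # tag 5: 'testsign' (UTF-16BE)
               "000E00060042006F007300630068"                     # tag 6: 'Bosch'
               "000A0007006500740070"                             # tag 7: 'etp'
               "000A0008006E00620067"                             # tag 8: 'nbg'
               "0008000900640065"                                 # tag 9: 'de'
               "0010000A00620061007900650072006E")                # tag 10: 'bayern'
SCEP_REQUEST = ("0x000C00005465737453434550"                      # tag 0: label 'TestSCEP'
                "0008000100000001"                                # tag 1: RSA 2048
                "0008000200000005"                                # tag 2: type 5 = SCEP enrollment
                "001100033139322E3136382E312E313331"              # tag 3: CA server '192.168.1.131'
                "00080004000007E0"                                # tag 4: port 2016
                "0008000d73636570"                                # tag 13: service path 'scep'
                "000a000e736563726574")                           # tag 14: challenge password


def decode(payload_hex: str):
    """Split a '0x...' hex payload into (tag, value) pairs; raise ValueError if framing is broken."""
    if payload_hex.lower().startswith("0x"):
        payload_hex = payload_hex[2:]
    raw = bytes.fromhex(payload_hex)  # odd digit counts and non-hex characters fail here
    fields, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 4:
            raise ValueError(f"truncated field header at offset {pos}")
        length, tag = struct.unpack_from(">HH", raw, pos)
        if length < 4 or pos + length > len(raw):
            raise ValueError(f"bad length {length} for tag {tag} at offset {pos}")
        fields.append((tag, raw[pos + 4:pos + length]))
        pos += length
    return fields


def is_well_formed(payload_hex: str) -> bool:
    """Cheap check to run on a scripted payload before sending it to the camera."""
    try:
        decode(payload_hex)
        return True
    except ValueError:
        return False


def parse_progress(reply_hex: str):
    """CONF_CERTIFICATE_REQUEST_PROGRESS reply -> (request type, progress percent, label)."""
    fields = dict(decode(reply_hex))
    req_type, progress = struct.unpack(">II", fields[0])  # tag 0 carries two 4-byte values
    return req_type, progress, fields[1].decode("ascii")   # tag 1 is the label


def csr_finished(reply_hex: str) -> bool:
    """True once the progress counter reaches 0x64 = 100 %."""
    return parse_progress(reply_hex)[1] == 100


def describe(payload_hex: str):
    """Readable view: small 4-byte values as integers, UTF-16BE or ASCII values as text."""
    out = []
    for tag, value in decode(payload_hex):
        if len(value) == 4 and value[:2] == b"\x00\x00":
            out.append((tag, struct.unpack(">I", value)[0]))
        elif value and value[::2] == bytes(len(value) // 2):   # every high byte zero -> UTF-16BE
            out.append((tag, value.decode("utf-16-be")))
        else:
            out.append((tag, value.decode("ascii")))
    return out


if __name__ == "__main__":
    print(parse_progress(PROGRESS_REPLY))   # (0, 100, 'testsign')
    for tag, value in describe(CSR_REQUEST) + describe(SCEP_REQUEST):
        print(f"tag {tag:2d}: {value!r}")
```

A polling script would call the 0x0bf0 URL repeatedly and stop when csr_finished() returns True; running is_well_formed() on every payload a script generates catches the classic copy-and-paste defect of a payload whose hex digit count or length fields no longer match.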
The process and its progress can be checked on the camera's web page.
Once the command is issued, the triggered signing request becomes visible in the certificates list.
When the SCEP server has responded and provided a signed certificate, the final certificate appears.
This certificate can then be assigned a usage in the same way as described in the previous chapters.
With these two commands integrated into command-line or shell scripts and triggered by PKI management activities or
regular maintenance schedules, (semi-)full automation of certificate management can be achieved, reducing
administration effort to a minimum.
The steps may be repeated in adapted form to install further certificates on the camera.
Glossary
CSR: Certificate signing request. In public key infrastructure (PKI) systems, a certificate signing request (also CSR or
certification request) is a message sent from an applicant to a certificate authority to apply for a digital identity certificate.
https://en.wikipedia.org/wiki/Certificate_signing_request
Firmware: Software that is persistently installed on an embedded device and provides all of its functionality.
PKCS: Public Key Cryptography Standards, a group of de facto standards devised and published by RSA Security Inc.
https://en.wikipedia.org/wiki/PKCS
RCP: Remote Control Protocol, a proprietary protocol used to configure and control Bosch IP video devices.
References
1. SCEP specification
https://datatracker.ietf.org/doc/rfc8894/
2. Microsoft TechNet, Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES)
https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx?WT.mc_id=M365-MVP-6771
RCP command reference documents are included with every firmware package, linked from the camera product catalog pages.