DW Spectrum SSL Certificate Management
-----------------------------------
Affected Roles: Administrator, Owner
Related Digital Watchdog VMS Apps: DW Spectrum® IPVMS
Software Version: DW Spectrum v4.2 and newer
Complexity: Medium
Last Edit: August 29, 2023
-----------------------------------
Secure Socket Layer (SSL)
DW Spectrum Servers utilize a self-signed Secure Socket Layer (SSL) certificate by default. SSL certificates are small data files that digitally bind a cryptographic key to an organization’s details, such as the public key and the owner of a website or server. Typically, SSL is used to secure credit card transactions, data transfer, and logins. More recently, it has also become the norm for securing the browsing of social media sites.
Data packets are transmitted between the DW Spectrum Server and the requesting client with digitally signed acknowledgements to start an SSL encrypted session.
As a result, the data packets containing the requested information that are sent over the encrypted session can only be decoded by the designated receiving node(s). Combined with the HTTPS protocol, this acts as a “protective lock” on the data during the transfer to better mitigate malicious agents (cybercriminals) that may be attempting to intercept or eavesdrop on sensitive information.
This article will outline self-signed and purchased SSL certificates, checking certificate validity, preparing a custom certificate (purchased), and how to apply a custom certificate.
SSL Certificate Authorities
DW Spectrum uses a self-signed SSL certificate, located in the certificate file directory, titled as “default.pem”. It will be generated and renewed automatically when the Server restarts.
However, while still a means to keep connections secure and encrypted, self-signed certificates are not always easily recognized by web browsers in comparison to using an SSL certificate that was purchased from a common certificate authority.
If you wish to purchase a certificate rather than utilize a self-signed SSL certificate, the most recognized SSL certificate providers can be found here:
https://www.techradar.com/news/best-ssl-certificate-provider
DW Spectrum Client Application Warning
If an affiliated DW Spectrum Server is using version 4.2 or higher, the mobile application will attempt to verify that the target Server is using an SSL Certificate for security. However, a notification will display, alerting you to an SSL certificate verification issue, if the DW Spectrum Server is using the default Self-Signed SSL Certificate that is generated automatically.
While the certificate is valid, the notification appears because the Server is using a self-signed certificate as opposed to a public certificate that has been purchased from a recognized certificate provider. Select “Connect Anyway” to confirm that you trust the current Server. This message will not display the next time that you connect with the Server as long as its SSL Certificate remains valid.
The following prompt may display:
Checking SSL Certificate Validity & Information
To check the validity of a Server’s SSL Certificate and its expiration date, connect to the Server’s Web Admin and click the “Not Secure” indicator in the address bar.
The certificate’s status will display. Review the details as needed.
A self-signed SSL Certificate that was generated automatically by the DW Spectrum Server is considered a valid certificate despite not being issued by a public certificate provider. You can identify a self-signed certificate if the “Issued to” and “Issued by” details are “Digital Watchdog”.
Part 1: Preparing a Custom SSL Certificate
To improve DW Spectrum Server security, you can obtain a public/signed certificate from your preferred certificate provider and install it in the certificate directory as a file called “cert.pem”. A valid certificate should be issued by the Certificate Authority (CA) and contain the full certificate chain information. Otherwise, you will need to generate the Intermediate CA chain information yourself.
To prepare a custom certificate after receiving the certificate file from the CA:
- Open a text file using a text editor (Ex: Notepad) and save it as “cert.pem”.
- Open each certificate file that you have received from the CA in a text editor and extract the following content:
  - Root CA (Ex: ca_bundle.crt)
  - Server Certificate (Ex: certificate.crt)
  - Intermediate CA (if not provided by your certificate provider, visit https://whatsmychaincert.com and enter the content from the Server Certificate file to generate the content for the Intermediate CA)
  - Private Key (Ex: private.key)
- Add the content to the cert.pem file in the following format:
-----BEGIN PRIVATE KEY-----
... Private key content ...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... Server certificate content ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... Intermediate CA content ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... Root CA content ...
-----END CERTIFICATE-----
- Save changes to cert.pem.
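The following is an added example, not part of the original article or of DW Spectrum's own tooling: a Python check to run on the cert.pem from Part 1 before installing it. It verifies the block order shown above (private key first, then server, intermediate and root certificates), catches leftover placeholder text or stray lines, and uses the standard `ssl` module to confirm that the private key belongs to the server certificate. The function names and the constructed sample body are assumptions made for this example.

```python
import base64
import binascii
import re
import ssl

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def check_cert_pem_layout(text):
    """Return a list of problems; an empty list means the Part 1 layout holds."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    labels = [label for label, _ in blocks]
    if not labels[0].endswith("PRIVATE KEY"):
        problems.append("first block is %s, expected the private key" % labels[0])
    for label in labels[1:]:
        if label != "CERTIFICATE":
            problems.append("unexpected %s block after the private key" % label)
    n_certs = labels.count("CERTIFICATE")
    if n_certs < 3:  # Part 1 lists server, intermediate and root certificates
        problems.append("%d certificate block(s); Part 1 lists server, "
                        "intermediate and root" % n_certs)
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("%s block is not valid base64" % label)
    if PEM_BLOCK.sub("", text).strip():
        problems.append("stray text outside the PEM blocks")
    return problems


def key_matches_certificate(path):
    """True if OpenSSL loads the key and first certificate in path as a pair."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=path)  # key is read from the same file
    except ssl.SSLError:
        return False
    return True


def sample_bundle(labels, body="Y29uc3RydWN0ZWQ="):
    """Constructed stand-in for cert.pem; the body is not real key material."""
    return "".join("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (lab, body, lab)
                   for lab in labels)
```

Run `key_matches_certificate` on the real cert.pem before stopping the Media Server. Because cert.pem holds the private key, keep the file and any working copies readable only by the account that runs the Media Server.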
Part 2: Installing a Custom SSL Certificate
Once you have created the cert.pem file from the certificate files that were provided by your CA, perform the following to replace the self-signed certificate with the custom SSL Certificate.
- Stop the DW Spectrum Media Server.
  - Windows OS
    - Locate the Service Tray on the Windows Task Bar.
    - Right-click on the DW Media Server icon and select Stop server (started).
  - Ubuntu OS
    - Open the Terminal program on the Linux computer. You can do this by using the Search function in the system Unity menu.
      Alternatively, you can simultaneously press the Ctrl+Alt+T keys on the keyboard to launch the Terminal program.
      The Terminal window will display.
    - Log in as the root Administrator by using:
      sudo su
    - When prompted, enter the root admin password. Text will not display while typing the root admin password.
      Dw5pectrum
      **NOTE: For older DW Blackjack units purchased prior to June 18, 2021, the previously utilized default Linux OS login was “admin/admin”.
    - Next, stop the DW Media Server with:
      service digitalwatchdog-mediaserver stop
- Locate the directory for the DW Spectrum Server SSL Certificate.
  The SSL Certificate file can be found in the following directories:
  - Systems Using Windows OS:
    C:\Windows\System32\config\systemprofile\AppData\Local\Digital Watchdog\Digital Watchdog Media Server\ssl
  - Systems Using Ubuntu OS:
    /opt/digitalwatchdog/mediaserver/var/ssl
- After stopping the DW Media Server, replace the old cert.pem file with the new file that was created in Part 1: Preparing a Custom SSL Certificate.
- When ready, start the DW Spectrum Media Server.
  - Windows OS
    - Locate the Service Tray on the Windows Task Bar.
    - Right-click on the DW Media Server icon and select Start Server (stopped).
  - Ubuntu OS
    - Start the DW Media Server in the Terminal program with the command:
      service digitalwatchdog-mediaserver start
This completes the application of the new cert.pem SSL certificate file.
Expired Self-Signed SSL Certificates
If a DW Spectrum Server’s SSL Certificate (self-signed or public) has expired, the following prompt will appear:
Enable (check) the “Trust this server” checkbox and select “Connect Anyway” to continue with connecting to the Server. This prompt will continue to appear each time you attempt to connect with the Server until the certificate has been renewed.
Alternatively, you can disable the SSL Certificate verification setting in the DW Spectrum Mobile application, but this is not recommended as it will lower the security level of your connection.
Renewing (Recreating) an Expired Self-Signed SSL Certificate
A new self-signed cert.pem file can be generated and will be valid for up to one year after it has been re-created by the system.
To renew (re-create) another self-signed SSL certificate for DW Spectrum:
- Stop the DW Spectrum Media Server.
  - Windows OS
    - Locate the Service Tray on the Windows Task Bar.
    - Right-click on the DW Media Server icon and select Stop server (started).
  - Ubuntu OS
    - Open the Terminal program on the Linux computer. You can do this by using the Search function in the system Unity menu.
      Alternatively, you can simultaneously press the Ctrl+Alt+T keys on the keyboard to launch the Terminal program.
      The Terminal window will display.
    - Log in as the root Administrator by using:
      sudo su
    - When prompted, enter the root admin password (will not display).
      Dw5pectrum
      **NOTE: For older DW Blackjack units purchased prior to June 18, 2021, the previously utilized default Linux OS login was “admin/admin”.
    - Next, stop the DW Media Server with:
      service digitalwatchdog-mediaserver stop
- Next, locate the old self-signed certificate file labeled “cert” (cert.pem file).
  - Systems Using Windows OS:
    C:\Windows\System32\config\systemprofile\AppData\Local\Digital Watchdog\Digital Watchdog Media Server\ssl
  - Systems Using Ubuntu OS:
    /opt/digitalwatchdog/mediaserver/var/ssl
  Once located, right-click on the file and select “Delete” to remove the old self-signed certificate file.
- After deleting the old self-signed certificate, start the DW Spectrum Media Server. A new cert.pem file will be generated and will display in the same SSL folder where the old file was previously located.
  This renewed certificate will be valid for up to one (1) year following this re-creation.
  - Windows OS
    - Locate the Service Tray on the Windows Task Bar.
    - Right-click on the DW Media Server icon and select Start Server (stopped).
  - Ubuntu OS
    - Start the DW Media Server using the Terminal program with the command:
      service digitalwatchdog-mediaserver start