How to purchase and install an SSL certificate for SecuritySpy

SecuritySpy has built-in support for HTTPS (HTTP Secure), which allows you to set up an encrypted web connection to your SecuritySpy server over the internet.

In order to set up any HTTPS server, an SSL certificate is required (SSL being the protocol that provides the security features to HTTPS). With some web servers this can be a complicated process, but we have designed SecuritySpy’s HTTPS server to be as simple as possible to set up: you simply enable the HTTPS option in the Web Server Settings window and SecuritySpy will do the rest for you. SecuritySpy will automatically create and use a “self-signed” certificate for this purpose, which gets you up and running immediately and provides a fully encrypted connection. The downside of such a certificate, though, is that it won’t be automatically trusted by any client software that you use to connect to SecuritySpy (e.g. a web browser such as Safari), so you will get a warning message to this effect. In this case though, as you are the one setting up the server, you can be assured of its authenticity, so it is safe to ignore such warnings.

The other option is to purchase an official certificate for your SecuritySpy server from a recognised Certificate Authority (CA). Any web browser connecting to SecuritySpy will automatically trust such a certificate, so the person viewing the web interface will see the reassuring padlock icon and no warning messages. This may be preferable, for example, if your server is to be viewed by people outside your organisation. Below are instructions on how to do this.

Step 1: Open Terminal and navigate to the SecuritySpy folder

You will find the Terminal application in your /Applications/Utilities/ folder. Open it, and type (or copy and paste) each of the following lines, pressing the return key after each line:

cd Documents
cd SecuritySpy

Step 2: Create a private key

Copy and paste the following line into Terminal and press return:

openssl genrsa -out server.key 2048

This creates a 2048-bit private key file called server.key. This is a very important file that you must keep safe, so make a backup of this file, and do not share it with anyone (someone in possession of this key would be able to decrypt your data). Also, if you ever lose this file you would not be able to use the certificate you are about to purchase.

Step 3: Create a Certificate Signing Request (CSR)

Copy and paste the following line into Terminal and press return:

openssl req -new -key server.key -out server.csr

This creates a CSR file called server.csr, which is what you will need to provide to the certificate authority for them to create your certificate. You will be asked for several pieces of information, which you should enter accurately. The vital thing here is, when asked for the Common Name, you must enter the host name of your server that will be used to connect to it over the internet. For example, if you have used SecuritySpy’s Dynamic DNS feature to provide you with the hostname myserver.viewcam.me, this is what you should enter here. You may also be asked for a challenge password and optional company name – just leave these blank.

Note that if you are not using a viewcam.me hostname, you will need to make sure that you have access to an email account called “admin” at the hostname that you are using. So if you are using the domain myserver.example.com, you will need access to the email account admin@example.com in order for the certificate authority to confirm that you are allowed to use the hostname.

Here’s what the Terminal contents would look like with some typical answers to the questions:

Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bensoftware
Organizational Unit Name (eg, section) []:SecuritySpy
Common Name (e.g. server FQDN or YOUR name) []:demo.viewcam.me
Email Address []:support@bensoftware.com

It’s no problem if you make a mistake; simply run the above command again and go through the same procedure. If you are not sure what your country code is, consult this list of country codes.

Step 4: Send the CSR to the Certificate Authority

There are many certificate authorities you could use – here I am using Namecheap, who offer a wide range of certificates at low prices. All you will need is a basic Domain Validation certificate (currently USD $9 per year). Once you purchase the certificate you will have the option to provide your CSR. Some certificate authorities will require you to submit the server.csr file you created in the previous step; Namecheap require you to copy and paste the contents of this file into their order form, so open the server.csr file in TextEdit, copy the contents, and paste it into the form – it will look something like this:

At the next step you will be asked to choose an email address to which to send an approver email – select admin@viewcam.me. This email will come to us and we will approve it on your behalf. This step will look something like this:

Step 5: Installing the certificate

Once the order has been approved, the certificate authority will provide you with your new certificate, possibly along with a root certificate and one or more intermediate certificates. Copy ALL these certificate files to the SecuritySpy folder (within your Documents folder), and rename your server certificate server.crt. SecuritySpy will first look for this server.crt certificate file to identify your server, then it will use all other .crt files it finds in order to construct a certificate chain, which is required to properly verify the server to web browsers. Quit and reopen SecuritySpy, and you should now see verified HTTPS web server connections in your browser:
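
Before relaunching SecuritySpy it is worth confirming that the CSR and the certificate really belong to server.key and carry the intended Common Name. The script below is an added example, not part of SecuritySpy or the original instructions; it assumes PEM-format files and the openssl command-line tool, and the function names and throwaway sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks for server.key, server.csr and server.crt (PEM files).

# Print the SHA-256 of the public key held in a key, CSR or certificate.
# "-passin pass:" makes a password-protected key fail instead of prompting.
pub_hash() {  # usage: pub_hash key|csr|crt FILE
  pem=$(case "$1" in
    (key) openssl pkey -in "$2" -passin pass: -pubout ;;
    (csr) openssl req  -in "$2" -noout -pubkey ;;
    (crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when both files carry the same public key.
same_key() {  # usage: same_key TYPE_A FILE_A TYPE_B FILE_B
  a=$(pub_hash "$1" "$2") && b=$(pub_hash "$3" "$4") && [ "$a" = "$b" ]
}

# Print the Common Name from the subject of a CSR or certificate.
subject_cn() {  # usage: subject_cn csr|crt FILE
  case "$1" in (csr) cmd=req ;; (crt) cmd=x509 ;; (*) return 1 ;; esac
  openssl "$cmd" -in "$2" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Build constructed sample files: a throwaway key, a CSR, and a self-signed
# certificate standing in for the CA-issued server.crt.
make_sample() {  # usage: make_sample DIR HOSTNAME
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
  chmod 600 "$1/server.key" &&   # private key readable by its owner only
  openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr" &&
  openssl req -new -x509 -key "$1/server.key" -subj "/CN=$2" -days 1 \
    -out "$1/server.crt"
}

# Demo on the constructed files (hostname taken from the example answers above).
dir=$(mktemp -d) && make_sample "$dir" demo.viewcam.me
[ "$(subject_cn csr "$dir/server.csr")" = demo.viewcam.me ] && echo "CSR Common Name OK"
same_key key "$dir/server.key" csr "$dir/server.csr" && echo "CSR matches server.key"
same_key key "$dir/server.key" crt "$dir/server.crt" && echo "server.crt matches server.key"
rm -rf "$dir"
```

To check real files, call the same functions from inside the SecuritySpy folder, for example same_key key server.key crt server.crt; a failure means the certificate was issued for a different key or the key is password-protected.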

4 thoughts on “How to purchase and install an SSL certificate for SecuritySpy”

    1. Ben Software Post author

      Place the private key, main certificate, and any intermediate certificates into the SecuritySpy folder within your Documents folder, and then quit and relaunch SecuritySpy.

      When supplying a private key, it must be as follows:

      – The file name must be “server.key”
      – The format must be PEM or binary DER
      – The key must have no password requirement.

      When supplying the main certificate, it must be as follows:

      – The file name must be “server.crt”
      – The format must be PEM or binary DER.

      In addition, place any intermediate certificates you received in the ~/Documents/SecuritySpy/ folder (don’t rename these).

      Finally, make sure to connect to SecuritySpy using the address that matches the one specified in the certificate (e.g. your viewcam.me address).
