SecuritySpy has built-in support for HTTPS (HTTP Secure), which allows you to set up an encrypted web connection to your SecuritySpy server over the internet.
In order to set up any HTTPS server, an SSL certificate is required (SSL being the protocol that provides the security features to HTTPS). With some web servers this can be a complicated process, but we have designed SecuritySpy’s HTTPS server to be a simple as possible to set up: you simply enable the HTTPS option in the Web Server Settings window and SecuritySpy will do the rest for you. SecuritySpy will automatically create and use a “self-signed” certificate for this purpose, which gets you up and running immediately and provides a fully encrypted connection. The downside of such a certificate though is that it won’t be automatically trusted by any client software that you use to connect to SecuritySpy (e.g. a web browser such as Safari), so you will get a warning message to this effect. In this case though, as you are the one setting up the server, you can be assured of its authenticity, so it is safe to ignore such warnings.
The other option is to purchase an official certificate for your SecuritySpy server from a recognised Certificate Authority (CA). Any web browser connecting to SecuritySpy will automatically trust such a certificate, so the person viewing the web interface will see the reassuring padlock icon and no warning messages. This may be preferable, for example, if your server is to be viewed by people outside your organisation. Below are instructions on how to do this.
Note: these instructions are for SecuritySpy versions 4.1.5 and later, with the location of the SecuritySpy folder being within the Home folder (i.e. at ~/SecuritySpy/). If you are using an earlier version, note that your SecuritySpy folder will be at ~/Documents/SecuritySpy/.
Step 1: Open Terminal and navigate to the SecuritySpy folder
You will find the Terminal application in your /Application/Utilities/ folder. Open it, type (or copy and paste) this command, and press return:
cd ~/SecuritySpy
Step 2: Create a private key
Copy and paste the following line into Terminal and press return:
openssl genrsa -out server.key 2048
This creates a 2048-bit private key file called server.key. This a very important file that you must keep safe, so make a backup of this file, and do not share it with anyone (someone in possession of this key would be able to decrypt your data). Furthermore, if you ever lose this file you would not be able to use the certificate you are about to purchase.
Step 3: Create a Certificate Signing Request (CSR)
Copy and paste the following line into Terminal and press return:
openssl req -new -key server.key -out server.csr
This creates a CSR file called server.csr, which is what you will need to provide to the certificate authority for them to create your certificate. You will be asked for several pieces of information, which you should enter accurately. The vital thing here is, when asked for the Common Name, you must enter the host name of your server that will be used to connect to it over the internet. For example, if you are using SecuritySpy’s Dynamic DNS feature to provide you with the hostname myserver.viewcam.me, this is what you should enter here. You may also be asked for a challenge password and optional company name – just leave these blank.
Note that if you are not using a viewcam.me hostname, you will need to make sure that you have access to an email account called “admin” at the hostname that you are using. So if you are using the domain myserver.example.com, you will need access to the email account admin@example.com in order for the certificate authority to confirm that you are allowed to use the hostname.
Here’s what the Terminal contents would look like with some typical answers to the questions:
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bensoftware
Organizational Unit Name (eg, section) []:SecuritySpy
Common Name (e.g. server FQDN or YOUR name) []:demo.viewcam.me
Email Address []:support@bensoftware.com
It’s no problem if you make a mistake; simply run the above command again and go through the same procedure. If you are not sure what your country code is, consult this list of country codes.
Step 4: Send the CSR to the Certificate Authority
There are many certificate authorities you could use – here I am using Namecheap, who offer a wide range of certificates at low prices. All you will need is a basic Domain Validation certificate (currently USD $9 per year). Once you purchase the certificate you will have the option to provide your CSR. Some certificate authorities require you to submit the server.csr file you created in the previous step; Namecheap require you to copy and paste the contents of this file into their order form, so open the server.csr file in TextEdit, copy the contents, and paste it into the form – it will look something like this:
If the form requires you to select a web server type, choose Apache or Other – this will result in a PEM-format certificate, which is the correct format for SecuritySpy.
At the next step you will be asked to choose an email address to which to send an approver email – select admin@viewcam.me. This email will come to us and we will approve it on your behalf. This step will look something like this:
Step 5: Installing the certificate
Once the order has been approved, the certificate authority will provide you with your certificate, along with some other files such as intermediate certificates. Copy these files to your SecuritySpy folder, then do the following:
- For any files with the file extension cer, der or pem, change the extension to crt
- Locate the actual server certificate file and rename it server.crt
- Quit and reopen SecuritySpy.
SecuritySpy will first look for the main server.crt certificate file to identify your server. Then it will look for a ca-bundle file containing intermediate certificates, and finally if no ca-bundle file is found, it will use all other crt files it finds in order to construct the certificate chain.
Now, when connecting to SecuritySpy with a web browser, you should see verified HTTPS web server connections:
Do you support wildcard ssl certificates?
I mean the type that support hosts *.mycompany.com
Yes, SecuritySpy will have no problem using such certificates.
I’ve installed the ssl file as directed but the site still comes up with “unsecure” Can you please offer assistance?
Place the private key, main certificate, and any intermediate certificates into the SecuritySpy folder within your Home folder, and then quit and relaunch SecuritySpy.
When supplying a private key, it must be as follows:
– The file name must be “server.key”
– The format must be PEM or binary DER
– The key must have no password requirement.
When supplying the main certificate, it must be as follows:
– The file name must be “server.crt”
– The format must be PEM or binary DER.
In addition, place any intermediate certificates you received in the ~/SecuritySpy/ folder (don’t rename these except for making sure the file extensions are .crt rather than .cer or .der).
Finally, make sure to connect to SecuritySpy using the address that matches the one specified the certificate (e.g. your viewcam.me address).
Now that letsencrypt is live and works quiote well, is there any chance that the letencrypt protocol will be included in securityspy?
We have looked at this in the past, and it is not easy to integrate Let’s Encrypt with SecuritySpy. For now the best solution is to use SecuritySpy’s self-generated SSL certificate, or the above method to purchase an official one.
Let’s Encrypt uses only http challenge to determine your ownership for the domain. So, you can enable the HTTP server on Mac OS X and get a certificate for your viewcam.me domain without touching any SecuritySpy settings. After getting the certificate, you can copy the certificate and key to SecuritySpy folder, close and relaunch SecuritySpy and it works beautifully.
Please use the following instructions only if you are comfortable using Terminal:
1. Enable webserver using the default configuration with the following command:
sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist
2. Install certbot and request a certificate using the following command:
sudo certbot certonly –webroot -w /Library/WebServer/Documents -d yoursite.viewcam.me
Certbot will install the certificates to “/etc/letsencrypt/archive/yoursite.viewcam.me” folder. You can copy “cert.pem” from there to “~/SecuritySpy/server.crt” and “privkey.pem” to “~/SecuritySpy/server.key” to enable your certificate.
Don’t forget, you’ll need to copy the key and certificate again, whenever they get renewed.
Very nice, thanks for posting this information!
I am running duckdns with letsencrypt already in my network. Will this conflict with the SecuritySpy SSL? I have SecuritySpy setup with port 8001 but it seems to direct to the wrong ip when I go to https://mysite.viewcam.me
Looks like I need to use a reverse proxy like nginx to make this happen.. Now I need to stumble my way through figuring that out.
Hi Jezza, you won’t need nginx or reverse proxy. If you enable SecuritySpy’s HTTPS web server, and enable the “Allow access from the Internet” options, SecuritySpy will make itself available to the Internet over port 8001. You then connect to SecuritySpy using an address such as https://mysite.viewcam.me:8001 – or you can use the duckdns name you have already set up rather than viewcam.me, as they will both point to your public IP address. Just make sure to specify port 8001 in the URL.