Encrypting Video Communication Flows

This section provides an overview of how to encrypt the communication flows between Desigo CC and the Milestone / Siveillance VMS.

NOTE: In addition to configuring encryption as described here, to fully secure the video installation it is recommended to use Active Directory for the VideoApiService account user. For more information see Create VideoApiService Account in Windows.


You can encrypt the video streams sent from the VMS to the client stations. You can also encrypt the bidirectional communication between VMS management server and VMS recording server(s), when these are on separate computers.

VMS components on one computer: in this case there is only one computer on the VMS side, which hosts both the VMS management server and the VMS recording server.

VMS components on separate computers: in this case the VMS architecture includes a VMS recording server on a separate computer from the VMS management server.


Prepare Certificates

The procedures below are written for VMS components on one computer; where the setup with VMS components on separate computers differs, the difference is noted after the procedure.

Create the root certificate for encryption

Using SMC, create a root certificate to use for encryption:

  1. In the SMC tree, select Certificate.
  2. Click Create Certificate and select Create root certificate (.pfx).
  3. Enter a descriptive name for the .cer and .pfx certificate file names, for example VMS root.
  4. Provide a path where the created certificates should be saved.
  5. Also enter a descriptive name for the Subject name, for example VMS Encryption Root.
  6. Provide and confirm the password for the root certificate.
    Note this down, as you will need it in order to create the host certificates.
  7. Click Save.
  • The files [VMS root].cer and [VMS root].pfx are saved to the specified path.

Create SSL host certificate for VMS computer

Create host certificate issued to the VMS computer:

  1. Now in SMC click Create Certificate again and select Create host certificate (.pfx).
  2. In the Root certificate field, browse for and select the [VMS root].pfx certificate created above.
  3. Enter its password into the Root certificate password field.
  4. Enter a descriptive name for the .cer and .pfx certificate file names, for example VMS Host.
  5. Provide a path where the certificates should be saved. This can be the same location where you saved the root.
  6. In the Subject name enter the full name of the VMS computer.
  7. Provide and confirm the password for this host certificate.
    Note this down, as you will need it in order to import the .PFX host certificate into the VMS computer.
  8. Click Save.
  • The files [VMS host].cer and [VMS host].pfx are saved to the specified path.

VMS components on separate computers: proceed as above, but in this case create two host certificates: one issued to the VMS management server, and another issued to the VMS recording server.

NOTE: Make sure the Subject name of each created host certificate matches the full computer name for which you are creating it.

Install root certificate on VMS computer

Install the .CER root certificate on the VMS computer, in Local Machine > Trusted root:

  1. Copy the [VMS root].cer file to the VMS computer.
  2. Right-click on the certificate file and select Install Certificate.
  3. In the Certificate Import Wizard, select to install the certificate in the store of the Local Machine and click Next.
  4. Select Place all certificates in the following store.
  5. Click Browse..., select Trusted Root Certification Authorities, and click OK.
  6. Click Finish.

VMS components on separate computers: proceed as above, but in this case install the root certificate on both the VMS management server and the VMS recording server computers.

Install SSL host certificate on VMS computer

On the VMS computer, install the .PFX host certificate, in Local Machine > Personal:

  1. Copy the [VMS host].pfx certificate to the VMS computer.
  2. Right-click on the certificate file and select Install Pfx.
  3. In the Certificate Import Wizard, select to install the certificate in the store of the Local Machine and click Next.
  4. Confirm the certificate file name and enter its password at the prompt.
  5. Select to place the certificate in the Personal store.
  6. Click Finish.

VMS components on separate computers: proceed as above, but in this case:

  • On the VMS management server computer, install the host certificate created for that computer.
  • On the VMS recording server computer, install the host certificate created for that computer.

Verify that certificates are installed

In the Microsoft Management Console (MMC), add the Certificates snap-in, setting it to manage certificates for the Computer account on the Local computer.

  • The VMS root certificate should be listed in the center view of the Trusted Root Certification Authorities subtree.
  • The host certificate issued to the VMS computer should be listed in the center view of the Personal subtree.
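The same check can be scripted. The following PowerShell is an added example, not Siemens or Milestone code; it assumes the root Subject name from the procedure above (VMS Encryption Root, override with -RootName if you chose another) and that the host certificate is issued to this computer's full name. Run it elevated on each VMS computer (on the separate-computer setup, on both the management server and the recording server).

```powershell
# Added example (not Siemens or Milestone code): confirm the certificates from the
# procedure above are in the expected Local Machine stores and chain to the VMS root.
# Assumptions: root subject name "VMS Encryption Root" (override with -RootName);
# host certificate issued to this computer's full name.
param(
    [string]$RootName = 'VMS Encryption Root'
)

# Full computer name; returns just the hostname if the machine has no DNS suffix.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Root certificate must sit in Local Machine > Trusted Root Certification Authorities.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $RootName } |
    Select-Object -First 1
if (-not $root) { throw "Root certificate '$RootName' is not in LocalMachine\Root" }

# 2. Host certificate must sit in Local Machine > Personal, issued to this computer.
$hostCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $fqdn }
if (-not $hostCerts) { throw "No host certificate for '$fqdn' in LocalMachine\My (check the Subject name)" }

foreach ($cert in $hostCerts) {
    $problems = @()
    # No private key means the .cer was imported instead of the .pfx; the VMS cannot use it.
    if (-not $cert.HasPrivateKey)       { $problems += 'no private key: import the .pfx, not the .cer' }
    if ($cert.NotAfter -lt (Get-Date))  { $problems += "expired on $($cert.NotAfter)" }
    if ($cert.Issuer -ne $root.Subject) { $problems += "issued by '$($cert.Issuer)', not by the VMS root" }

    # Build the chain that the VMS and the streaming clients will validate.
    # Revocation is skipped on the assumption that the SMC-created root publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Status     = if ($problems) { 'FAIL: ' + ($problems -join ' | ') } else { 'OK' }
    }
}
```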

Configure Stream Encryption


Grant read permission to recording server service user

On the VMS computer, the recording server service user must be granted read permission to the private key of the SSL certificate.

  1. Start Microsoft Management Console (MMC) and add the Certificates snap-in, setting it to manage certificates for the Computer account on the Local computer.
  2. In the tree select Personal > Certificates to display the certificates in the center pane.
  3. Right-click the previously installed host certificate [VMS host].pfx and select All Tasks > Manage Private Keys.
  4. Select the recording server user and select the Allow check box for Read.
  5. Click OK.

VMS components on separate computers: proceed as above, but in this case perform the steps on the separate VMS recording server computer, and select the host certificate that you installed on that machine.
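Manage Private Keys edits the ACL of the key file behind the certificate. The PowerShell below is an added example, not Siemens or Milestone code; it checks whether the recording server service account already has Read on that file and, with -Grant, adds the entry. The account name DOMAIN\svc-recording is a placeholder for the account the recording server service actually runs as, and the thumbprint is the one shown for [VMS host] in Cert:\LocalMachine\My; run it elevated on the computer that hosts the recording server.

```powershell
# Added example (not Siemens or Milestone code): verify, and optionally grant, Read on
# the host certificate's private key for the recording server service account.
# Assumptions: -ServiceUser is a placeholder to replace; -Thumbprint is the host
# certificate in LocalMachine\My; the script runs elevated.
param(
    [string]$ServiceUser = 'DOMAIN\svc-recording',   # placeholder: recording server service account
    [Parameter(Mandatory)][string]$Thumbprint,       # thumbprint of [VMS host] in LocalMachine\My
    [switch]$Grant                                   # add the Read entry if it is missing
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key: import the .pfx, not the .cer' }

# Locate the key file. CNG keys and legacy CSP keys live in different machine-key folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# An Allow entry for the service account that includes the full Read right set.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl -Path $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceUser -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}

if ($hasRead) {
    "OK: $ServiceUser has Read on the private key ($keyFile)"
} elseif ($Grant) {
    # Equivalent of ticking Allow > Read for the user in Manage Private Keys.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceUser, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on the private key to $ServiceUser"
} else {
    "MISSING: $ServiceUser has no Read on the private key; re-run with -Grant or use Manage Private Keys"
}
```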

Enable stream encryption

  1. On the VMS computer, start the Server Configurator tool.
  2. Select the Encryption page.
  3. Under Streaming media certificate, set Encryption to On.
  4. From the drop-down list, select the host certificate ([VMS host].pfx) of the VMS computer, prepared as instructed above.
  5. Select Apply.
  • Video streams are now encrypted, and will be visible only on computers where you install the root certificate that signed the selected host certificate.

VMS components on separate computers: proceed as above, but in this case perform the steps on the separate VMS recording server computer, and select the host certificate that you installed on that machine.

Install root certificate on all streaming clients

When video stream encryption is enabled, the root certificate must be installed on each of the Desigo CC client stations, and on all the Milestone/Siveillance clients that stream data from the VMS. Clients without the root certificate will not be able to show video streams.

  • For each computer, install the root certificate as follows:
    a. Copy the [VMS root].cer file to the computer.
    b. Right-click on the certificate file and select Install Certificate.
    c. In the Certificate Import Wizard, select to install the certificate in the store of the Local Machine and click Next.
    d. Select Place all certificates in the following store.
    e. Click Browse..., select Trusted Root Certification Authorities, and click OK.
    f. Click Finish.

Configure VMS Server Encryption


Enable two-way VMS management server encryption

VMS components on one computer: not applicable.

VMS components on separate computers: this step encrypts the two-way communication between the VMS management server and the VMS recording server.

  1. On the VMS management server computer, start the Server Configurator tool.
  2. Select the Encryption page.
  3. Under Server Certificate, set Encryption to On.
  4. From the drop-down list, select the .PFX host certificate issued to the VMS management server that you installed on that machine (see above).
  5. Click Apply.
  • Now that encryption is enabled on the VMS management server side, you must enable it on the VMS recording server as well.
  6. On the VMS recording server computer, open the Server Configurator and repeat steps 2 to 5 above, this time selecting the .PFX host certificate issued to the VMS recording server that you installed on that machine.
  • The two-way communication is now encrypted.

Event Server Encryption

Starting from Milestone/Siveillance VMS version v22.1a 2022 R1, the VMS Server Configurator tool also has a toggle to select an Event server and add-ins certificate. If you have a separate Event server computer, you can also secure this communication channel on the VMS side. Refer to the VMS documentation for details.