Hikvision camera HTTPS

Jan 14, 2024
I have a set of small Hikvision cameras like DS-2CD2443G0-IW.
I wanted to transfer them from HTTP to HTTPS with my own certificates, own self-signed CA.
I have wasted like a day trying with no success. I have found some information on the internet, like:
  • Uploadable file should be in PEM format
  • File should contain all required certificates/keys separated with linefeed
  • File name should be simple, dots (more than one) or special symbols may break it

I have also updated the firmware to the latest I found - V5.6.6 build 210625

I tried signing CSR generated by camera, I tried importing private key+certs. I tried importing with trust chain, and simply self-signed server cert+key, I've tried replicating attributes of camera-generated cert. Still no luck, I continue getting "Certificate error. Recreate a certificate and try again". Interesting thing is that after firmware upgrade, Hikvision can read my certs, it shows the cert info on the screen, but still shows the mentioned Certificate error.

If someone managed to do this, please share cert file example (please don't publish your real private keys! :) ), or a list of Linux commands that produce a PEM file that gets accepted by Hikvision.
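The file layout described in the hints above (PEM, certificate and key blocks separated by linefeeds, simple file name), built with a private CA and checked locally. This is an added example, not part of the original post, and the thread does not establish that the camera accepts such a file; the block order in the bundle, the file names, the subject and the address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example. File names, subject and 192.0.2.10 are constructed placeholders.

make_bundle() {   # make_bundle <workdir> <camera-ip>
    dir=$1; ip=$2
    # Minimal config so the root gets explicit CA extensions on any OpenSSL install.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_root]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/req.cnf"
    # 1. Private CA: self-signed root, 2048-bit RSA.
    openssl req -x509 -config "$dir/req.cnf" -extensions v3_root -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/CN=Example Camera CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2. Camera key and CSR.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$ip" -keyout "$dir/cam.key" -out "$dir/cam.csr" 2>/dev/null || return 1
    # 3. Sign the CSR with the CA; the SAN carries the address clients connect to.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$ip" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/cam.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/ext.cnf" \
        -out "$dir/cam.crt" 2>/dev/null || return 1
    # 4. One PEM file, blocks separated by linefeeds (order here is an assumption).
    cat "$dir/cam.crt" "$dir/cam.key" "$dir/ca.pem" > "$dir/camera.pem"
}

check_bundle() {  # returns 0 only if every local sanity check passes
    dir=$1
    # Chain: the camera cert must verify against the single private CA.
    openssl verify -CAfile "$dir/ca.pem" "$dir/cam.crt" >/dev/null 2>&1 || return 1
    # Key match: public key in the cert equals the one derived from the private key.
    a=$(openssl x509 -in "$dir/cam.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$dir/cam.key" -pubout | openssl sha256)
    [ "$a" = "$b" ] || return 2
    # Validity window: fail if the certificate is already expired.
    openssl x509 -in "$dir/cam.crt" -noout -checkend 0 >/dev/null || return 3
    # Bundle content: two certificates and one private key.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/camera.pem")" -eq 2 ] || return 4
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$dir/camera.pem")" -eq 1 ] || return 5
}

d=$(mktemp -d) && make_bundle "$d" 192.0.2.10 && check_bundle "$d" \
    && echo "checks passed: $d/camera.pem"
```

The `openssl verify -CAfile` step is the same check a client that trusts only the private CA would perform, so a failure there rules out the camera as the cause.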
 
I ran into this same problem on this camera as well so decided to just use the Hikvision self signed generated certificate. :( Unlike the other more advanced and current generation hardware this camera had me scratching my head for a couple days! :facepalm:

What I should have done is check a couple of other similar models to see if the behavior was the same. Instead I wasted days and weeks trying everything on one specific camera only to find out it was in some unknown state!

Once I realized what the problem(s) were it was easy to create the self signed certificate. :headbang:

For the benefit of others who may run into the same this is what you need to do.

Network Services: Both enable Websockets & Enhanced SDK service must be unchecked / disabled. On the initial camera there was no warning or error messages that these two services needed to be disabled! :banghead: Only after checking with another camera did I see the error and followed the prompt.

HTTPS: If you had HTTPS enabled prior you'll need to uncheck both selections. At this point you'll need to refresh the web page using HTTP. You should now see the delete certificate option that was previously greyed out. Delete the certificate and refresh the page and you should now see the options to create a self signed certificate as in the image capture here.

Select 2048 bit encryption and enter all of the relevant information and hit OK.

Depending upon the firmware and how the camera is setup the creation of the certificate can take mere seconds to several seconds like 15-25 seconds.

At this point if the self signed certificate is active and present the web page will auto reload with HTTPS vs HTTP but errors will be seen because it's a self signed certificate. Regardless, it's now a secure connection and you can ignore the nagging.

I've included the before and after web portal errors and how it looks different.

=========================
=========================

As an aside I received some next generation hardware and to my shock and dismay the certificate installed was long expired with a fucken ridiculous date!

I have appended that certificate here too because this hardware was produced just this year (2024)! So the guys at Hikvision need to fire the ass clowns who installed these expired certificates of 1969 ~ 1972! :angry:
 

Attachments

  • Network Services.PNG
  • HTTPS.PNG
  • Certificate Creation.PNG
  • Certificate Web Error.PNG
  • Edge Browser.PNG
  • Exployer.PNG
  • Default - OEM Certificate.PNG
Thank you very much for your effort, I hope it helps someone.
Unfortunately it doesn't help me because my DVR won't accept self-signed certificates (I could hack in and put single CA there, but I definitely wouldn't like to add every camera cert to OS trust store), I use Synology Surveillance Station. So I will keep waiting :D
 

Just to be clear have you created a self signed certificate on the camera? If so, what does the Synology station indicate when you try to save the video data there??
 
I have tried self-signed cert created by camera, the result is Synology unable to connect to the cam, if I remember correctly, it didn't provide any error, and I assumed it is due to certificate being untrusted. I think I saw a confirmation for this theory in docs or somewhere on internet.