HTTPS security certificate

diitto
Posts: 3
Joined: Sat Oct 08, 2016 1:27 pm

HTTPS security certificate

Post by diitto »

Can anyone shed any light on the https security certificate status??? I am currently trying to evaluate a new IP2M-841 camera. If I try to connect via https using port 443, I get a message that the security certificate expired back in March, 2016, some 9 months ago. I saw a post someone wrote in late October, 2016, where Amcrest support claimed to have passed along the expired certificate issue to their R&D department. I myself have also asked Amcrest support to tell me status related to when this issue might get resolved. I got an email back saying they would "get back to me" but I've heard nothing since.

So again, can anyone shed light on what it means to have an expired security certificate that seems to have been that way for quite a long time??? Or am I perhaps doing something else wrong???

thanks
Last edited by diitto on Thu Dec 08, 2016 1:12 pm, edited 1 time in total.
meTC
Posts: 8
Joined: Wed Dec 07, 2016 4:20 am

Re: HTTPS security certificate

Post by meTC »

Hi.
I'm new here and may be wrong with regards to cameras but for hosting websites I know you can create your own SSL certificate and use it with your web server. It won't be 3rd party authenticated though if that matters to you but it'll save you a little money from buying one every year.

If you're interested I can probably find and post a link that explains how to do it on Ubuntu Linux.
diitto
Posts: 3
Joined: Sat Oct 08, 2016 1:27 pm

Re: HTTPS security certificate

Post by diitto »

But does someone know why it doesn't work as it appears Amcrest intends??? I enabled HTTPS in one of the setup screens, selected a port number, clicked SAVE and then separately port forwarded that port. That all seemed ok. But when I try to use it like one would do when you access any one of hundreds of other https sites we all use every day, it fails by telling me the security certificate became invalid last March (2016). Isn't that an Amcrest issue??? Just like it would be an issue for a bank or credit card company or whatever who might have expired security certificates??? I'm not searching for some "work around". I want to understand how Amcrest intended it to work and have it work that way. I'm confused. Any input from anyone??? thanks..
tonester
Posts: 59
Joined: Wed Jun 29, 2016 10:33 am

Re: HTTPS security certificate

Post by tonester »

diitto--it would appear that Amcrest is dragging its feet in regards to renewing the expired SSL cert (note--it would have to be included in some sort of firmware update since the renewed cert would need to be installed on the web server that's running in the camera), simple as that.
namtaru
Posts: 2
Joined: Sun Jan 08, 2017 7:41 pm

Re: HTTPS security certificate

Post by namtaru »

Any update on this? At a very minimum we should be able to use our own SSL certificate.
jjreynolds
Posts: 44
Joined: Mon Jan 16, 2017 8:41 am

Re: HTTPS security certificate

Post by jjreynolds »

Like tonester said, Amcrest would have to update their camera firmware to include an updated SSL certificate expiry date. We used to do this with OpenSSL with our in-house products, not needing a trusted 3rd party.
OverkillTASF
Posts: 1
Joined: Sat Jan 21, 2017 9:46 am

Re: HTTPS security certificate

Post by OverkillTASF »

"At a very minimum we should be able to use our own SSL certificate."
Actually, this is one of the only ways this can possibly be secure. There are two ways they can implement HTTPS in any meaningful way:

1. The camera can generate and self-sign its own certificate. You will get a certificate error when connecting from new browsers/devices because it's not signed by a trusted third party, but it would otherwise be valid, so you could add it as a trusted cert to your devices.

2. The camera can let you load your own certificate, maybe even generating the proper CSR. In this way you could use an actual trusted certificate from LetsEncrypt or Verisign or whatever you wished.

If the certificate is distributed in the firmware, everyone has access to the associated private key, so the resulting encrypted sessions are of no real value.
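
The self-signed route in option 1 above, as an added example that is not part of the original thread and not Amcrest's code: each device generates its own key and certificate, the owner records (pins) the certificate's SHA-256 fingerprint once, and later connections are accepted only if the fingerprint matches and the certificate is not about to expire. The certificates are generated locally as stand-ins for two cameras; the names `cam_a`, `cam_b` and `camera.example` are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: stand-in certificates generated locally, nothing is fetched.
# On a live device the PEM would come from something like:
#   openssl s_client -connect <camera-ip>:443 </dev/null | openssl x509 -outform PEM
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# What option 1 has the device do: create a fresh key and self-sign a cert.
# $1 = file prefix, $2 = validity in days
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$workdir/$1.key" -out "$workdir/$1.crt" \
    -days "$2" -subj "/CN=camera.example" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the value the owner pins on clients.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Accept a certificate only if it matches the pin and stays valid long enough.
# $1 = cert file, $2 = pinned fingerprint, $3 = required remaining seconds
check_cert() {
  [ "$(fingerprint "$1")" = "$2" ] || { echo "PIN MISMATCH"; return 1; }
  openssl x509 -in "$1" -noout -checkend "$3" >/dev/null \
    || { echo "EXPIRING"; return 2; }
  echo "OK"
}

make_selfsigned cam_a 30   # "my" camera, cert valid for 30 days
make_selfsigned cam_b 30   # a different device with its own key
pin=$(fingerprint "$workdir/cam_a.crt")

# Same device, valid for at least one more day.
check_cert "$workdir/cam_a.crt" "$pin" 86400
# Another device: its own key gives a different fingerprint, so the pin rejects it.
check_cert "$workdir/cam_b.crt" "$pin" 86400 || true
# Same device, but we demand 60 days of validity from a 30-day cert.
check_cert "$workdir/cam_a.crt" "$pin" $((60 * 86400)) || true
```

The pin only distinguishes devices because each one generated its own key. With a certificate and key shipped identically in every firmware image, every unit would present the same fingerprint, which is the point made in the last paragraph of the post above.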
diitto
Posts: 3
Joined: Sat Oct 08, 2016 1:27 pm

Re: HTTPS security certificate

Post by diitto »

Hmmm, perhaps this is the wrong attitude but I decided to give Amcrest cameras a try based on a number of inputs from others, including that they offered the ability to encrypt connections to the camera. Just like I don't expect my bank or credit card company to tell ME to figure out my own way of connecting with them securely, nor was I thinking I was going to need to become an expert on how to actually make a successful encrypted connection to the Amcrest cameras!!! I'm not an expert. And I don't want to be. But maybe the message is I'm going to have to choose to become an expert if I choose to deploy truly secure (the networked camera itself) home security (watch the house) cameras. Someone above said it appears "Amcrest is dragging its feet in regards to renewing the expired SSL cert". Assuming that's true, that to me sends a pretty bad message about how much confidence I should have in the notion that Amcrest is building cameras that one can believe are going to be safe and secure members of this Internet of Things (IoT's). For now, I have ceased my efforts to connect this camera and have set it aside while I am now off on a new search for some other company that might be more interested in selling security cameras that are also, THEMSELVES, SECURE. I really don't want to set up a security camera that I later find out has been turned into some bad guy's bot. Just doesn't seem to make any sense. Any other input would be appreciated and thanks for the responses to date.
jjreynolds
Posts: 44
Joined: Mon Jan 16, 2017 8:41 am

Re: HTTPS security certificate

Post by jjreynolds »

I connect to my ip2m 841 via SSL with the tinyCam Android app that doesn't need a certificate. The certificate would ensure I'm talking to my camera, but I know that by looking at the video. The connection is encrypted without the certificate using Diffie-Hellman encoding.
savvy2
Posts: 12
Joined: Sun Jan 14, 2018 7:26 am

Re: HTTPS security certificate

Post by savvy2 »

I guess only me and 4(?) others want https:// to work (SSL).
Certificate errors endless.
When I asked before, the answer was: no support for cams, 2 years old.
Time to dump these and buy cams that work... from not here.
I do not have cams from China, nor eBay, only here. Real USA bought.