HTTPS

General

To enable HTTPS the “Https enable” setting must be set to “Yes”. When HTTPS is enabled all functionalities that the ONVIF driver supports will work on HTTPS:

  • Video*

  • Audio IN*

  • Metadata*

  • PTZ

  • Video Edge Storage*

  • Audio Edge Storage*

  • Metadata Edge Storage*

  • Pull Point Events

  • Aux commands

  • Digital Inputs

  • Relay Outputs

The HTTPS port will be read from the device when possible. If the device does not respond to GetNetworkProtocols or does not return a HTTPS port, the default value of 443 will be used. When changing the HTTPS port in the Management Client the driver will try to also set the port on the device. Some devices deny changing the port through the SetNetworkProtocols command. In this case no error is displayed, and the only signs of that failure are that the HTTPS stops working and failure of the SetNetworkProtocols command in Wireshark. In these situations, the user must ensure that the port set in the Management Client and the one used by the device are equal. This is done usually by changing the HTTPS port on the device’s web page.

HTTPS must be enabled on the device as well (usually through the device’s Web Page).

If the option “HTTPS Validate Certificate” is enabled the ONVIF driver will check the validity of the certificate of the device when HTTPS connection is being established. If the certificate cannot be verified (is expired or the certificate chain does not lead a trusted root) the connection will be dropped, and no communication will be done with the device. For information on how to work with certificates see HTTPS Certificates.

If the option “HTTPS Validate Hostname” is enabled the ONVIF driver will check if the hostname it’s connecting to matches the ones the certificate is issued to.

For Video, Audio IN, Metadata, Video Edge Storage, Audio Edge Storage and Metadata Edge Storage to be over HTTPS their streaming method must be changed to RTP/RTSP/HTTP/TCP.

Audio OUT does not support HTTPS. The ONVIF specification and the document from Apple for RTSP over HTTP does not specify how the Audio Backchannel should be sent and as such there is no standard way of sending audio backchannel data to the device over HTTP or HTTPS.

ONVIF commands over HTTPS

When HTTPS is enabled all ONVIF SOAP requests will be transferred over HTTPS. These include all commands for setting and retrieving settings, PTZ, Pull Point Events, Aux commands, Digital Inputs and Relay Outputs.

Media over HTTPS

The ONVIF driver uses RTSP over HTTP in order to receive securely media data from the device. For RTSP over HTTPS to work, the “Https enable” setting must be set to “Yes” and the streaming method must be set to either RTP/RTSP/HTTP/TCP or HTTP snapshot. If streaming mode is set to a value other than RTP/RTSP/HTTP/TCP or HTTP snapshot, streaming will work but without encryption. All ONVIF requests to the device will be on HTTPS, but the video, audio or metadata will be on RTSP.

HTTPS Certificates

The ONVIF driver supports self-signed and authority-signed certificates. If an authority-signed certificate is used on the device and this certificate is not signed by a root CA, the device’s certificate root must be installed on the recording server for the ONVIF driver to be able to validate the certificate chain.

Here is how to install a certificate in the Windows Certificate Store

Copy the certificate to the Recording Server machine. Right Click on the Certificate and choose “Install Certificate”

Graphical user interface, application Description automatically generated

On the “Certificate Import Wizard” choose to install the certificate in the store of the “Local Machine”. Installation in this store is needed as the Recording Server runs under the user “NETWORK SERVICE” and can only access its user’s Certificate Store or the store of the Local Machine.

Graphical user interface, text, application, email Description automatically generated

Choose to manually select the store in which the certificate will be installed.

Graphical user interface, text, application, email Description automatically generated

Click “Browse” button and select the “Trusted Root Certification Authorities”

Graphical user interface, text, application Description automatically generated

Click Finish on the “Completing the Certificate Wizard” dialog.
Graphical user interface, text, application, email Description automatically generated

You will receive a confirmation dialog of successful import.

Graphical user interface, text, application Description automatically generated

To verify that the certificate is imported start the Microsoft Management Console.
Graphical user interface Description automatically generated

In the Microsoft Management Console from the File menu select “Add/Remove Snap-in…”

Graphical user interface, application Description automatically generated

Select the “Certificates” snap-in and click the “Add” button.
Graphical user interface, application Description automatically generated

Select the snap-in to manage the certificate for the “Computer account”.
Graphical user interface, text, application, Word Description automatically generated

Select “Local computer” on the next step.
Graphical user interface, text, application, email Description automatically generated

Click OK after the snap-in has been added.
Graphical user interface, text Description automatically generated

Verify that the certificate is listed in the center view of the “Trusted Root Certification Authorities” subtree.

Graphical user interface, text, application Description automatically generated