Running Netcam Studio Server on SSL / HTTPS - Windows 10 and 11

If Netcam Studio is exposed to the public network, we recommend running it under https. It is not necessary if you only use http, but if an external web server running https is mixed with http from NCS, today's browsers such as Chrome, Edge and Firefox will block the http traffic for security reasons.

The text below describes how to install a certificate in Windows and in Netcam Studio so that it runs under https. How the certificate is obtained varies a lot depending on the Internet Service Provider, use of DDNS etc., so we will not cover that part.

The two most common verification processes for the certificate are:
  • Domain name verification. You must have access to the DNS administration of the chosen domain name. With this process the certificate usually cannot be renewed automatically; however, this depends on the ISP.
  • HTTP verification. This method requires access to the web server for Netcam Studio, which is found in C:\Program Files\Netcam Studio - 64-bit\WebServer. This method can usually be used for automatic renewal of the certificate.

Also, all incoming data traffic in http or https must be directed to port 8100.

IMPORTANT: When you update Netcam Studio, the content of the folder C:\Program Files\Netcam Studio - 64-bit is replaced by new content. As of today, the https configuration must be redone and the certificate must be copied back to that folder.

Part 1b below covers how to generate a self-signed certificate. This is of less interest today, but it is kept to help understand how things work.

1a. Purchase an SSL Certificate
The first step is to obtain the certificate. If you want the certificate to be trusted and not display any warning to the user, it has to be issued by a trusted authority such as www.Digicert.com
Let's Encrypt is a nonprofit Certificate Authority that delivers free certificates used by many around the world. A certificate is valid for three months and must then be renewed.
The certificate must be of the type pfx to work in Windows.
I suggest that you search the net on this matter, since there is a lot of valuable information on how to do this.

1b. Generate your own SSL certificate.
Alternatively, for testing or internal use, it is possible to generate your own certificates. You will have to generate the following:

  • CA Certificate
  • SSL Certificate matching the CA

For Windows 10 and 11 using PowerShell
Run PowerShell ISE as an Administrator → PS C:\WINDOWS\system32>
cd cert:\Localmachine\my
Stay in this location (the certificate store) for all commands below.

Generate a new self-signed certificate with a suitable DNS name. Here I use ncs.local
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ncs.local

dir
The newly generated certificate is listed together with the existing ones:

Thumbprint                                Subject
----------                                -------
D7CDE5998D993F850F1ADB60994EB3C292865CDF  CN=ncs.local

Generate a password. Here I use test
$pwd = ConvertTo-SecureString -String "test" -Force -AsPlainText

Export the certificate to the pfx format. Replace Thumbprint in the command below with the long hexadecimal string shown above for your certificate. The resulting file is called server.pfx and is located in the root c:\

export-pfxcertificate -cert Thumbprint -filepath c:\server.pfx -chainoption buildchain -password $pwd

Use Windows Explorer to go to the file location c:\ and install the certificate by double-clicking it.
Copy the certificate to C:\Program Files\Netcam Studio - 64-bit

1c. Install the self-generated or the commercial certificate in Windows
Go to the location of the certificate. Install the certificate by double-clicking it.
Copy the certificate to C:\Program Files\Netcam Studio - 64-bit

Open Manage Computer Certificates
In the folder Personal → Certificates you will find the certificate by name. In the example above it is ncs.local
Copy the certificate (ncs.local) to the folder Trusted Root Certification Authorities → Certificates

2. Configure Netcam Studio to Serve over SSL/HTTPS
Next, copy the SSL certificate (default name server.pfx) into the folder where Netcam Studio is located (Program Files\Netcam Studio) and edit the Netcam Studio (X and Service) configuration files:

  • NetcamStudioX.exe.config
  • NetcamStudio.Service.exe.config

Under the appSettings category, add new settings with the keys WebServerCertificate and WebServerCertificatePass as shown in the example below.

The certificate's name and password must match the name of the file copied into the program's folder and the password you chose when generating the certificate or received from the trusted authority.

<appSettings>
    <add key="EventLogsRetentionDays" value="2" />
    <add key="BypassSecurity" value="false" />
    <add key="WebServerPort" value="8100" />
    <add key="ServerTcpPort" value="8120" />
    <add key="ServerHttpPort" value="8124" />
    <add key="ServerHost" value="localhost" />
    <add key="WebServerCertificate" value="server.pfx" />
    <add key="WebServerCertificatePass" value="test" />
</appSettings>

Important: When Netcam Studio runs as a service and https is enabled, the service must log on with an account that has administrator rights. This is a security requirement imposed by Windows.
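
An added example, not part of the original guide or Netcam Studio's own tooling: a PowerShell script that redoes the steps of section 2 after an update has replaced the program folder. It assumes the install folder and file names given on this page and a hypothetical backup copy of the certificate at C:\ncs-cert\server.pfx; run it from an elevated PowerShell.

```powershell
# Added example: re-apply the HTTPS settings after a Netcam Studio update.
# Assumptions: install folder and config names as on this page; the backup
# path below is hypothetical.
$installDir = 'C:\Program Files\Netcam Studio - 64-bit'
$pfxBackup  = 'C:\ncs-cert\server.pfx'   # hypothetical backup copy of the certificate
$configs    = 'NetcamStudioX.exe.config', 'NetcamStudio.Service.exe.config'

# Ask for the PFX password instead of hard-coding it in the script.
$securePass = Read-Host -Prompt 'PFX password' -AsSecureString

# Opening the PFX proves the password matches and the private key is present.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBackup, $securePass)
if (-not $cert.HasPrivateKey)      { throw "No private key in $pfxBackup" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

Copy-Item -Path $pfxBackup -Destination $installDir -Force

# The config files hold the password as plain text, so it has to be converted back.
$plainPass = [System.Net.NetworkCredential]::new('', $securePass).Password

function Set-AppSetting([xml]$Xml, [string]$Key, [string]$Value) {
    # Update the <add key="..."> entry under appSettings, creating it if missing.
    $node = $Xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) {
        $node = $Xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$Xml.SelectSingleNode('/configuration/appSettings').AppendChild($node)
    }
    $node.SetAttribute('value', $Value)
}

foreach ($name in $configs) {
    $path = Join-Path $installDir $name
    Copy-Item -Path $path -Destination "$path.bak" -Force   # keep the freshly installed file
    $xml = [System.Xml.XmlDocument]::new()
    $xml.PreserveWhitespace = $true
    $xml.Load($path)
    Set-AppSetting $xml 'WebServerCertificate'     (Split-Path $pfxBackup -Leaf)
    Set-AppSetting $xml 'WebServerCertificatePass' $plainPass
    $xml.Save($path)
    Write-Host "Updated $path"
}
```

Because WebServerCertificatePass is written in clear text, anyone who can read these config files can also read the password that protects the certificate's private key.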

3. Enabling SSL in Netcam Studio Client (Windows)
HTTPS support on the client side is still only partial; we look forward to completing it soon.

For Netcam Studio Client to accept connections over HTTPS, its configuration file (NetcamStudio.Client.exe.config) must also be modified.

To do this, change the endpoint address from http:// to https:// under system.serviceModel → client, as shown below:

<system.serviceModel>
    <client>
      <endpoint address="https://localhost:8124/Soap" binding="customBinding" bindingConfiguration="soapEndpoint" contract="Moonware.Server.WCF.Interface.IMoonwareServerWCF" name="soapEndpoint" />
    </client>
</system.serviceModel>

4. Enabling SSL in Web / SmartPhone Clients
When sections 1 to 3 are done, it is possible to also use the web client with https / SSL. In the web browser, connect to NCS using https. When adding login information, also enable https / SSL. If you have made a self-generated certificate, the browser will show the red text Not secure.

This indicates that the certificate does not match the domain on which Netcam Studio is accessed. However, the connection is secured.

To avoid the warning it is necessary to buy a certificate from a trusted authority as mentioned earlier. The very important part is that the certificate must match the domain on which Netcam Studio will be accessed.
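
To see which of these conditions applies to a given server, the following added example (not part of the original guide) reads the certificate Netcam Studio serves and reports whether Windows flags a name mismatch or an untrusted chain. The host name ncs.local is an assumption taken from section 1b, 8100 is the web server port from this page, and the function name is hypothetical.

```powershell
# Added example: inspect the certificate served on the Netcam Studio web port.
function Get-ServedCertificate {
    param([string]$HostName = 'ncs.local', [int]$Port = 8100)

    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate so it can be inspected, but record what
        # Windows would have complained about during validation.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # validates against the name the client uses

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $flags = [System.Net.Security.SslPolicyErrors]
        [pscustomobject]@{
            RequestedName = $HostName
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
            NameMismatch  = $script:policyErrors.HasFlag($flags::RemoteCertificateNameMismatch)
            ChainErrors   = $script:policyErrors.HasFlag($flags::RemoteCertificateChainErrors)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Use the same name that browsers and apps will use to reach Netcam Studio.
Get-ServedCertificate -HostName 'ncs.local' -Port 8100
```

NameMismatch means the certificate does not cover the name used to connect; ChainErrors means this machine does not trust the issuer, which is the normal result for a self-signed certificate on any computer where it was not copied to Trusted Root Certification Authorities.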

https / SSL for mobile App: iOS and Android do not accept a self-signed certificate.
