In HikCentral you can enable HTTPS in the system settings. However, once you enable HTTPS, the website will show a “Not Secure” warning, because HikCentral uses its embedded CA certificate, which has not been “signed”.


A Root CA Certificate should be issued by a trusted certificate authority (CA). Anyone can generate a signing key and sign a new certificate with that key. However, that certificate is not considered valid unless it has been directly or indirectly signed by a trusted CA.


What is needed in HikCentral?

Users need to upload a valid certificate in the HikCentral Web Client, and the file format must be “.pem”. The “.pem” file includes a public key and a private key. Usually, users apply for their own certificate from a third-party certificate authority. What they should provide us is their public key and private key.


To generate a Certificate Signing Request (CSR) with MMC:


1. Run MMC.

2. Click “File->Add/Remove Snap-in…” and select “Certificate->Add” with the current user account, then click OK.

3. Expand your certificate, right-click “Personal” and select All Tasks > Advanced Operations > Create Custom Request.

4. The CSR generation wizard will open > Click Next.

5. Select the option to Proceed without enrollment policy > Click Next.

6. Click Next at the PKCS #10 window.

7. From the Details drop-down menu > Click Properties.

8. Enter a Friendly Name of your choosing.

9. Access the Subject tab > in the Subject name: Type: field, add the following distinguished name values required for your CSR (CN, O, OU, S, L and C).

Example:

CN = www.xxxxxx.com (This is an example)

O = Your organization name

OU = Department or Division (This is optional)

S = State (State must be fully spelled out)

L = City or Locality

C = Country

10. Click the Private Key tab > click the drop-down for Key options > select Key size: 2048 and check the option to Make private key exportable > Click OK.

11. Click Next > Click Browse.

12. Select a location to save the CSR file. Enter a name for the file and click Save.

13. Click Finish.

The CSR file will be present at the location you saved it and can be used to request the SSL certificate as needed.


How to retrieve the public and private key?

The customer needs to send their CSR to a certificate authority, and they will then get a certificate (a .crt file) from the trusted certificate authority. The content of the .crt file is the public key (see example below).

-----BEGIN CERTIFICATE-----

Xxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----






To export the private key with MMC:

1. Win+R > mmc.exe > OK > File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Local computer > Finish > OK

Then navigate to the Certificate Enrollment Requests > Certificates folder (if the certificate request was not completed) or the Personal > Certificates folder (if the certificate request was already completed), right-click the certificate entry and click All Tasks > Export to open the export wizard.

After the operation above you will have a .pfx file, which contains the key. To get the key in plain text, you can convert the .pfx into PEM-encoded files using the website below:

https://decoder.link/converter/

How to get the “.pem” file

Make sure the customer has installed their certificate. Then copy the content of both the private key and the public key, merge them into one file, and rename the new file as a “.pem” file. Use a standard format, for example:

-----BEGIN CERTIFICATE-----

<<< here you copy/paste the information from the signed certificate – the crt file >>>

-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

<<< here you copy/paste the information from the private key exported above >>>

-----END PRIVATE KEY-----


After generating the valid “.pem” file, go to HikCentral Web Client->System->Advanced->Transfer; you can then use HTTPS without any security warning.
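
The .pfx conversion and the merge described above can also be done locally with the OpenSSL command line, so the private key is never pasted into a website. This is an added example, not HikCentral or vendor code; it assumes OpenSSL is installed, and the function names, file names and the PFX_PASS variable are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes the OpenSSL CLI is installed.
# File names are placeholders. Export PFX_PASS (the password chosen in the
# MMC export wizard) before calling pfx_key.

# pfx_key <in.pfx> <out.key>: extract only the private key from the exported PFX.
pfx_key() (
    umask 077    # the output is an unencrypted key: owner-only permissions
    # -nocerts: key only; -nodes: no passphrase on the output, matching the
    # "BEGIN PRIVATE KEY" template. pkey drops the "Bag Attributes" text that
    # pkcs12 prints before the PEM block and writes clean PKCS#8.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes |
        openssl pkey -out "$2"
)

# build_pem <cert.crt> <key.pem> <out.pem>: merge certificate and key in the
# template's order, after checking that the key belongs to the certificate.
build_pem() (
    umask 077
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        exit 2
    fi
    # Re-emit both blocks so the file holds exactly two clean PEM sections:
    # certificate first, then private key.
    openssl x509 -in "$1" > "$3" && openssl pkey -in "$2" >> "$3"
)

# Usage (placeholder names):
#   pfx_key exported.pfx server.key
#   build_pem server.crt server.key hikcentral.pem
```

On OpenSSL 3.x, a .pfx written with older encryption algorithms may only open when `-legacy` is added to the `pkcs12` command.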