How to create HTTPS Cert for local IP Camera

I have 5 cameras on a separate camera VLAN that does not have access to the internet or other subnets.

I have 2 computers that need access to those 5 cameras from the user VLAN.

Obviously, I want to use HTTPS when connecting to these cameras so that usernames and passwords are not transmitted over plain text.

The problem is that when I turn on HTTPS and download the cert from the camera I am unable to install it on Windows.

I have the option to upload my own certificate, but I don’t know how to create and sign certificates for this purpose.

If anyone has guides or advice on how best to go about this, I would appreciate it.

The reason I need to remove the Cert error is because these cameras’ webpages only fully work in Edge running IE compatibly mode, and in this mode those cert errors mean an extra 5 minutes of time spent connecting to the cameras.

P.S. We are using a FortiGate at the office, so no pfSense with HA Proxy. The FortiGate does have a thing called “Virtual Servers” but like a lot of Fortinet stuff I can’t find a tutorial or documentation on how it works or what each setting does.

Running your own certificate authority (CA) actually makes a lot of sense for this purpose. There are tutorials out there, this is what I found with a quick search (have not completely read it): How to Create Your Own SSL Certificate Authority for Local HTTPS Development

In essence, you will need to create a root CA, optional but recommended intermediate CA and then your end certificates. This can be done using the openssl command line utility or graphical programs. For Windows, I can recommend XCA.

Since certificates can be validated along the signing chain, your clients only need to install the root CA certificate in the trust store in order to accept all certificates in the chain. Also you will want to keep the CA private keys secure, encrypted and with a passphrase at least, preferably in offline storage.

You could put the cameras on a separate VLAN (if they aren’t already) with a reverse proxy on the same VLAN such as Traefik, Nginx Proxy Manager or HAProxy to get a Lets Encrypt Certificate. You can use the DNS01 ACME challenge to get the cert without exposing anything to the internet.

Allow access from the main VLAN to the proxy only on your Fortigate and access all the cameras via the proxy.