Generate TLS Certificates (OpenSSL)
Overview
This guide shows how to generate TLS certificates using the terminal and then load them into ITVDesk using the built-in UI.
ITVDesk expects:
- Certificate: PEM (commonly saved as .ca or .pem)
- Private key: PEM (.key)
The file extension does not matter to OpenSSL, but the ITVDesk UI filters for
*.ca / *.pem (certificate) and *.key (private key).
Option A: Quick Self-Signed Certificate (Single File Pair)
Use this for testing when your VMS/NVR accepts self-signed certificates.
Generate a key + self-signed certificate (RSA 2048, 825 days):
openssl req -x509 -newkey rsa:2048 -nodes \
-keyout itvdesk.key \
-out itvdesk.ca \
-days 825 \
-subj "/CN=ITVDesk"
Add a SAN (recommended):
cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = ITVDesk
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = itvdesk
IP.1 = 192.168.1.10
EOF
openssl req -x509 -newkey rsa:2048 -nodes \
-keyout itvdesk.key \
-out itvdesk.ca \
-days 825 \
-config san.cnf
Replace 192.168.1.10 with the IP address your virtual camera binds to.
Option B: Local CA + Server Certificate (Better Compatibility)
Use this when your VMS/NVR prefers a trusted chain.
- Create a local CA:
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key \
-sha256 -days 3650 \
-out ca.pem \
-subj "/CN=ITVDesk Local CA"
- Create server key + CSR with SAN:
openssl genrsa -out itvdesk.key 2048
cat > server.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ITVDesk
EOF
openssl req -new -key itvdesk.key -out itvdesk.csr -config server.cnf
cat > server.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=itvdesk
IP.1=192.168.1.10
EOF
- Sign the CSR with your CA:
openssl x509 -req -in itvdesk.csr \
-CA ca.pem -CAkey ca.key -CAcreateserial \
-out itvdesk.ca \
-days 825 -sha256 \
-extfile server.ext
If your VMS/NVR needs a chain file, you can bundle:
cat itvdesk.ca ca.pem > itvdesk-fullchain.ca
Verify Your Certificate
Inspect certificate fields:
openssl x509 -in itvdesk.ca -noout -text
Verify chain (Option B):
openssl verify -CAfile ca.pem itvdesk.ca
Load Certificate Into ITVDesk (UI)
- Open the Front Application
- Go to Security → Certificate Management
- For Global TLS Certificate:
  - Browse and select the certificate file (itvdesk.ca or itvdesk-fullchain.ca)
  - Browse and select the private key file (itvdesk.key)
  - Click Validate
  - Click Save (copies to ssl.ca / ssl.key next to the ITVDesk executable)
- For Per-Camera TLS Certificate:
  - Select the target camera
  - Choose Use global or select custom certificate/key
  - Click Validate, then Apply
After changing certificates:
- Reconnect your VMS/NVR client stream (existing TLS sessions keep using the old certificate).
Notes
- Protect private keys (.key). Do not share them.
- Always include SAN (IP/DNS). Many clients ignore CN.
- If a VMS/NVR rejects self-signed certificates, use Option B and install ca.pem as a trusted CA in that system.
How ITVDesk Uses These Files
- The certificate file is loaded as a certificate chain file. If needed, use a fullchain file (server cert + intermediate/CA bundle).
- The private key must be a PEM private key file (.key).
- ITVDesk UI Validate checks that the files can be parsed as:
  - X.509 PEM certificate
  - PEM private key (RSA/ECDSA/DSA)
To avoid confusion: Validate does not guarantee the certificate and key match.
Use the terminal checks below.
Confirm Certificate + Key Match
This works for RSA and EC keys:
openssl x509 -in itvdesk.ca -noout -pubkey \
| openssl pkey -pubin -outform der \
| openssl sha256
openssl pkey -in itvdesk.key -pubout -outform der \
| openssl sha256
The SHA256 outputs must be identical.
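The terminal checks above combined into one pre-load script, as an added example that is not part of ITVDesk or the original guide: it confirms the key matches the certificate, that the SAN contains the exact entry the VMS/NVR connects to, and that the certificate is not about to expire. The function name check_tls_pair, its return codes and the 30-day default are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-load check for an ITVDesk certificate/key pair.
# Usage: check_tls_pair CERT KEY SAN_ENTRY [MIN_DAYS]
#   SAN_ENTRY is written the way openssl prints it,
#   e.g. "IP Address:192.168.1.10" or "DNS:itvdesk".
# Returns: 0 ok, 2 unparsable file, 3 key mismatch,
#          4 SAN entry missing, 5 expires too soon.
check_tls_pair() (
  cert=$1 key=$2 want=$3 min_days=${4:-30}   # 30-day default is an assumption

  # Parse each file on its own so a bad file is reported instead of
  # yielding two identical hashes of empty input further down.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: $cert is not a PEM X.509 certificate"; exit 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: $key is not a readable PEM private key"; exit 2; }

  # Same comparison as the guide: SHA-256 over the DER-encoded public key.
  cert_fp=$(printf '%s\n' "$cert_pub" | openssl pkey -pubin -outform der | openssl sha256)
  key_fp=$(printf '%s\n' "$key_pub" | openssl pkey -pubin -outform der | openssl sha256)
  [ "$cert_fp" = "$key_fp" ] \
    || { echo "FAIL: private key does not belong to this certificate"; exit 3; }

  # One SAN entry per line, matched whole, so 192.168.1.10 cannot
  # be satisfied by a certificate issued for 192.168.1.100.
  sans=$(openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//')
  printf '%s\n' "$sans" | grep -Fxq "$want" \
    || { echo "FAIL: SAN does not contain '$want'"; exit 4; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within $min_days days"; exit 5; }

  echo "OK: key matches, SAN has '$want', valid for more than $min_days days"
)

# Run directly: ./check.sh itvdesk.ca itvdesk.key "IP Address:192.168.1.10"
if [ "$#" -ge 3 ]; then check_tls_pair "$@"; fi
```

When itvdesk-fullchain.ca is passed as CERT, openssl x509 reads only the first certificate in the file, which is the server certificate in the bundle order shown earlier.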