
Secure Device Communication via HTTPS on the Gateway

Overview

Arcules gateways can communicate with onboarded devices over HTTPS, which encrypts traffic between the gateway and the device (passwords, device configuration, and video) so it can't be read by anyone monitoring the network. Plain HTTP sends the same information unencrypted.

Starting with this release, the gateway automatically tries to connect new devices over HTTPS when they support it. This happens in the background, no extra steps are required, and devices already on your gateway are unaffected.

Note: This applies only to devices you add from this release onward. Devices that were already onboarded continue to work exactly as before and are not affected.

Note: Some older cameras may not support video streaming over HTTPS. For these devices, video may be transmitted unencrypted, but all other communication with the gateway is still encrypted.

How Certificates Are Created and Used

A certificate is a small file that proves a device's identity and sets up encrypted communication. The gateway relies on it to confirm it's talking to the same device on every connection.

When you add a device over HTTPS, the gateway sets up the certificate as follows:

  • Creates a certificate for the device and signs it with an Arcules signature.

  • Installs that certificate on the device.

  • Keeps a copy so it can recognize the device on future connections.

  • The device's private key, the secret part of the certificate, is generated on the device and never leaves it.

From that point on, the gateway expects the device to present the same certificate on every connection, a comparison called an integrity check that confirms the device's identity hasn't changed.

You can review a device's certificate at any time in the web portal:

1. Open the device drawer and select the TLS/SSL Certificate value, or go to Device Drawer > Settings > Certificate Settings for the device.

2. From there you can see the certificate's status and download it (in .cer format) to inspect its full details, such as the issuer and expiration date, using your own tools.

A few terms used in this article: Certificate management is a device's ability to let the gateway create and install a certificate on it (not all cameras support this). mDNS and WS-Discovery are auto-discovery features in a camera's settings that let it announce itself on the local network so the gateway can find it, which matters when the camera uses a non-standard port.

What Happens When You Add a Device

  • Adding a device: The gateway checks whether it's reachable securely over HTTPS.

    • If yes → creates and installs an Arcules certificate, connects securely.

    • If no → connects over HTTP instead. Either way, the device is added.

  • Certificate install fails: The gateway connects securely but can't install its own certificate. This happens when:

    • The camera doesn't support certificate management, or

    • The camera was briefly unresponsive during setup.

    In this case, the gateway falls back to the certificate already on the device and stores a copy of that one instead.

  • Result: The connection is still encrypted, but since Arcules didn't create the certificate, it can't vouch for its origin.

    • Portal shows this as HTTPS (Device) rather than HTTPS (Arcules).

    • You can review and accept the certificate at any time (see Certificate Field Values).

Note: The gateway always tries HTTPS first. It only falls back to HTTP when a secure connection is not possible.

Certificate Field Values

Once secure communication is available, the device drawer shows a Certificate field indicating how the gateway is connected and whether action is needed:

  • HTTP: Unencrypted connection; no action required. To switch to HTTPS, confirm the device's HTTPS port is enabled, then use Replace Device. The gateway detects HTTPS support automatically, so you don't need to delete and re-add the device.

  • HTTPS (Arcules): Encrypted, using a certificate the gateway trusts, either Arcules-created or one you've reviewed and accepted. This is the expected state; no action required.

  • HTTPS (Device): Encrypted, but using a certificate Arcules didn't create or hasn't yet accepted. This can happen, for example, if the device went offline right after being added, before the gateway finished creating or confirming its certificate. Open Certificate Settings, review the certificate, and select Accept if you trust it; the state then changes to HTTPS (Arcules).

Expectations

Keep the following in mind when adding devices over HTTPS:

  • The device must have its HTTPS port enabled (typically port 443).

  • Non-standard HTTPS port? Enable auto-discovery (mDNS, WS-Discovery, or UPnP) or enter the port manually. UPnP often doesn't advertise a device's HTTPS port, so verify in Certificate Settings that discovery actually added it as HTTPS.

  • If the device supports certificate management, the gateway installs its own certificate; otherwise it uses the device's existing one. Either way, the connection is secure.

  • The gateway expects the same certificate on every connection. If it changes, the gateway blocks the connection and reports the device offline until you accept the new certificate (see Reviewing and Accepting a Certificate).

  • Unreachable or mid-setup devices are still added without a stored certificate, though this is uncommon, since the gateway waits several minutes before falling back. Accept the certificate in Certificate Settings once the device is back online.

If You Do Not Want to Onboard a Device Over HTTPS

If you prefer not to add a device over HTTPS, do one of the following:

  • Enter the HTTP port or address when adding the device, for example, 192.168.20.1:80 or http://192.168.20.1.

  • Disable the HTTPS port in the camera's web interface.

Onboarding Time and Device Responsiveness

Creating a certificate takes 30–60 seconds on most devices, longer on older ones (the device also restarts its secure web server). Expect HTTPS onboarding to take longer than HTTP, and avoid changing device settings while it's unresponsive during this process.

Note: A certificate is created only once, when you first add the device. Later connections simply reuse it, so they are not slowed down.

Pre-Onboarding Steps

Before adding a device over HTTPS, complete the following:

  1. Enable the HTTPS port on the camera, usually under its network or security settings. Check your camera manufacturer's documentation if you're unsure.

  2. Confirm it's reachable: open https://192.168.20.1/ in a browser. If it loads, HTTPS is working.

  3. Non-standard port? Enable auto-discovery or enter it manually, for example 192.168.20.1:4443. UPnP often doesn't advertise custom ports, so manual entry is more reliable if that's your only discovery method.

Reviewing and Accepting a Certificate

You'll need to review and accept a certificate when a device's certificate changes after being added, or when the gateway is using a device-provided certificate you haven't accepted yet. In the first case, the gateway blocks the connection and reports the device offline until you review the new certificate.

To review and accept the certificate:

1. Open the device drawer, or select Settings for the device.

2. Select Certificate Settings. You can also open this dialog by selecting the TLS/SSL Certificate value in the device drawer.

3. Review the certificate details. You can download the certificate (in .cer format) to inspect it with your own tools before deciding.

4. If you recognize and trust the certificate, select Accept. The gateway stores the certificate, uses it for future integrity checks, and restores the device connection.

Note: If a device shows an “Error with device certificate” message and appears offline, open Certificate Settings for that device to review and accept the current certificate.
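
The review step above and the gateway's integrity check both come down to asking whether two certificates are the same. The following is an added example, not Arcules code: it compares a downloaded .cer file with the certificate the camera presents on the network, by SHA-256 fingerprint. The file name device.cer and the function names are assumptions; the address is the example address used in this article.

```python
import hashlib
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def cer_to_der(data: bytes) -> bytes:
    """Return DER bytes from a .cer file, which may hold PEM text or raw DER."""
    stripped = data.strip()
    if stripped.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return data  # already DER: keep every byte, including trailing ones


def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole DER certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the device presents, without validating it.

    Validation is off on purpose: camera certificates are usually not issued
    by a public CA, and the goal is only to read the bytes for comparison.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def same_certificate(reviewed_cer: bytes, presented_der: bytes) -> bool:
    """True only if the reviewed file and the presented certificate are identical."""
    return fingerprint(cer_to_der(reviewed_cer)) == fingerprint(presented_der)


if __name__ == "__main__":
    # Assumed inputs: device.cer downloaded from Certificate Settings, and
    # the camera reachable at this article's example address.
    with open("device.cer", "rb") as fh:
        reviewed = fh.read()
    presented = fetch_presented_der("192.168.20.1", 443)
    print("reviewed :", fingerprint(cer_to_der(reviewed)))
    print("presented:", fingerprint(presented))
    print("match" if same_certificate(reviewed, presented) else "MISMATCH")
```

Older cameras that only offer legacy TLS versions may fail the handshake under Python's default settings; that is a connection failure, not a mismatch.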

Using Your Own Certificate

You can use your own certificate, self-signed or from your own CA, instead of Arcules'. This is currently a manual process. Most cameras only keep one certificate active at a time (some only show the latest one, even if more exist internally), so order matters:

If the camera supports Certificate Management (the gateway can create and install certificates on it):

1. Add the device to the gateway. This lets the gateway attempt to create its own certificate first.

2. Install your certificate on the camera directly, using the camera's own web interface.

3. In the portal, open Certificate Settings for the device.

4. Review the certificate and select Accept.

If the camera already has your certificate installed and supports multiple certificates:

1. Add the device to the gateway.

2. In the camera's own certificate settings, select the certificate you want it to use.

3. In the portal, open Certificate Settings for the device, and select Accept.

Exception: If the camera doesn't support Certificate Management, the gateway won't touch it, so the original order is fine: install your certificate first, then add the device.

Frequently Asked Questions

Are existing devices affected by this change?

No. Secure onboarding applies only to devices you add from this release onward. Devices that were already added continue to operate as before.

What is the certificate validity period?

By default, the gateway requests a 10-year certificate, though the device may set its own expiration. View the expiration date in the portal or the device's web interface.

Does the certificate renew automatically when it expires?

Not at this time. Automatic certificate renewal and advance expiration notifications are not currently available and may be considered in a future release.

Note: An expired certificate does not, by itself, take a device offline.

Will I need to re-register my cameras when a certificate expires?

No. You should never need to re-add existing cameras to the gateway. Future releases are expected to provide a way to create a new certificate on the device directly from the portal.

Why don't I see the Certificate Settings option?

Certificate Settings only appears when secure communication is available for your organization and the device has a certificate to review. Devices on plain HTTP won't show this option.

Why is a device showing as offline with a certificate error?

This happens when the certificate on the device no longer matches the gateway's stored copy. Since it can't confirm the device's identity, the gateway blocks the connection and reports it offline. Review and accept the new certificate in Certificate Settings to restore it.

My device only shows an HTTP port when the gateway searches for it. Can it still be added over HTTPS?

Some cameras only advertise one port, often just HTTP even when HTTPS is enabled. If your camera uses a non-standard HTTPS port and only its HTTP port is detected, enter the HTTPS port manually when adding the device.
