Browser security warning when accessing a MOBOTIX camera
If a message appears in your browser when accessing a MOBOTIX camera indicating an ‘insecure connection’, this article explains the background and possible solutions.
Basic information about SSL certificates can be found here:
https://community.mobotix.com/t/ssl-certificates-explained-simply-why-they-are-important-for-cameras/10270
Error message
When using a MOBOTIX camera with the default factory certificate (self-signed certificate), the browser usually displays a security warning.
The reason: The certificate was not signed by a publicly recognised certification authority (CA).
The exact wording depends on the browser in question.
Google Chrome / Microsoft Edge (Chromium-based)
‘Your connection is not private’
Frequent error code:
NET::ERR_CERT_AUTHORITY_INVALID
Meaning:
The certificate was issued by an authority that is not considered trustworthy.
Mozilla Firefox
„Warning: Potential Security Risk Ahead“
Note:
The issuer of the certificate is not considered trustworthy.
Safari
This connection is not private.
Why is this message appearing?
The default factory certificate for MOBOTIX cameras is:
- Self-signed
- Not signed by a public CA
- Not recognised by browsers by default
The browser is therefore unable to establish a complete chain of trust back to a known root CA.
Important clarification
This message does not mean that the camera is unsafe!
It merely indicates that the browser does not automatically trust the issuing certification authority.
In internal networks, this behaviour is technically normal, provided that:
- the connection is established deliberately
- it is ensured that the correct camera is actually being accessed
How can the warning message be avoided?
Option 1: Individual cameras (small installations)
If there are only a few cameras, the device-specific certificate for each camera can be stored manually in the browser.
However, this solution is not practical for larger installations.
Option 2: Centralised solution via the MOBOTIX Management Centre (recommended)
If you have multiple cameras, we recommend using MxMC to create your own self-signed root certificate.
MxMC can:
- Generate its own root certificate
- Define this as an internal trust authority
- Create a derived, signed device certificate for each camera
- Automatically distribute these certificates to the cameras
Details hierzu finden sie in dem folgenden Community Artikel:
Easy SSL Certification generation and upload for multiple Cameras
Alternatively, a company-owned root certificate can be uploaded to the MxMC. The MxMC uses this to create device-specific certificates for each MOBOTIX IoT camera. The chain of trust remains completely consistent.
Result: Clean internal certificate structure
Root certificate (created or imported in MxMC)
→ signs camera certificates
→ cameras present signed certificates to clients
The decisive advantage:
The root certificate only needs to be installed once on the client systems (PCs, servers, VMS servers) as trustworthy.
After that, all cameras whose certificates have been signed by this root certificate will be automatically accepted.
Practical advantages
- No manual certificate confirmation per camera
- Uniform internal chain of trust
- Scalable solution for larger installations
- Full HTTPS encryption is retained
Functionally, this corresponds to a company-owned Certificate Authority (CA), specifically for the camera infrastructure.
Store root certificate in operating system or browser
Prerequisite:
A self-signed root certificate has been created and exported in MxMC.
This root certificate must be imported as trusted on the client systems.
Windows (Google Chrome and Microsoft Edge)
Chrome and Edge use Windows certificate management.
Procedure:
- Open Control Panel
- ‘Network and Internet’ → ‘Internet Options’
- ‘Content’ tab → “Certificates”
- ‘Trusted Root Certification Authorities’ tab
- Select ‘Import’
- Select the exported root certificate file (e.g. mxmc-root.cer)
- Complete the import and confirm the security warning
After successful import, Chrome and Edge trust all signed MOBOTIX camera certificates.
macOS (Google Chrome and Safari)
Chrome and Safari use macOS Keychain Access.
Procedure:
- Open ‘Keychain Access’
- Select the appropriate keychain (System or System Roots)
- Import the root certificate
- Open the certificate → ‘Trust’ section
- Enable the ‘Always Trust’ option
- Confirm changes with your administrator password
Linux
The root certificate must be imported into the system-wide certificate management system.
The procedure varies depending on the distribution. If the browser uses its own certificate store, the certificate must also be imported there.
Mozilla Firefox (all operating systems)
Firefox uses its own certificate store.
Procedure:
- Open Settings
- Select ‘Privacy & Security’
- Select ‘Security’ → ‘View Certificates’
- Select the ‘Certificate Authorities’ tab
- Select ‘Import’
- Select the root certificate
- Enable the option ‘Trust this CA to identify websites’
Important security note
The root certificate created in MxMC is the central trust authority for your camera infrastructure.
The associated private key must be stored securely and protected against unauthorised access.
Once the root certificate has been installed on the clients, manual confirmation of individual camera certificates is no longer necessary. The entire chain of trust is then based on your own internal certification authority.
MOBOTIX AG factory certificate
Every MOBOTIX camera is equipped with a device-specific SSL certificate before leaving the factory.
This certificate is derived from MOBOTIX’s own self-signed root certificate. The associated root certificate and private key are stored securely at MOBOTIX and are protected against unauthorised access.
Example browser view of a camera factory certificate that has expired (indicated by the ‘Expires On’ field):
The same certificate details can also be viewed in the camera menu under ‘Admin → Web server’.
Validity period of factory certificates
- Current MOBOTIX ONE cameras: 25 years
- Earlier models (e.g. MOBOTIX T24): 15 years
The certificate must be replaced after this period has expired.
Managing SSL Certificates in the Camera
Using the camera’s web interface (Admin area → Web server), the user can:
- Upload their own SSL certificate
- Create a new self-signed certificate with an individual validity period
For installations with multiple cameras, central management via the SSL certificate manager in the MOBOTIX Management Centre (MxMC) is recommended.
This function allows new certificates to be created efficiently and distributed to multiple cameras simultaneously.
Interaction between SSL certificate and camera IP address
The factory IP address of the camera is stored in the factory certificate as part of the certificate data.
If the camera is operated via DHCP in a different subnet (e.g. 192.168.1.x instead of 10.x.x.x), the browser may display a warning message.
The reason:
The IP address currently in use does not match the address stored in the certificate.
In this case, a new certificate should be created and assigned to the camera – for example, via MxMC. The currently configured IP address is automatically taken into account.
Important note regarding IP address changes
When making future changes to the network structure, please ensure that:
- Cameras retain the same IP address where possible
- Or a new certificate is created when IP addresses are changed
Typical scenarios for IP changes:
- Change of DSL router or internet provider
- Change or reconfiguration of the DHCP server
- Network conversion or subnet change
If the IP address is changed without adjusting the certificate, this can lead to browser warning messages again.