SSL Certificate Install/Update

We are currently using a wildcard SSL cert to secure our mobile servers. However, we would like to know if we can automate the installation of the certificate via the command line or SDK/API, as we can’t always use the management client to do this. Also, when the certificate needs to be renewed we will have many systems in the field that have to have this automated. Please advise.

Hi Josh,

our SDK does not support changing the certificate. Actually, changing the certificate in the Mobile Server makes Windows API calls. We are wrapping Crypt32.dll, AdvApi32.dll and kernel32.dll, so you can make your own script or tool that does that. Just keep in mind that when you reinstall (upgrade) the Mobile Server the certificate might not be kept and you have to run your tool again.

Regards,

Tsvetomira

Thanks for the info, can you provide any further detail? How do we associate a cert in the certificate store to the mobile server? We need a little more info on how to make that link. Is it linked using an appid?

Hi Josh,

Mobile Server uses the http.sys Windows driver in order to establish http/https connections.

In order for this to happen, two things should be done in the OS configuration:

  • Declare (reserve) a particular port that will be used for a particular type of communication by an application running under a particular account and security settings.

In order to do this manually you could open cmd and work with the “netsh http” commands.

For example

“netsh http show urlacl” will print all the system reservations.

On an OS with MoS installed you should see something like this as the response:

"
Reserved URL : http://+:8081/
    User: NT AUTHORITY\NETWORK SERVICE
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;NS)

Reserved URL : https://+:8082/
    User: NT AUTHORITY\NETWORK SERVICE
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;NS)
"

If you want to change those you can use:

“netsh http update urlacl”

“netsh http delete urlacl”

“netsh http add urlacl”

You have to be an administrator in order for those to be successful.

  • Attach a particular certificate to a particular port so that https is supported.

Again, variants of the “netsh http” command are used here.

“netsh http show sslcert” will list all the available assignments.

You should see something like the following on the MoS machine:

"
IP:port                                 : 0.0.0.0:8082
Certificate Hash                        : dc932860fb9d52361e5ef4f477e94ee4c399777d
Application ID                          : {00000000-0000-0000-0000-000000000000}
Certificate Store Name                  : My
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                             : Disabled
Revocation Freshness Time               : 0
URL Retrieval Timeout                   : 0
Ctl Identifier                          : (null)
Ctl Store Name                          : (null)
DS Mapper Usage                         : Disabled
Negotiate Client Certificate            : Disabled
Reject Connections                      : Disabled
Disable HTTP2                           : Not Set
Disable QUIC                            : Not Set
Disable TLS1.3                          : Not Set
Disable OCSP Stapling                   : Not Set
"

In order to change the assigned certificate you can use:

“netsh http update sslcert”

“netsh http delete sslcert”

“netsh http add sslcert”

(you have to be an administrator)

The important things here are the cert hash and the store where this certificate is added.

You can see the certificates in the different stores using the “mmc” (Microsoft Management Console) tool of the OS (“Add/Remove Snap-ins” → “Certificates” → “Computer account” → “Local computer”, and after that “Certificates” → “Personal” → “Certificates”).

To summarize:

If you want to change the certificate:

  1. Add the new certificate to the store.
  2. Bind it to the port (“netsh http xxx sslcert”).

If you want to change the port:

  1. Add/change the reservation (“netsh http xxx urlacl”).
  2. Bind it to the port (“netsh http xxx sslcert”).
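The certificate-change procedure above (import into the store, then rebind the port with “netsh http … sslcert”) as an added PowerShell example; this is not Milestone's code and not part of the original thread. It assumes the https port 0.0.0.0:8082 and the “My” store from Petar's output, a PFX file and password supplied by the caller, and an elevated session. It keeps the Application ID of the existing binding so the Mobile Server's reservation stays intact, refuses to bind a certificate that is expired or has no private key, and verifies the binding afterwards instead of trusting that netsh succeeded.

```powershell
# Added example, not Milestone's own tooling. Rotates the http.sys SSL binding
# on the Mobile Server https port. Assumed: port 0.0.0.0:8082, store "My",
# PFX path/password passed in by the caller. Must run elevated.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,      # new cert + private key
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    [string] $IpPort = '0.0.0.0:8082'                    # https port from the thread
)

$ErrorActionPreference = 'Stop'
# Keep native commands (netsh) from throwing on non-zero exit in PowerShell 7.3+;
# the exit codes are checked explicitly below. Harmless on Windows PowerShell 5.1.
$PSNativeCommandUseErrorActionPreference = $false

# 1. netsh http add/delete sslcert and urlacl require an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# 2. Import the new certificate into LocalMachine\My ("Personal" in mmc).
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# Refuse to bind something http.sys cannot actually serve with.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 3. Read the current binding to reuse its Application ID and learn the old hash.
$current = (netsh http show sslcert ipport=$IpPort) | Out-String
$appId   = '{00000000-0000-0000-0000-000000000000}'   # fallback: value shown in the thread
if ($current -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') { $appId = $Matches[1] }
$oldHash = $null
if ($current -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)')   { $oldHash = $Matches[1] }

if ($oldHash -and ($oldHash -ieq $cert.Thumbprint)) {
    Write-Host "Port $IpPort is already bound to $($cert.Thumbprint); nothing to do."
    return
}

# 4. Replace the binding: delete the old assignment (if any), then add the new one.
if ($oldHash) {
    netsh http delete sslcert ipport=$IpPort | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed for $IpPort." }
}
netsh http add sslcert ipport=$IpPort certhash=$($cert.Thumbprint) appid="$appId" certstorename=MY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort." }

# 5. Verify http.sys now reports the new thumbprint rather than trusting netsh's output.
$after = (netsh http show sslcert ipport=$IpPort) | Out-String
if ($after -notmatch [regex]::Escape($cert.Thumbprint)) {
    throw 'Binding verification failed: new thumbprint not present on the port.'
}
Write-Host "Bound $($cert.Thumbprint) to $IpPort (appid $appId, store My)."
```

Run it as `.\Rotate-MoSCert.ps1 -PfxPath C:\path\to\new.pfx -PfxPassword (Read-Host -AsSecureString)` from an elevated prompt; the script name and path are placeholders. Because the urlacl reservation is left untouched, only the certificate assignment changes. As Tsvetomira noted, a reinstall or upgrade of the Mobile Server may drop the binding, so a field deployment should run this after upgrades as well as at renewal time, and a scheduled check that compares the bound hash against the expected thumbprint will catch a binding that silently reverted.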

Petar,

that is exactly the info we needed. We will test and let you know.

thanks!