Install certificates for communication with the Mobile Server
To use an HTTPS protocol for establishing a secure connection between the mobile server and clients and services, you must apply a valid certificate on the server. The certificate confirms that the certificate holder is authorized to establish secure connections.
In XProtect VMS, encryption is enabled or disabled per Mobile Server. You enable or disable encryption either during installation of the XProtect VMS product or by using the Server Configurator. When you enable encryption on a Mobile Server, you then use encrypted communication with all clients, services, and integrations that retrieve data streams.
When you configure encryption for a server group, it must either be enabled on every computer in the group with certificates issued by the same CA, or be disabled on all computers in the group.
Certificates issued by a CA (Certificate Authority) carry a chain of certificates, and at the root of that chain is the CA root certificate. When a device or browser sees the server certificate, it compares the chain's root certificate with the trusted root certificates pre-installed in the OS (Android, iOS, Windows, etc.). If the root certificate is in the pre-installed list, the OS assures the user that the connection to the server is secure. These certificates are issued for a domain name and are not free of charge.
Add a CA certificate to the server
Add the CA certificate to the Mobile Server by doing the following.
Specific parameters depend on the CA. Refer to the documentation of your CA before proceeding.
- On the computer that hosts the Mobile Server, open the Microsoft Management Console.
- In the Microsoft Management Console, from the File menu select Add/Remove Snap-in….
- Select the Certificates snap-in and click Add.
  Click OK.
- Expand the Certificates object. Right-click the Personal folder and select All Tasks > Advanced Operations > Create Custom Request….
- Click Next in the Certificate Enrollment wizard and select Proceed without enrollment policy.
  Click Next.
- Select the (No template) CNG Key template and the CMC request format, and click Next.
  The request format depends on the CA. If the wrong format is chosen, the CA will return an error when the certificate signing request (CSR) is submitted. Check with the CA to make sure you choose the right one.
- Expand to view the Details of the custom request, and click Properties.
- On the General tab, fill in the Friendly name and Description fields with the domain name registered with the CA.
- On the Subject tab, enter the parameters as required by the specific CA.
  For example, the subject name Type and Value fields differ between CAs. One CA might require the following information:
  - Common Name
  - Organization
  - Organizational Unit
  - City/Locality
  - State/Province
  - Country/Region
- Some CAs don't require extensions. However, if required, go to the Extensions tab and expand the Key usage menu. Add the required options from the list of Available options to the Selected options list.
- On the Private Key tab, expand the Key options menu.
  Set the key size to 2048 and select the option to make the private key exportable.
  The required key size is determined by the CA, so a larger key may be required. Other options, such as a specific Hash Algorithm (sha256), may also be required. Adjust all of the required options before proceeding to the next step.
- Unless the CA requires a signature, the next step is to click OK.
- When all of the certificate properties have been defined, click Next in the Certificate Enrollment wizard.
- Select a location and a format for saving the certificate request. Browse to that location and specify a name for the .req file. The default format is Base64; however, some CAs require the binary format.
- Click Finish.
  A .req file is generated, which you must use to request a signed certificate.
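As an added example (not Milestone's own procedure or tooling), the same custom request can be produced from the command line with certreq.exe and an INF file, which makes the CSR parameters reviewable and repeatable. The DNS name, subject values and working directory below are placeholders; the request type, key length, hash algorithm and exportable settings mirror the wizard choices described above.

```powershell
# Added example: build the custom CSR with certreq.exe instead of the MMC wizard.
# All subject values and the DNS name are placeholders; use the values your CA requires.
$DnsName = 'mobile.example.com'                   # placeholder: the name registered with your CA
$WorkDir = "$env:ProgramData\MobileServerCert"    # placeholder working directory
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# RequestType = CMC matches the wizard choice on this page; some CAs require PKCS10 instead.
# KeyLength = 2048 and Exportable = TRUE match the Private Key tab; raise KeyLength if the CA requires it.
# KeyUsage 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20); EKU 1.3.6.1.5.5.7.3.1 = Server Authentication.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$DnsName, O=Example Org, OU=Video Security, L=Example City, S=Example State, C=US"
FriendlyName = "$DnsName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = CMC
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsName&"
"@

$infPath = Join-Path $WorkDir "$DnsName.inf"
$reqPath = Join-Path $WorkDir "$DnsName.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the local machine store and write the Base64 CSR to $reqPath.
certreq.exe -new $infPath $reqPath

# Review the CSR before sending it: subject, key size, hash and SAN must match the INF.
certutil.exe -dump $reqPath

# When the CA returns the signed certificate (placeholder path), bind it to the pending
# request in the Personal store. This is the command-line equivalent of Install Certificate.
# certreq.exe -accept "$WorkDir\$DnsName.cer"
```

Run the script from an elevated PowerShell session, because a machine key set can only be created by an administrator. The contents of the generated .req file are what you paste into the CA portal in the next section.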
Upload the .req file to receive a signed certificate in return
Every CA has a different process for uploading .req files in order to receive a signed certificate in return. Refer to the documentation of your CA for information on retrieving a signed certificate.
When working with the Mobile Server, it is recommended to use a third-party CA. Most third-party CAs deliver the signed certificate as a .ZIP file, which you download and extract on the computer that hosts the Mobile Server.
Several file types may be included in the extracted .ZIP file contents.
.CER and .CRT files are installed using the same process: right-click the file and choose Install Certificate from the shortcut menu.
The following steps use a .CER file from an internal CA.
Your CA will need the contents of the .req file. You will be asked to copy the entire text of the .req file, including the begin and end lines, and paste the text into a field made available at a portal managed by the CA.
- Browse to the location of the .req file, open it in Notepad, and paste the text into the field provided on the portal managed by your CA.
- When you receive the certificate from your CA, browse to the Downloads folder (or wherever you stored the certificate file on the computer), right-click the certificate and select Install Certificate.
- Accept the security warning if it appears.
  Select to install the certificate for the local machine and click Next.
- Choose a storage location, browse to the Personal certificate store, and click Next.
- Finish the Install Certificate wizard.
Enable encryption on the Mobile Server
Once the certificate is installed on the computer that hosts the Mobile Server, do the following.
- On a computer with a Mobile Server installed, open the Server Configurator from:
  - The Windows Start menu, or
  - The Mobile Server Manager, by right-clicking the Mobile Server Manager icon on the computer task bar
- In the Server Configurator, under Mobile streaming media certificate, turn on Encryption.
- Click Select certificate to open a list with the unique subject names of certificates that have a private key and that are installed on the local computer in the Windows Certificate Store.
- Select a certificate to encrypt the communication of XProtect Mobile client and XProtect Web Client with the Mobile Server.
- Click Apply.
Select Details to view Windows Certificate Store information about the selected certificate.
When you apply the certificate, the Mobile Server service user is granted access to its private key. The certificate must be trusted on all clients.
When you apply certificates, the Mobile Server service restarts.
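The following added check (not part of Milestone's documentation or product) verifies, before and after you click Apply, the conditions this section relies on: the certificate sits in the local machine Personal store with a private key, it chains to a trusted root under the name clients will connect to, the key is at least 2048 bits, and the service account can read the private key file. The DNS name and service account are placeholders.

```powershell
# Added example: verify a Mobile Server certificate before enabling encryption.
# $DnsName and $ServiceAccount are placeholders; use the name registered with your CA
# and the account the Mobile Server service runs as. Run from an elevated session.
$DnsName        = 'mobile.example.com'
$ServiceAccount = 'DOMAIN\MobileServerSvc'

# 1. Candidates: the Select certificate list is built from local machine Personal store
#    certificates that have a private key.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey
$cert = $candidates |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($DnsName))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $DnsName in Cert:\LocalMachine\My" }
Write-Host "Using $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Chain and name validation, the same test a client performs when it connects over HTTPS.
#    A self-signed or internal-CA certificate fails here unless its root is trusted on this machine,
#    and it will fail the same way on every client that does not trust that root.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue)) {
    Write-Warning "Chain or name validation failed for $DnsName; clients will reject this certificate."
}

# 3. Key strength: the procedure above sets 2048 bits as the minimum.
$pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($pub.KeySize -lt 2048) { Write-Warning "Key size $($pub.KeySize) is below 2048 bits" }

# 4. Private key ACL: the service account needs Read access to the key file, otherwise the
#    Mobile Server cannot use the certificate after the service restarts.
$priv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($priv -is [System.Security.Cryptography.RSACng]) { $priv.Key.UniqueName }
           else { $priv.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName `
           -ErrorAction SilentlyContinue | Select-Object -First 1
if ($keyFile) {
    $access = (Get-Acl $keyFile.FullName).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Read|FullControl'
    }
    if (-not $access) { Write-Warning "$ServiceAccount has no Read access to $($keyFile.FullName)" }
} else {
    Write-Warning "Private key file $keyName not found under $env:ProgramData\Microsoft\Crypto"
}
```

The chain check in step 2 is the one most often overlooked: the Server Configurator only requires a private key, so a certificate can be selected and applied on the server yet still be rejected by XProtect Mobile client and XProtect Web Client until its issuing root is trusted on those devices.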
For more information, you may want to see:
- Whitepaper on certificates with the Mobile Server.
- Milestone XProtect Knowledgebase document that outlines the process above using GoDaddy CA.