ssl

The w3pi web server lets administrators use SSL/TLS certificates so that traffic to the server cannot be read by anyone eavesdropping on the network. Setting this up requires two small utility programs on Windows IoT Core, because the desktop GUI tools for managing certificates are not available there.

ImportPfx.zip  CPU: ARM  |  MD5 Hash: b2e33156927d4f21f0ec152639bd2c73  |  Size: 12.4 KB
Imports the public/private key pair from a .pfx file into the local machine certificate store, so the HTTP Server API (HTTP.sys) can use it for encryption.

HttpSetCert  CPU: ARM  |  MD5 Hash: d82ef0604f5d48c2b5d222444ddb9700  |  Size: 12 KB
Directs the HTTP Server API to use a specific certificate from the certificate store for a particular URL (host and port).

  1. Copy the .pfx file to the Pi.
  2. Open an SSH session to the Pi and run ImportPfx to import the .pfx into the certificate store.
  3. Next run HttpSetCert to bind the imported certificate to the URL w3pi will serve.
  4. Specify /s when running w3pi and you are now running a secure web server.
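
Before copying the .pfx to the Pi, it pays to check that the downloaded utilities match the listed hashes and that the .pfx actually contains what ImportPfx and HttpSetCert need: a private key, a CA-issued (not self-signed) certificate, and the name you intend to browse to. The following PowerShell script is an added example written for this page, not code from w3pi or its utilities; the file paths, the saved file name for HttpSetCert and the FQDN minwinpc.mydomain.local are assumptions to be replaced with your own, and the MD5 values are the ones listed above.

```powershell
# Added pre-flight check, not part of w3pi. Run on the Windows machine where you
# downloaded the utilities and exported the .pfx.

# MD5 values copied from the download list above. MD5 is collision-prone and the
# values come from the same page as the files, so this only catches corrupt or
# swapped downloads, not a malicious replacement of both file and hash.
$expected = @{
    'C:\w3pi\ImportPfx.zip' = 'b2e33156927d4f21f0ec152639bd2c73'   # assumed path
    'C:\w3pi\HttpSetCert'   = 'd82ef0604f5d48c2b5d222444ddb9700'   # assumed path; use the name the download was saved under
}
foreach ($path in $expected.Keys) {
    $actual = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
    if ($actual -ne $expected[$path]) {
        throw "Hash mismatch for $path : got $actual, expected $($expected[$path])"
    }
}
Write-Host 'Utility hashes match the listed values.'

# Open the PFX the same way ImportPfx will see it.
$pfxPath = 'C:\w3pi\ssl.pfx'                       # assumed
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
$piFqdn  = 'minwinpc.mydomain.local'               # assumed: the name you will type in the browser
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass)
try {
    # Subject Alternative Name (OID 2.5.29.17); Format() renders lines such as "DNS Name=host"
    $dnsNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $dnsNames = @($sanExt.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } })
    }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    $problems = @()
    if (-not $cert.HasPrivateKey)       { $problems += 'no private key in the PFX (re-export with "Yes, export the private key")' }
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'issued-to equals issued-by: this is a self-signed or CA certificate, not the server certificate' }
    if ($cert.NotAfter -lt (Get-Date))  { $problems += "certificate expired on $($cert.NotAfter)" }
    if ($dnsNames -notcontains $piFqdn -and $cn -ne $piFqdn) {
        $problems += "neither CN ($cn) nor SAN ($($dnsNames -join ', ')) matches $piFqdn; browsers will report a name mismatch"
    }

    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "SAN DNS : $($dnsNames -join ', ')"
    "Expires : $($cert.NotAfter)"
    if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
    else           { Write-Host 'PFX looks usable for w3pi.' }
} finally {
    $cert.Dispose()   # releases the temporary key container created when the PFX was opened
}
```

Run it from an ordinary PowerShell prompt on the workstation; it does not touch the certificate store, so nothing is left behind apart from the .pfx you already had.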

To remove certificates that you have installed with these utilities (minwinpc and mydomain-CA below are the example server and CA names; substitute the common names you actually used):

  1. certmgr -del -c -n minwinpc -s -r LocalMachine My
  2. certmgr -del -c -n mydomain-CA -s -r LocalMachine Root

then navigate to c:\users\administrator\AppData\Roaming\Microsoft\Crypto on the Pi and delete the private key file that ImportPfx created there. certmgr only removes the certificate entry; the key container stays on disk until you delete it.
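
The same cleanup can be done without hunting for the key file, because the PowerShell certificate provider can delete a certificate and its private key in one step. The script below is an added example, not a w3pi utility; it assumes you have a PowerShell session on the device (for example through Enter-PSSession) with the Cert: drive available, and that the names minwinpc and mydomain-CA match the certmgr example above.

```powershell
# Added alternative to the certmgr steps above, not part of w3pi. Assumes a
# PowerShell session on the Pi with the Cert: provider; run as Administrator.
$serverName = 'minwinpc'      # subject CN of the server certificate, as in the certmgr example
$caName     = 'mydomain-CA'   # subject CN of the CA certificate, as in the certmgr example

# Refuse to guess if the filter is ambiguous; a wrong -DeleteKey is not reversible.
$serverCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$serverName*" })
if ($serverCerts.Count -ne 1) {
    throw "Expected exactly one certificate for CN=$serverName in LocalMachine\My, found $($serverCerts.Count); filter by thumbprint instead."
}
$serverCerts | Format-List Subject, Issuer, Thumbprint, HasPrivateKey

# -DeleteKey removes the key container along with the certificate, which is the
# manual "delete the private key" step done precisely.
Remove-Item -Path "Cert:\LocalMachine\My\$($serverCerts[0].Thumbprint)" -DeleteKey

# The CA certificate carries no private key on this machine; a plain remove is enough.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$caName*" } | Remove-Item

# Verify nothing is left in either store.
$left = @(Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like "CN=$serverName*" -or $_.Subject -like "CN=$caName*" })
if ($left.Count -eq 0) { 'Cleanup complete.' } else { $left | Format-List Subject, PSParentPath }
```

HttpSetCert's binding of the certificate to the URL is a separate HTTP.sys setting and is not touched by either method; rerun HttpSetCert when you install a replacement certificate.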

Troubleshooting

  • After setting up the certificate and starting w3pi.exe, I am unable to connect to the webserver remotely.
  • Try connecting via IP address instead of hostname. If necessary, configure your DNS or hosts file. Also try entering the FQDN instead of just a hostname: the browser compares the name you typed against the name in the certificate, so the FQDN that was put into the certificate is the one to use.
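
When the browser only shows a generic error, it helps to see what the server actually presents. The PowerShell probe below is an added example, not part of w3pi: it opens a TLS connection to the Pi, records why certificate validation would fail, and prints the certificate's names and issuer. The FQDN minwinpc.mydomain.local and port 443 are assumptions; pass the address you can reach in -ConnectTo if DNS is not set up yet, while keeping -ServerName as the name you expect the certificate to carry.

```powershell
# Added diagnostic, not part of w3pi. Save as tls-probe.ps1 and run from a client.
param(
    [string]$ServerName = 'minwinpc.mydomain.local',   # assumed: the name that should be in the certificate
    [string]$ConnectTo  = $null,                        # IP address or hostname to open the socket to (defaults to ServerName)
    [int]$Port          = 443                           # assumed: the port w3pi /s listens on
)
if (-not $ConnectTo) { $ConnectTo = $ServerName }

$script:policyErrors = $null
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors   # remember why validation would fail
    return $true                              # accept anyway: this is a probe, not a client
}

$tcp = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    # The name given here is what gets checked against CN/SAN, exactly as a browser does.
    $tls.AuthenticateAsClient($ServerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }

    "Protocol   : $($tls.SslProtocol)"
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "SAN        : $san"
    "Valid until: $($cert.NotAfter)"
    "Policy     : $script:policyErrors"

    # Several flags can be set at once; every matching case prints.
    switch -Wildcard ("$script:policyErrors") {
        '*RemoteCertificateNameMismatch*' { Write-Warning "'$ServerName' is not in the certificate; browse with the name that is (the FQDN), or reissue with it as a DNS name." }
        '*RemoteCertificateChainErrors*'  { Write-Warning "Issuer '$($cert.Issuer)' is not trusted by this client; install the CA certificate in the client's Trusted Root store." }
        '*RemoteCertificateNotAvailable*' { Write-Warning 'The server sent no certificate; check that HttpSetCert bound the certificate to this URL and port.' }
        'None'                            { 'Certificate validates from this client.' }
    }
} finally {
    $tls.Dispose()
    $tcp.Close()
}
```

If the TcpClient constructor itself throws, the problem is below TLS (wrong port, firewall, or w3pi not running), and no certificate setting will fix it.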

Setup an Enterprise-CA

  1. Install a Windows Server 2012 R2 server with Active Directory, DHCP, DNS and a Certificate Authority.
  2. Open the Certification Authority management console, right-click the certificate authority and choose Properties.
  3. Click the Extensions tab.
  4. Select the http entry and check the 2 checkboxes as shown below.
_images/1.png
  5. Select AIA from the drop-down list box, then select the http entry and check the box as shown below.
_images/2.png
  6. Now you will need to duplicate the WebServer template. In the Certification Authority management console, right-click the Certificate Templates folder and choose Manage.
_images/3.png
  7. Right-click the WebServer template and choose Duplicate Template.
  8. On the Compatibility tab, select Windows Server 2012 R2 for the certification authority and Windows 8 for the certificate recipient.
_images/4.png
  9. Check "Allow private key to be exported" under the Request Handling tab.
_images/5.png
  10. Click OK and close the Certificate Templates console.
  11. Now you will need to move the duplicated WebServer template you created into production. In the Certification Authority management console, right-click the Certificate Templates folder and choose New -> Certificate Template to Issue.
_images/6.png
  12. Issue the template you created earlier.
  13. Open an administrative command prompt, type mmc and press Enter.
  14. Go to the File menu and select Add/Remove Snap-in.
_images/7.png
  15. Select Certificates and choose Add.
_images/8.png
  16. Choose Computer account, then Next.
_images/9.png
  17. Click Finish and OK.
  18. Right-click Certificates -> Personal -> Certificates and select All Tasks -> Advanced Operations -> Create Custom Request from the fly-out menus.
_images/10.png
  19. Click Next, Next and then choose the template you created earlier.
  20. Click the down arrow and then click Properties.
_images/11.png
  21. On the Subject tab, enter your server's FQDN as the Common name and click Add. Also add the same FQDN as a DNS alternative name as shown below; clients check the name they connect with against these entries, so the FQDN you will browse to must appear here.
_images/12.png
  22. Click the Private Key tab and allow the private key to be exported.
_images/13.png
  23. Expand the Key permissions section and add the Everyone group (from the local computer location) with access to the private key, click OK and save the request to the hard drive (the steps below refer to it as ssl.req). Everyone is broader than the web server needs; for least privilege, grant read access only to the account w3pi runs under.
_images/14.png
  24. Open the Certification Authority management console, right-click the CA and choose Submit new request.
_images/15.png
  25. Point it to the ssl.req file you saved in step 23 and click Open.
  26. Afterwards, open the certificate that gets created by double-clicking it in Windows Explorer.
_images/16.png
  27. Install it into the Local Machine store.
_images/17.png
  28. Click Next and then Finish.
  29. A successful import will result in a certificate being placed in the local system's MY (Personal) store. The certificate's Issued By must be different from its Issued To; if they are the same you are looking at a self-signed certificate or the CA's own certificate, not the server certificate your CA issued.
_images/18.png
  30. Start the Certificate Export Wizard for that certificate (All Tasks -> Export), click Next and then choose Yes, export the private key.
_images/19.png
  31. Choose Next.
_images/20.png
  32. Enter a password twice and choose Next.
_images/21.png
  33. Save the file to the local hard disk. The private key is confidential, so after you have finished transporting it to the destination, delete the file and wipe the free space of that drive with cipher /w:<drive> (cipher /w overwrites deallocated space only; it does not zero the whole disk).
  34. You are now done generating a certificate for w3pi.
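
Steps 13 to 33 can also be scripted with certreq and the PKI module, which is handier when you issue certificates for more than one device. The script below is an added example for this page, not part of w3pi or of the procedure above; it assumes the duplicated template's name is w3piWebServer, that the CA is reachable as CA01.mydomain.local\mydomain-CA, and that the Pi's FQDN is minwinpc.mydomain.local. Replace those with your own values.

```powershell
# Added command-line equivalent of steps 13 to 33, not part of w3pi. Run on a
# domain-joined Windows machine that can reach the CA, as Administrator.
$fqdn     = 'minwinpc.mydomain.local'          # assumed: the Pi's FQDN, goes into CN and SAN
$caConfig = 'CA01.mydomain.local\mydomain-CA'  # assumed: "CA host\CA name"
$template = 'w3piWebServer'                    # assumed: template name (not display name) of the duplicated WebServer template
$workDir  = 'C:\w3pi'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq .inf that mirrors the custom request: machine key, exportable, SAN with the FQDN.
# KeyUsage 0xA0 = digitalSignature | keyEncipherment; KeySpec 1 = AT_KEYEXCHANGE.
# The key ACL is left at its default (SYSTEM and Administrators); the GUI step that
# grants Everyone is not reproduced. Grant read to w3pi's service account if it needs it.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path "$workDir\ssl.inf" -Encoding ASCII

certreq -new "$workDir\ssl.inf" "$workDir\ssl.req"                        # steps 18 to 23: key pair + request
certreq -submit -config $caConfig "$workDir\ssl.req" "$workDir\ssl.cer"   # steps 24 and 25: submit to the CA
certreq -accept "$workDir\ssl.cer"                                        # steps 26 to 29: install, binding cert to the machine key

# Locate the issued certificate in LocalMachine\My. Issued By must differ from
# Issued To (step 29), and the private key must be present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey -and $_.Issuer -ne $_.Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-issued certificate for $fqdn with a private key found in LocalMachine\My" }

# Steps 30 to 33: export with the private key and a password. BuildChain also
# packs the CA certificate into the .pfx.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$workDir\ssl.pfx" -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) to $workDir\ssl.pfx; copy it to the Pi, then run ImportPfx and HttpSetCert."

# After the copy succeeds, remove the local file and wipe free space on that volume
# (cipher /w overwrites deallocated clusters; it does not zero the whole disk):
#   Remove-Item "$workDir\ssl.pfx"
#   cipher /w:C:\
```

If certreq -submit reports that the request is pending, the template requires CA manager approval; issue it in the Certification Authority console under Pending Requests and then run certreq -retrieve with the request ID it printed before continuing with certreq -accept.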