SSL

The w3pi web server lets administrators install an SSL/TLS certificate so that traffic between browser and server cannot be read on the network. Setting this up on Windows IoT Core takes two small utility programs (below), because the GUI-driven certificate tools of desktop Windows are not available there.

ImportPFX.zip | ARM cpu | Size: 17 KB
ImportPFX.zip | x86 cpu | Size: 18 KB
- imports the certificate and its private key from a .pfx file into the LocalMachine certificate store, where the HTTP Server API (HTTP.sys) can use the key for TLS

HttpSetCert.zip | ARM cpu | Size: 15 KB
HttpSetCert.zip | x86 cpu | Size: 16 KB
- binds a certificate from that store to a URL namespace (address and port), so that HTTP.sys serves it for every request to that namespace

Software Publisher (code-signing) certificate: w3pi-spc2.cer

  1. Copy the .pfx file (certificate plus private key, protected by its export password) to the device
  2. Open an SSH session to the device and run ImportPFX to import the .pfx into the certificate store
  3. Run HttpSetCert to bind the imported certificate to the URL namespace that w3pi serves
  4. Start w3pi with the /s switch; it now serves HTTPS
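
Neither utility reports much, so it is worth checking both results before starting w3pi. The following script is an added example, not part of w3pi or its utilities: it confirms that the certificate landed in the LocalMachine Personal (My) store together with its private key, and that HTTP.sys has an SSL binding that references it. It assumes the device name minwinpc (the IoT Core default), and that PowerShell with the Cert: drive and netsh are available on the image; adjust the name to your certificate's common name.

```powershell
# Added example, not part of w3pi or its utilities: verify what ImportPFX and
# HttpSetCert did. Assumptions: certificate CN is minwinpc, and the image has
# PowerShell with the Cert: drive plus netsh.
$Hostname = 'minwinpc'

function Get-W3piServerCert {
    param([string]$Name)
    # Newest certificate whose subject starts with the device name.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Name*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-W3piServerCert -Name $Hostname
if (-not $cert) {
    throw "No certificate for CN=$Hostname in LocalMachine\My; ImportPFX did not import it into this store"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate is present but has no private key; the .pfx must contain the key, not only the certificate"
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)"
}
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey

# HttpSetCert's binding is what "netsh http show sslcert" lists. The Certificate Hash
# line must carry this thumbprint; -match is case-insensitive, so letter case does not matter.
$bindings = netsh http show sslcert
if ($bindings -match $cert.Thumbprint) {
    "HTTP.sys has an SSL binding for thumbprint $($cert.Thumbprint)"
} else {
    Write-Warning "No HTTP.sys SSL binding references thumbprint $($cert.Thumbprint); re-run HttpSetCert"
}
```

If the first check passes but the second fails, w3pi /s will start but the TLS handshake fails for every client, so fix the binding before looking at name resolution.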

To remove certificates that you have installed with these utilities (the examples use the default IoT Core device name minwinpc and a CA named mydomain-CA; substitute your own), delete the server certificate from the LocalMachine Personal (My) store and the CA certificate from the LocalMachine Trusted Root store:

certmgr -del -c -n minwinpc -s -r LocalMachine My
certmgr -del -c -n mydomain-CA -s -r LocalMachine Root

certmgr removes only the certificates, not the key material, so then navigate to c:\users\administrator\AppData\Roaming\Microsoft\Crypto and delete the private key container there. If the certificate was bound with HttpSetCert, remove that HTTP.sys binding as well; otherwise HTTP.sys keeps pointing at a certificate that no longer exists.
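
The same clean-up can be scripted. This is an added example, not part of w3pi: it uses the PowerShell certificate provider, whose Remove-Item -DeleteKey also deletes the private key container the certificate references (wherever the CSP stored it), and netsh, which removes the HTTP.sys binding that HttpSetCert created and that the certmgr commands above do not touch. It assumes the device name minwinpc, the CA name mydomain-CA, and that w3pi was bound to 0.0.0.0:443; change these to match your setup.

```powershell
# Added example, not part of w3pi: remove the HTTP.sys binding, the server
# certificate with its private key, and the CA certificate.
# Assumptions: CN minwinpc, CA mydomain-CA, binding on 0.0.0.0:443.
$Hostname = 'minwinpc'
$CaName   = 'mydomain-CA'
$IpPort   = '0.0.0.0:443'

# 1. Drop the HTTP.sys SSL binding first so nothing references the certificate.
#    "show sslcert" prints a Certificate Hash line only when a binding exists.
if ((netsh http show sslcert ipport=$IpPort) -match 'Certificate Hash') {
    netsh http delete sslcert ipport=$IpPort | Out-Null
    "Removed HTTP.sys SSL binding on $IpPort"
}

# 2. Delete the server certificate(s) and their private keys from LocalMachine\My.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Hostname*" } |
    ForEach-Object {
        "Removing $($_.Subject) ($($_.Thumbprint)) and its private key"
        Remove-Item -Path $_.PSPath -DeleteKey   # -DeleteKey also removes the key container
    }

# 3. Remove the CA certificate from the trusted root store. Only do this if nothing
#    else on the device relies on that CA.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    ForEach-Object {
        "Removing CA certificate $($_.Subject) ($($_.Thumbprint))"
        Remove-Item -Path $_.PSPath
    }
```

Run it in an elevated session; deleting from LocalMachine stores and changing HTTP.sys configuration both require administrative rights.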

Troubleshooting

After installing the certificate and starting w3pi.exe, you may be unable to reach the web server remotely. This is usually a name-resolution problem rather than a TLS problem: try the device's IP address instead of its hostname to confirm the server is reachable (expect a certificate-name warning in that case, because the certificate carries the hostname, not the IP). If that works, add the name to your DNS or hosts file, and use the fully qualified domain name (FQDN) rather than the short hostname: the name in the URL has to match the common name or a DNS subject alternative name in the certificate, otherwise the browser warns about or refuses the connection.
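
To tell the two failure modes apart from a client machine, the following added example (not part of w3pi) opens a raw TLS connection to the device and reports what the server presents and why the client would reject it. A failure in the Connect call means DNS, hosts file or firewall; a successful connection with PolicyErrors of RemoteCertificateNameMismatch means the name you typed does not match the certificate, and RemoteCertificateChainErrors means the issuing CA is not trusted on the client. It assumes the device is reachable as minwinpc.mydomain.local on port 443; the function name Test-W3piTls is the example's own.

```powershell
# Added example, not part of w3pi: inspect the certificate w3pi presents and the
# validation verdict a client would reach for the name you connect with.
# Assumption: the device answers as minwinpc.mydomain.local on port 443.
function Test-W3piTls {
    param(
        [Parameter(Mandatory)][string]$Target,   # the name or IP you would put in the browser
        [int]$Port = 443
    )
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Failing here means name resolution or firewall, not TLS.
        $client.Connect($Target, $Port)

        # Record the client's verdict but accept anyway, so we can still read the certificate.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Target)      # $Target is the name checked against CN/SAN

        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $remote.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |   # subjectAltName
            ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Target          = $Target
            Protocol        = $ssl.SslProtocol
            Subject         = $remote.Subject
            Issuer          = $remote.Issuer
            SubjectAltNames = $san
            NotAfter        = $remote.NotAfter
            PolicyErrors    = $script:policyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
        }
    } finally {
        $client.Close()
    }
}

Test-W3piTls -Target 'minwinpc.mydomain.local'
```

Fix a name mismatch by using the name from the CN or SAN (or by reissuing the certificate with the right names), not by clicking through the browser warning; doing the latter trains users to accept any certificate, which defeats the point of enabling SSL.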

Setting up an Enterprise CA

This section walks through setting up an Enterprise Certificate Authority on Windows Server and using it to issue the server certificate that w3pi needs.

  1. Install a Windows Server 2012 R2 machine with the Active Directory Domain Services, DHCP, DNS and Active Directory Certificate Services roles.
  2. Open the Certification Authority management console, right-click the certification authority and choose Properties.
  3. Click the Extensions tab.
  4. Select the http entry and check the two checkboxes shown below.
_images/1.png
  5. Select AIA from the drop-down list, then select the http entry and check the box shown below.
_images/2.png
  6. Duplicate the Web Server template: in the Certification Authority console, right-click the Certificate Templates folder and choose Manage.
_images/3.png
  7. Right-click the Web Server template and choose Duplicate Template.
  8. For Compatibility, select Windows Server 2012 R2 for the certification authority and Windows 8 for the certificate recipient (the client).
_images/4.png
  9. On the Request Handling tab, check Allow private key to be exported.
_images/5.png
  10. Click OK and close the Certificate Templates console.
  11. Publish the duplicated template: in the Certification Authority console, right-click the Certificate Templates folder and choose New -> Certificate Template to Issue.
_images/6.png
  12. Select the template you created earlier and issue it.
  13. Open an administrative command prompt, type mmc and press Enter.
  14. From the File menu, select Add/Remove Snap-in.
_images/7.png
  15. Select Certificates and click Add.
_images/8.png
  16. Choose Computer account and click Next.
_images/9.png
  17. Click Finish, then OK.
  18. Right-click Certificates -> Personal -> Certificates and select All Tasks -> Advanced Operations -> Create Custom Request from the fly-out menus.
_images/10.png
  19. Click Next, Next, and then choose the template you created earlier.
  20. Click the down arrow next to the template and then click Properties.
_images/11.png
  21. Enter the server's FQDN as the Common name and click Add. Also add a DNS alternative name as shown below; this is the name browsers will check the certificate against.
_images/12.png
  22. On the Private Key tab, allow the private key to be exported.
_images/13.png
  23. Expand the Key permissions section and grant the local computer's Everyone group access to the private key, click OK, and save the request file (ssl.req) to the hard disk. Everyone is broader than w3pi needs; only the account that runs the web server has to read the key, so tighten this once the server works.
_images/14.png
  24. Open the Certification Authority console, right-click the CA and choose All Tasks -> Submit new request.
_images/15.png
  25. Select the ssl.req file you saved in step 23 and click Open.
  26. Afterwards, open the certificate that the CA issues by double-clicking it in Windows Explorer.
_images/16.png
  27. Install it into the Local Machine store.
_images/17.png
  28. Click Next and then Finish.
  29. A successful import places the certificate in the Local Computer Personal (My) store. Its Issued by field must differ from its Issued to field; if they are the same, the certificate is self-signed and was not issued by the CA.
_images/18.png
  30. Start the Certificate Export Wizard for that certificate (right-click it, All Tasks -> Export), click Next and choose Yes, export the private key.
_images/19.png
  31. Choose Next.
_images/20.png
  32. Enter a password twice and choose Next. The .pfx is only as safe as this password, so use a strong one.
_images/21.png
  33. Save the file to the local hard disk. The private key is confidential, so after you have copied the .pfx to the device, delete the file and wipe the free space on that volume with cipher /w:<directory> (the switch needs a directory on the volume to wipe, and on SSDs this overwrite is not a guarantee).
  34. You now have a certificate for w3pi; return to the four steps at the top of this page to install it on the device.
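
The same request, issuance and export flow can be scripted with certreq, certutil and the PKI cmdlets, which is easier to repeat than the MMC walkthrough and avoids hand-typing the names. This is an added example and not part of the w3pi project. It assumes a device FQDN of minwinpc.mydomain.local, a CA reachable through the config string ca.mydomain.local\mydomain-CA (host name and CA name, as shown by certutil -dump), and that the duplicated template's name (not its display name) is W3piWebServer; run it in an elevated prompt on a domain-joined machine.

```powershell
# Added example, not from w3pi: CSR -> enterprise CA -> LocalMachine\My -> .pfx,
# the command-line equivalent of steps 13 through 33 above.
# Assumptions: FQDN minwinpc.mydomain.local, CA config ca.mydomain.local\mydomain-CA,
# template name W3piWebServer. Adjust all four variables to your environment.
$Fqdn      = 'minwinpc.mydomain.local'
$ShortName = 'minwinpc'
$CaConfig  = 'ca.mydomain.local\mydomain-CA'
$Template  = 'W3piWebServer'
$OutDir    = 'C:\w3pi-cert'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Request parameters: machine key set, exportable key (the template must allow this),
# RSA 2048 / SHA-256, and a SAN carrying both the FQDN and the short name.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$ShortName&"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$OutDir\ssl.inf" -Encoding ASCII

# Generate the key pair in the Local Machine store and write the CSR.
certreq -new "$OutDir\ssl.inf" "$OutDir\ssl.req"
# Submit the CSR to the enterprise CA and receive the issued certificate.
certreq -submit -config $CaConfig "$OutDir\ssl.req" "$OutDir\ssl.cer"
# Join the issued certificate with its private key in LocalMachine\My.
certreq -accept "$OutDir\ssl.cer"

# Same checks as step 29: present, with private key, and not self-signed.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate is not in LocalMachine\My with its private key' }
if ($cert.Issuer -eq $cert.Subject) { throw 'Certificate is self-signed; the CA did not issue it' }

# Export certificate plus private key as PKCS#12 (steps 30-33). Prompting keeps the
# password out of the command line and the shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\ssl.pfx" -Password $pfxPassword | Out-Null

# Also export the CA certificate, for the device and any client that must trust it.
certutil -config $CaConfig -ca.cert "$OutDir\ca.cer" | Out-Null

"Copy $OutDir\ssl.pfx to the device, then run ImportPFX and HttpSetCert."
# Once the .pfx is on the device, remove the local copy and wipe free space:
#   Remove-Item "$OutDir\ssl.pfx"; cipher /w:$OutDir
```

The INF's Exportable = TRUE only takes effect because the duplicated template allows private key export (step 9); with the stock Web Server template the CA still issues the certificate, but Export-PfxCertificate fails because the key is marked non-exportable.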