w3pi web-server allows administrators to use SSL/TLS certificates to prevent eavesdropping on the network. Implementing SSL requires two small utility programs on Windows IoT Core, because the traditional desktop GUI tools for managing certificates are not available there. Both utilities are provided as ARM and x86 builds.
ImportPfx - imports the public/private key pair (a .pfx file) into the certificate store, so the HTTP API can access it for encryption
HttpSetCert - directs the HTTP API to use a specific certificate from the certificate store for a particular URL namespace

HttpSetCert options:
ipv6 - when binding to an IP address, bind to an IPv6 address as well
sni - use Server Name Indication instead of binding to an IP address; the hostname parameter is used. To specify multiple hostnames, re-run the command once for each separate hostname.
flags: combine flags by adding the values below. The values are hexadecimal (they match the HTTP_SERVICE_CONFIG_SSL_FLAG_* constants of the Windows HTTP Server API), so disabling HTTP/2 and QUIC together is 30, while 2 plus 8 is a, not 10.
2 negotiate client (user) certificate authentication
8 reject client certificates
10 disable HTTP/2
20 disable QUIC
40 disable TLS 1.3
80 disable OCSP stapling
revocationcheckmode: choose one value below (only meaningful when client certificates are negotiated)
0 perform user-certificate revocation checking
1 do not perform user-certificate revocation checking
2 only cached user-certificate revocation information is used
4 the value specified in the revocationcheckttl: option determines when user-certificate revocation is checked again
revocationcheckttl: the number of seconds (interval) before user-certificate revocation is checked again
revocationurltimeout: the number of milliseconds a user-certificate revocation URL has to respond before the revocation check fails

Example binding on a device named minwinpc, using the imported certificate named minwinpc:

HttpSetCert.exe host:minwinpc port:443 certificate:minwinpc ipv6

  1. Copy the .pfx file to the device
  2. Open an SSH session to the device and run ImportPfx
  3. Next run HttpSetCert
  4. Specify /s when running w3pi; you are now running a secure web server
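The four steps above driven from an administrator's PC, as an added example that is not part of the w3pi tooling or this page. It assumes the device exposes its C$ share and SSH to the administrator account, that ImportPfx accepts the .pfx path as its argument (check the tool's own usage output), that with sni the host: parameter carries the SNI hostname, and that the flags: value is hexadecimal as the flag table suggests. Device, user, hostnames and paths are placeholders.

```powershell
# Added example (not from the page). Assumptions: C$ share and SSH reachable as administrator,
# ImportPfx takes the .pfx path as its argument, host: carries the SNI name when sni is given,
# and flags: is hexadecimal (HTTP_SERVICE_CONFIG_SSL_FLAG_* values).
$Device   = 'minwinpc'
$User     = 'administrator'
$PfxLocal = 'C:\certs\ssl.pfx'
$CertName = 'minwinpc'                               # certificate: value for HttpSetCert
$SniNames = 'minwinpc', 'minwinpc.mydomain.local'    # one HttpSetCert run per hostname

# Flag values from the option table, treated as hex so they OR together without collisions.
$Flags = @{
    ClientCertAuth = 0x02; RejectClientCert = 0x08; NoHttp2 = 0x10
    NoQuic         = 0x20; NoTls13          = 0x40; NoOcspStapling = 0x80
}

function Get-HttpSetCertFlags([string[]]$Names) {
    $v = 0
    foreach ($n in $Names) {
        if (-not $Flags.ContainsKey($n)) { throw "unknown flag '$n'" }
        $v = $v -bor $Flags[$n]
    }
    return ('{0:x}' -f $v)        # NoHttp2 + NoQuic -> '30'
}

# w3pi only needs HTTP/1.1, so turn off HTTP/2 and QUIC; keep TLS 1.3 and OCSP stapling on.
$flags = Get-HttpSetCertFlags NoHttp2, NoQuic

# Step 1: copy the .pfx to the device over the admin share.
Copy-Item -Path $PfxLocal -Destination "\\$Device\c$\ssl.pfx"

# Step 2: import it into the device's certificate store.
ssh "$User@$Device" 'ImportPfx.exe C:\ssl.pfx'

# Step 3: bind the certificate for each SNI hostname (the page says to re-run per hostname).
foreach ($name in $SniNames) {
    ssh "$User@$Device" "HttpSetCert.exe host:$name port:443 certificate:$CertName sni flags:$flags"
}

# The key material now lives in the store; remove the transported file from the device.
ssh "$User@$Device" 'del C:\ssl.pfx'

# Step 4: start w3pi with TLS. This session stays attached to the running server.
ssh "$User@$Device" 'w3pi.exe /s'
```

If client-certificate authentication is wanted, add ClientCertAuth to the flag list and append the revocationcheckmode:, revocationcheckttl: and revocationurltimeout: options to the same HttpSetCert line; without flag 2 those revocation settings have nothing to act on.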

To remove certificates that you have installed with these utilities:

certmgr -del -c -n minwinpc -s -r LocalMachine My
certmgr -del -c -n mydomain-CA -s -r LocalMachine Root

then navigate to c:\users\administrator\AppData\Roaming\Microsoft\Crypto and delete the private key there


After setting up the certificate and starting w3pi.exe, you may be unable to connect to the web server remotely. First rule out name resolution: try connecting by IP address instead of hostname, and if that works, configure your DNS or hosts file so the name resolves. Also try the FQDN instead of just the short hostname, since the browser compares the name you typed against the names in the certificate, and an IP address will only match if it was added to the certificate.
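A client-side check for the situation above, as an added example rather than anything from the page or from w3pi: it opens a TLS connection from the administrator's PC, reports the negotiated protocol, the certificate's subject, issuer and DNS names, whether the name you connected with appears in the certificate, and whether the chain is trusted. The hostnames and IP address are placeholders.

```powershell
# Added example (not from the page): diagnose "cannot connect" after enabling TLS on w3pi.
function Test-W3piTls {
    param(
        [Parameter(Mandatory)][string]$Target,     # what you typed: short name, FQDN or IP
        [string]$ServerName = $Target,             # name sent in SNI and matched against the cert
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    # A connect failure here is name resolution or reachability, not a certificate problem.
    $client.Connect($Target, $Port)
    # Accept any certificate during the handshake; it is inspected explicitly below.
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($cert)
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $nameOk  = ($sanText -match ('(?i)DNS Name=' + [regex]::Escape($ServerName) + '(,|$)')) -or
                   ($cert.GetNameInfo('DnsName', $false) -eq $ServerName)
        [pscustomobject]@{
            Target       = $Target
            ServerName   = $ServerName
            Protocol     = $ssl.SslProtocol            # shows whether TLS 1.3 was negotiated
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            SAN          = $sanText
            NameMatches  = $nameOk                    # false when you connected by a name/IP not in the cert
            ChainTrusted = $chainOk                   # false when the issuing CA is not in the client's Root store
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

# Connect by FQDN, by short name, and by IP while still sending the FQDN in SNI.
Test-W3piTls -Target 'minwinpc.mydomain.local'
Test-W3piTls -Target 'minwinpc'
Test-W3piTls -Target '192.168.1.50' -ServerName 'minwinpc.mydomain.local'
```

If the third call succeeds with NameMatches true but the first fails at Connect, the problem is DNS, not the certificate; if ChainTrusted is false, import the CA certificate into the client's Trusted Root store rather than disabling checks.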

Set up an Enterprise CA

This section walks through an example of setting up an Enterprise Certificate Authority (Active Directory Certificate Services) and using it to issue the web server certificate.

  1. Install a Windows Server 2012 R2 server with Active Directory, DHCP, DNS and a Certificate Authority.
  2. Open the Certification Authority management console, right-click the certificate authority and choose Properties.
  3. Click the Extensions tab.
  4. With the CRL Distribution Point (CDP) extension selected, select the http entry and check both checkboxes so the CRL location is included in issued certificates.
  5. Select AIA from the drop-down list, then select the http entry and check the box to include it in issued certificates.
  6. Now duplicate the WebServer template. In the Certification Authority console, right-click the Certificate Templates folder and choose Manage.
  7. Right-click the WebServer template and choose Duplicate Template.
  8. For compatibility, select Windows Server 2012 R2 for the certification authority and Windows 8 for the certificate recipient.
  9. On the Request Handling tab, check Allow private key to be exported.
  10. Click OK and close the Certificate Templates console.
  11. Move the duplicated WebServer template into production: in the Certification Authority console, right-click the Certificate Templates folder and choose New -> Certificate Template to Issue.
  12. Select the template you created earlier.
  13. Open an administrative command prompt, type mmc and press Enter.
  14. Go to the File menu and select Add/Remove Snap-in.
  15. Select Certificates and choose Add.
  16. Choose Computer account, then Next.
  17. Click Finish and then OK.
  18. Right-click Certificates -> Personal -> Certificates and select All Tasks -> Advanced Operations -> Create Custom Request from the fly-out menus.
  19. Click Next, Next, and then choose the template you created earlier.
  20. Click the down arrow next to the template and then click Properties.
  21. Enter your server's FQDN as the Common name and click Add. Also add a DNS name (the FQDN, plus the short hostname if clients will use it) as a subject alternative name.
  22. On the Private Key tab, allow the private key to be exported.
  23. Expand the Key permissions section and grant access to the private key (the guidance here adds Everyone on the local computer; on a production device grant only the account w3pi runs as). Click OK and save the request file (ssl.req) to the hard drive.
  24. Open the Certification Authority console, right-click the CA and choose All Tasks -> Submit new request.
  25. Point it to the ssl.req file you saved and click Open.
  26. Afterwards, open the certificate that gets created by double-clicking it in Windows Explorer.
  27. Install it into the Local Machine store.
  28. Click Next and then Finish.
  29. A successful import places the certificate in the Local Machine MY (Personal) store. Its Issued By field must show the CA and differ from Issued To; if the two are identical the certificate is self-signed and was not issued by the CA.
  30. Right-click the certificate and choose All Tasks -> Export. Click Next, then choose Yes, export the private key.
  31. Choose Next.
  32. Enter a password twice and choose Next.
  33. Save the file to the local hard disk. The private key is confidential, so after you have finished transporting it to the destination, delete the file and wipe the drive's free space with cipher /w:<drive> (cipher /w overwrites unallocated space on the volume; it does not zero the whole disk).
  34. You are now done generating a certificate for w3pi.
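The request, issue, verify and export steps above done on the command line with certreq and the PKI module, as an added example that is not part of the page's walkthrough. It runs on a domain-joined Windows machine as an administrator. The CA config string (ca01.mydomain.local\mydomain-CA), the template name (w3piWebServer, the duplicated WebServer template), the server FQDN and the working directory are hypothetical placeholders.

```powershell
# Added example (not from the page). Placeholders: CA config, template name, FQDN, paths.
$Fqdn     = 'minwinpc.mydomain.local'
$CaConfig = 'ca01.mydomain.local\mydomain-CA'   # "CAHost\CA name" as shown by certutil
$Template = 'w3piWebServer'                     # template *name* of the duplicated WebServer template
$Work     = 'C:\certs'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Equivalent of the Custom Request wizard: machine key, exportable, SChannel-usable (KeySpec=1),
# CN plus DNS subject alternative names for the FQDN and the short hostname.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$($Fqdn.Split('.')[0])&"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\ssl.inf" -Encoding Ascii

certreq -new "$Work\ssl.inf" "$Work\ssl.req"                        # create request + private key
certreq -submit -config $CaConfig "$Work\ssl.req" "$Work\ssl.cer"   # "Submit new request" on the CA
certreq -accept "$Work\ssl.cer"                                     # install into LocalMachine\My, join the key

# Verify the result the way the walkthrough describes: present in the Local Machine MY store,
# Issued By differs from Issued To, and the private key is attached.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert)                      { throw "no certificate for $Fqdn in LocalMachine\My" }
if ($cert.Issuer -eq $cert.Subject)  { throw 'certificate is self-signed; the CA did not issue it' }
if (-not $cert.HasPrivateKey)        { throw 'private key not attached to the certificate' }

# Export with the private key, password-protected, for transport to the device.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$Work\ssl.pfx" -Password $pw | Out-Null

# After the .pfx has been copied to the device, remove the local copies and wipe free space
# (cipher /w overwrites unallocated space on the volume, not the whole disk):
#   Remove-Item "$Work\ssl.pfx", "$Work\ssl.req", "$Work\ssl.cer", "$Work\ssl.inf"
#   cipher /w:C:\
```

The certreq -submit step requires the account to be allowed to enroll on the template; if the CA holds the request as pending, approve it in the console and then run certreq -retrieve with the request ID before certreq -accept.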