Milestone XProtect and Tailscale VPN using SSL

This post builds on Milestone XProtect Mobile Server – SSL Certificate configuration, as we continue to use an SSL certificate with HTTPS.

The advantage of using Tailscale VPN, which is free for up to 20 devices for personal use, is that no HTTP/HTTPS port has to be opened to the public internet.

Configure Tailscale

Configuration is very simple:

  1. Download and install Tailscale on all Windows, Linux, Android and iOS devices
  2. Log in using SSO with your preferred method
  3. Once logged in, open the Admin panel
  4. In the DNS section, select or change your tailnet name; this is the unique domain name used in the DNS entries
  5. In the DNS section, enable MagicDNS to automatically register domain names for the devices in your tailnet
  6. In the DNS section, enable HTTPS Certificates to allow provisioning of HTTPS certificates

HTTPS Certificates lets you replace the certificate you generated manually with Let’s Encrypt by a similar certificate that Tailscale provisions for a specific server under your tailnet name.

Generate Certificate from Tailscale

To generate the SSL certificate, connect to the server / PC:

  1. Open PowerShell / CMD with Run as Administrator
  2. Change to the folder where the certificate will be created: CD C:\Certificate
  3. Generate the certificate with the tailscale command: tailscale cert "<server_name>.<tailnet_name>.ts.net"
  4. The certificate file <server_name>.<tailnet_name>.ts.net.crt and the private key file <server_name>.<tailnet_name>.ts.net.key are created in the current folder

Convert certificate in Windows

To use the certificate in IIS on Windows 10 or 11, the certificate must be in PFX format, which bundles the certificate and the private key together.

Windows has the certutil tool, which can generate a PFX file from a CER and a KEY file (with the same base name in the same folder), but the CRT file format isn’t recognized correctly:

certutil -mergepfx "<server_name>.<tailnet_name>.ts.net.crt" "<server_name>.<tailnet_name>.ts.net.pfx"

To generate the PFX file online, use an SSL online converter website and select “Standard PEM” as the current certificate format and “PFX/PKCS#12” as the target; note that this means uploading your private key to a third-party service.

To generate the PFX file offline you can use an OpenSSL build for Windows. This is the syntax to convert a PEM certificate to PFX:

openssl pkcs12 -export -out "<server_name>.<tailnet_name>.ts.net.pfx" -inkey "<server_name>.<tailnet_name>.ts.net.key" -in "<server_name>.<tailnet_name>.ts.net.crt"

Import PFX certificate

The easier way is to double-click the PFX file and follow the certificate import wizard; remember to import into the Computer store, not the User store.

The automated, scriptable version is to use PowerShell with the Import-PfxCertificate cmdlet:

# Switch to the Computer (Local Machine) personal store so the import lands there and not in the User store
Set-Location -Path cert:\localMachine\my
# Import the PFX into the current store location
Import-PfxCertificate -FilePath "C:\Certificate\<server_name>.<tailnet_name>.ts.net.pfx"

Finally, select the new certificate in Server Config of the XProtect Mobile Server.
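The whole procedure above, from tailscale cert to a certificate in the Computer store, as one PowerShell script. This is an added example, not code from the original post; it assumes tailscale.exe and openssl.exe are on the PATH, uses a placeholder FQDN, goes beyond the post by skipping the run while the installed certificate still has more than 30 days left, and still leaves the final selection in Server Config to you.

```powershell
# Added example (not from the original post): renew a Tailscale-issued certificate
# for the XProtect Mobile Server host and place it in the Local Machine store.
# Assumptions: tailscale.exe and openssl.exe are on PATH, C:\Certificate is the
# working folder, and $Fqdn is a placeholder for your own node name.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Fqdn      = 'mobileserver.example-tailnet.ts.net'   # placeholder: <server_name>.<tailnet_name>.ts.net
$WorkDir   = 'C:\Certificate'
$CrtFile   = Join-Path $WorkDir "$Fqdn.crt"
$KeyFile   = Join-Path $WorkDir "$Fqdn.key"
$PfxFile   = Join-Path $WorkDir "$Fqdn.pfx"
$StorePath = 'Cert:\LocalMachine\My'   # Computer store, not the User store
$RenewBeforeDays = 30

# 0. Nothing to do while the store already holds a certificate for this name with enough validity left.
$Current = Get-ChildItem $StorePath |
  Where-Object { $_.Subject -like "CN=$Fqdn*" } |
  Sort-Object NotAfter -Descending | Select-Object -First 1
if ($Current -and $Current.NotAfter -gt (Get-Date).AddDays($RenewBeforeDays)) {
  "Certificate $($Current.Thumbprint) is valid until $($Current.NotAfter); skipping renewal."
  return
}
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# 1. Ask Tailscale for the certificate (HTTPS Certificates must be enabled in the admin panel).
& tailscale cert $Fqdn
if ($LASTEXITCODE -ne 0) { throw "tailscale cert failed (exit code $LASTEXITCODE)" }

# 2. Bundle certificate and key into a PFX protected by a random one-time password,
#    handed to openssl through the environment so it never appears on the command line.
$Rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Bytes = New-Object byte[] 24
$Rng.GetBytes($Bytes)
$env:PFX_PASS = [Convert]::ToBase64String($Bytes)
& openssl pkcs12 -export -out $PfxFile -inkey $KeyFile -in $CrtFile -passout env:PFX_PASS
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed (exit code $LASTEXITCODE)" }

# 3. Import into the Computer store; the cmdlet returns the imported certificate object.
$Secure = ConvertTo-SecureString $env:PFX_PASS -AsPlainText -Force
$Cert = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation $StorePath -Password $Secure
Remove-Item Env:\PFX_PASS

# 4. The private key now lives in the store, so remove the PEM key and the PFX from disk.
Remove-Item $KeyFile, $PfxFile -Force

# 5. The thumbprint is what you pick in Server Config of the XProtect Mobile Server.
"Imported $($Cert.Subject)  thumbprint=$($Cert.Thumbprint)  expires=$($Cert.NotAfter.ToString('yyyy-MM-dd'))"
```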