Milestone XProtect and Tailscale VPN using SSL

This post builds on Milestone XProtect Mobile Server – SSL Certificate configuration; we continue to use an SSL certificate with HTTPS.

The advantage of using Tailscale VPN, which is free for up to 20 devices for personal use, is that no HTTP/HTTPS port has to be opened to the public Internet.

Configure Tailscale

Configuration is very simple:

  1. Download and install Tailscale on all Windows, Linux, Android and iOS devices
  2. Log in using SSO with your preferred method
  3. Once logged in, open the Admin panel
  4. In the DNS section, select or change your tailnet name; this registers a unique domain name for the DNS entries
  5. Enable MagicDNS in the DNS section to automatically register domain names for the devices in your tailnet
  6. Enable HTTPS Certificates in the DNS section to allow HTTPS certificates to be provisioned

HTTPS Certificates lets you replace the certificate you generated manually with Let’s Encrypt by an equivalent certificate that Tailscale generates for a specific server in your tailnet.

Generate Certificate from Tailscale

To generate the SSL certificate, connect to the server / PC:

  1. Open PowerShell / CMD with Run as Administrator
  2. Change to the folder where the certificate will be created: CD C:\Certificate
  3. Generate the certificate with the tailscale command: tailscale cert "<server_name>.<tailnet_name>"
  4. The certificate file <server_name>.<tailnet_name> and the private key file <server_name>.<tailnet_name> are created in the current folder

Convert certificate in Windows

To use the certificate in IIS running on Windows 10 or 11, the certificate file must be in PFX format, which contains the certificate and the private key together.

Windows has the certutil tool, which can generate a PFX file from a CER and a KEY file (with the same name in the same folder), but the CRT file format isn’t recognized correctly:

certutil -mergepfx "<server_name>.<tailnet_name>" "<server_name>.<tailnet_name>"

To generate the PFX file online, use the SSL online converter website and select “Standard PEM” as the current format and “PFX/PKCS#12” as the target. Keep in mind that this uploads your private key to a third party; the offline method below avoids that.

To generate the PFX file offline you can use OpenSSL built for Windows. This is the syntax to convert a PEM certificate and key to PFX:

openssl pkcs12 -export -out "<server_name>.<tailnet_name>" -inkey "<server_name>.<tailnet_name>" -in "<server_name>.<tailnet_name>"

Import PFX certificate

The easiest way is to double-click the PFX file and follow the Certificate Import Wizard; remember to import into the Computer store, not the User store.

The automated, scriptable version uses PowerShell with the Import-PfxCertificate cmdlet:

Set-Location -Path cert:\localMachine\my
Import-PfxCertificate -FilePath "C:\Certificate\<server_name>.<tailnet_name>"

Finally, select the new certificate in the Server Config of XProtect Mobile Server.


Milestone XProtect Mobile Server – SSL Certificate configuration

Install the XProtect PowerShell module to manage the Mobile Server, as shown in the video above:

Install-Module Posh-XProtectMobile

Follow this article: MileStone XProtect 2019 R2 – How to generated trusted certificate, on how to get a certificate via MyCertWeb and a free top-level domain from

Once the module is installed, PowerShell can configure the certificate automatically:

Get-Help Set-MobileServerCertificate -examples
Sets the sslcert binding for Milestone XProtect Mobile Server when provided with a certificate, an object with a Thumbprint property, or when the -Thumbprint parameter is explicitly provided.

The Thumbprint must represent a publicly signed and trusted certificate located in Cert:\LocalMachine\My where the private key is present.

Set-MobileServerCertificate [-X509Certificate ] [[-Thumbprint] ]

You can get the X509 certificate object with this command:

PS C:\WINDOWS\system32> $MyCert = gci Cert:\LocalMachine\My | ? Subject -eq ''
PS C:\WINDOWS\system32> $MyCert

 Thumbprint Subject
---------- -------

Once you have verified that the certificate is correct, push the configuration to the Mobile Server with one of these:

Set-MobileServerCertificate -X509Certificate $MyCert
Set-MobileServerCertificate -Thumbprint <GUID>

To remove the certificate binding at the IIS level and check the IIS configuration, use these:

netsh http delete sslcert ipport=

netsh http show sslcert ipport=
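The whole procedure from both posts (tailscale cert, PFX conversion, import into the Computer store, binding with Set-MobileServerCertificate) as one script, added here as an example and not taken from the posts or from the Posh-XProtectMobile project. It assumes tailscale.exe and openssl.exe are on PATH, Posh-XProtectMobile is installed, and it is run as Administrator; it also checks, before binding, the conditions the cmdlet help states (private key present, chain trusted) plus expiry and hostname.

```powershell
# Added example: end-to-end Tailscale certificate -> PFX -> LocalMachine\My -> Mobile Server.
# Assumptions: tailscale.exe / openssl.exe on PATH, Posh-XProtectMobile installed, elevated shell.
param(
    [Parameter(Mandatory)] [string] $TailnetHost,   # MagicDNS name, e.g. "<server_name>.<tailnet_name>"
    [string] $WorkDir = 'C:\Certificate'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# 1. Ask Tailscale for the certificate and key (written as <host>.crt / <host>.key in the current folder).
& tailscale cert $TailnetHost
if ($LASTEXITCODE -ne 0) { throw "tailscale cert failed for $TailnetHost" }

# 2. Bundle certificate + key into a PFX. A random one-time password protects the file on disk;
#    it is only needed for the import in step 3.
$pfxPath = Join-Path $WorkDir "$TailnetHost.pfx"
$rnd = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$pfxPassword = [Convert]::ToBase64String($rnd)
& openssl pkcs12 -export -out $pfxPath -inkey "$TailnetHost.key" -in "$TailnetHost.crt" -passout "pass:$pfxPassword"
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed" }

# 3. Import into the Computer store (LocalMachine\My), not the User store, then drop the PFX:
#    the private key now lives in the store and the file on disk is just another copy of it.
$secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $secure
Remove-Item $pfxPath -Force

# 4. Verify what the binding requires before touching the Mobile Server.
if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate already expired ($($cert.NotAfter))" }
if (-not $cert.Verify()) { throw "Certificate chain is not trusted on this machine" }
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $TailnetHost) { throw "Certificate is for '$dnsName', expected '$TailnetHost'" }

# 5. Bind it to the Mobile Server using the thumbprint, then list the resulting sslcert bindings.
Import-Module Posh-XProtectMobile
Set-MobileServerCertificate -Thumbprint $cert.Thumbprint
Write-Host "Bound $TailnetHost ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
netsh http show sslcert
```

Tailscale-issued certificates are short-lived, so the same script can be re-run from a scheduled task to renew the binding before NotAfter is reached.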