Milestone XProtect Mobile Server – SSL Certificate configuration

Install the XProtect PowerShell module to manage Mobile Server, as shown in the video above:

Install-Module Posh-XProtectMobile

To get a certificate via MyCertWeb and a free top-level domain from http://My.dot.tk, follow this article: MileStone XProtect 2019 R2 – How to generated trusted certificate

Once the module is installed on the system, PowerShell can configure the certificate automatically:

Get-Help Set-MobileServerCertificate -examples
Sets the sslcert binding for Milestone XProtect Mobile Server when provided with a certificate, an object with a Thumbprint property, or when the -Thumbprint parameter is explicitly provided.

The Thumbprint must represent a publicly signed and trusted certificate located in Cert:\LocalMachine\My where the private key is present.

Set-MobileServerCertificate [-X509Certificate ] [[-Thumbprint] ]

You can get X509 certificate object using this command:

PS C:\WINDOWS\system32> $MyCert = gci Cert:\LocalMachine\My | ? Subject -eq 'CN=my.domain.tk'
PS C:\WINDOWS\system32> $MyCert

 Thumbprint Subject
---------- -------
<GUID> CN=my.domain.tk 

Once you have verified the certificate is correct, you can push the configuration to Mobile Server with either of these:

Set-MobileServerCertificate -X509Certificate $MyCert
Set-MobileServerCertificate -Thumbprint <GUID>
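
The requirements stated above (trusted chain, located in Cert:\LocalMachine\My, private key present) can be checked before the binding is changed. This is an added example, not part of the original post or of the Posh-XProtectMobile module; the function name Test-MobileServerCertCandidate is hypothetical, and my.domain.tk is the sample name used on this page.

```powershell
# Added example: pre-flight checks before calling Set-MobileServerCertificate.
# Test-MobileServerCertCandidate is a hypothetical helper name.
function Test-MobileServerCertCandidate {
    param(
        [Parameter(Mandatory)] [string] $DnsName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: TLS server authentication
    $now = Get-Date

    # Same lookup as on the page; after a renewal it can return several
    # certificates with the same subject, so each one is reported.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" } |
        ForEach-Object {
            $cert = $_
            $ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ })
            # Builds the chain against the machine trust store under the SSL policy.
            $chainOk = Test-Certificate -Cert $cert -Policy SSL `
                -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                # No EKU extension means the certificate is not restricted by purpose.
                ServerAuthEku = ($ekus.Count -eq 0) -or ($ekus.ObjectId -contains $serverAuthOid)
                NameListed    = (@($cert.DnsNameList.Unicode) -contains $DnsName)
                ChainTrusted  = [bool]$chainOk
            }
        }
}

# Pick the newest certificate that passes every check; otherwise change nothing.
$candidate = Test-MobileServerCertCandidate -DnsName 'my.domain.tk' |
    Where-Object {
        $_.HasPrivateKey -and $_.InValidity -and $_.ServerAuthEku -and
        $_.NameListed -and $_.ChainTrusted -and -not $_.SelfSigned
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($candidate) {
    Set-MobileServerCertificate -Thumbprint $candidate.Thumbprint
} else {
    Write-Warning 'No certificate meets the requirements; binding left unchanged.'
}
```

Run the function on its own first to see which check fails for each certificate. NameListed is an exact match, so a wildcard certificate reports False there even when it covers the name.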

To remove the certificate binding at the IIS level and check the IIS configuration, use these:

netsh http delete sslcert ipport=0.0.0.0:8082

netsh http show sslcert ipport=0.0.0.0:8082

MileStone XProtect 2019 R2 – How to generated trusted certificate

MileStone Essential+ is great video surveillance software that supports 8 cams for free and is designed to expand to more with paid versions.

I use it at home with 4 cameras, and the new version 2019 R2 enforces a new level of security by requiring trusted certificates and deprecating the old self-signed certificate, which most mobile OSes refuse to verify.

The easiest way to generate one is via CertifyTheWeb, which will generate a free SSL certificate valid for 3 months that you can renew for free.

I used Azure DNS validation to confirm I own the website and publish it automatically on my local IIS website.

To get a public website, you can use my.dot.tk