Well got the first key to work fine, having issues trying to use a ssl key. Got it working with personal certs, but having a tough time regenerating a new one now. Will keep trying. I did have to export the cert thru IE and export the private key. I have another idea I'm trying from an IIS doc I found, will let you know.

-Mike

I will try to use SelfSSL from Microsoft to create a certificate under Windows XP. Will be working on it tonight.

Rene

Just got it, but was kind of backwards... I had to generate a new key thru what I found here:
http://www.msexchange.org/tutorials/..._OWA_2003.html

Once done, go back into IIS, export the pfx, note the password you use, then save the file. Go back to HS, copy in the new pfx, specify the password you exported with and it worked. Warnings are now gone. I did also notice that the lock disappears, maybe due to the insecure parts on that page?

-Mike

Ok, the lock *will* disappear if you say yes to display the insecure content... but if you say no (everything will still show up, odd), but the lock *will* remain showing it's encrypted.

Also note... if you generate the key to it's internal name, ie the computer name, internally you will NOT getting the warning about the ssl cert being invalid. However if you access from the outside (ie foo.dyndns.org), you will as the certs won't match. You will have to generate the key based on the external name, or else just ignore the warning.

Sorry for the multiposts, just got a bit over excited

-Mike

mloebl,

Got it working under XP using Selfssl, Wife is calling for dinner, will create a procedure (cook Book) on how to do it..

Want to work on it together?

Later

Rene

Thanks for the feedback guys, look like the code is working ok, just need to get the procedure to generate your own certificate. It would be great if you could document a way to do it so anyone with Windows XP Home could do it. Not sure if that is possible without some external tools. If XP Professional is required, we'll just have to document that.

Rich,

Thanks for your support in getting SSL.

I do not have a XP home computer, but I don't believe XP professional will be required. Most likely the user will have to download some free software from Microsoft.

More details to follow.

Rene

Works for me

-Mike

Mike,

what I have done so far on my laptop, (havent touched the SBS 2003 server) is the following:

1- Installed IIS.
2- Downloaded IIS 6.0 resource kit from Microsoft (free) from here
(thanks Karls (Steven))

http://www.microsoft.com/downloads/d...displaylang=en


3- Installed the resource kit, but only the SelfSSL portion of it (do a custom installation)
4 -Select on "All Programs" IIS Resources and then SelfSSL.
5 -As you must have notice it opens a command window and shows you the default parameters use by the program.
6- Create a cert with the proper parameters (still working on the right parameters to eliminate all of the warnings when installin the certificate)
7- You have now created a certificate, unfortunately is not in the PFX format needed for Homeseer.
8- Now using the MMC certificate add-in convert it to a PFX (read the following Microsoft Technet document on how to do it.)

http://support.microsoft.com/default...232136&sd=tech

9- Move the certificate to the Homeseer folder.

10-Change the cert file name to the name you used, and enter the password you used in step 8 on the Web Setup screen of Homeseer.

and BINGO.


Now I need to see if I can use an IP address instead of a FQDN.

Rene

PS: Please let me know of omissions, errors or mistakes...

Rene,

Here's what you have to do for Windows 2003 based keys from IIS. I do not believe the OS of the Homeseer machine matters. There may be an easier way, but I haven't found it yet. I know you can generate www server certs thru the www page, but it doesn't seem to allow you to export the pfx that you need.

1. Follow directions on this site for installing IIS and Certificate certs in Windows 2003 if you don't already have it installed:
http://www.msexchange.org/tutorials/..._OWA_2003.html
Note: You can disable IIS when done as to not conflict OR you can do it on a spare machine, it does NOT have to be the Homeseer system to be generated.
2. Once the key has be generated, it will need to be exported again: Click Start > Administrative Tools > Internet Information Services (IIS) Manager
3. Expand Websites > Right-click Default Website then select Properties
4. Now select the Directory Security tab under Secure Communications and click Server Certificate
5. Choose "Export the current certificate to a .pfx file" from the radio buttons and press next
6. In the next wizard page, choose a file location and save your .pfx file.
7. Enter the password
8. Copy the .pfx file to the Homeseer directory
9. In Homeseer setup enter the .pfx file and enter the password from step 7

-Mike

Mike,

I think we are never going to get rid of all of the warnings, unless the HS computer has the following:

1- A domain name, I think a dynamic address with one of the many name to IP DNS service will do (I have a static IP address)

2- And more important the computer MUST have a public IP address,

In other words, It cannot be behind a router with NAT turned on, as the IP address of the computer will be a 10.... 172.... or 192... and will never match the address of the name resolution provided by DNS,

We should be able to publish a cert that will work perfectly with an internal address, but it will always give some warning if you are behind NAT, and who isn't ?

Unless you and the server are in the private network and likely part of a domain, and then your own DNS will resolve your server name/domain to the corresponding internal IP address.

Need to research and sleep on it.

Mike, any thoughts??

Rene

Rene,

Here's what I've got... I set my ssl cert to use my dyndns.org fqdm. From externally, it will allow me to connect and NOT give any warnings other than the one glitch for the secure/insecure that Rich knows about. However, if I connect internally thru https, I *will* get a warning as the certificate has my external name associated with it. Vice versa if I generate a key based on the HS machine name, internally no warnings, but externally you will get warnings. I figured that internally I don't need https, so the external domain name is what I use.

Hope that makes sense, if not, let me know.

-Mike

Rene,
Here is the link for the Microsoft IIS Resource Kit. please add to your docs.

http://www.microsoft.com/downloads/d...displaylang=en

This link will only work with xp pro or windows 2003 server.

Thanks,

Steven

Thanks Steven,

I has downloaded the resource kit a while ago, and was not sure where it was located.

Have you tried the basic cookbook?

Rene