Setting custom certificate on YSoft SafeQ Mobile Integration Gateway web interface

YSoft SafeQ Mobile Integration Gateway comes with a pre-installed self-signed certificate, so the communication is always encrypted. Clients will not trust this certificate, however: it is not issued by a certification authority they trust and it was not generated for your server's names, so browsers and mobile devices either warn about it or, depending on their policy, refuse the connection.

The following guide describes how to replace it with your own certificate, one that is trusted in your environment.

There are two ways of managing the server certificate:

  • Using Command line

  • Using Mobile Integration Gateway administration

Command line

Certificate requirements

  • The certificate must be signed by a certification authority trusted in your environment.

  • The certificate must cover all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used to connect to the Mobile Integration Gateway. List them in the Subject Alternative Name extension (DNS entries for names, IP address entries for addresses) and put the primary name in the Common Name as well; current browsers and mobile clients ignore the Common Name once a Subject Alternative Name is present, so the Common Name alone is not sufficient.

  • For importing, the certificate must be in Personal Information Exchange format (a .pfx file) containing the private key and the whole certificate chain.

If your key/certificate is in a format other than Personal Information Exchange, convert it following the guide in Conversions between different keystores and certificate types.

If you do not have a key/certificate at all, follow the guide in the Generating key/certificate in Java Keystore format chapter in System communication hardening.

Configuring Mobile Integration Gateway to use secure communication channel

  1. Copy your key/certificate in the Personal Information exchange format to the server where the Mobile Integration Gateway is installed.

  2. Import the key with the signed certificate into the Windows certificate store. Run the command from an elevated command prompt so that it targets the Local Computer \ Personal store ("My"), which is where netsh looks the certificate up in the next step.
    In Windows Server 2012 use the following command:

    certutil.exe -importpfx "My" "safeqcertificate.pfx"

    In Windows Server 2008 use the following command:

    certutil.exe -importpfx "safeqcertificate.pfx"
  3. Map the certificate to the Mobile Integration Gateway port:

    netsh http delete sslcert ipport=0.0.0.0:portNum
    netsh http add sslcert ipport=0.0.0.0:portNum appid={e30002ed-301d-4c40-a94e-d4360173fd81} certhash=000102030405060708090a0b0c0d0e0f10111213

    Default port for Mobile Integration Gateway is 8050.

    The value of certhash is the thumbprint (SHA-1 hash) of the certificate as stored in the Windows certificate store under Local Computer \ Personal. You can obtain it by opening the certificate (.cer or .crt) file in Windows and reading the Thumbprint field on the Details tab. Remove the spaces and make sure no invisible characters are carried over when copying the value from the dialog: the dialog adds an invisible Unicode control character (a left-to-right mark) at the beginning of the value, and netsh rejects a certhash that contains it. Reading the thumbprint from the store with a command-line tool instead of the dialog avoids the problem.
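The three command-line steps above as one script, added here as an example and not part of the YSoft SafeQ documentation. It is meant for an elevated PowerShell prompt on the gateway server (Windows Server 2012 or later, which ships the PKI module). The PFX path, the port and the host name are assumptions; the appid is the one given on this page. Besides importing and binding, the script checks the certificate the way a practitioner would before binding it: that a private key came with it, that it chains to a root trusted on the machine and is valid for the host name, and that the thumbprint is taken from the store object rather than copied from the certificate dialog.

```powershell
# Added example, not from the YSoft SafeQ documentation: steps 1-3 of the
# command-line procedure as one script, run from an elevated PowerShell prompt
# on the gateway server. Assumed values: the PFX path, the port and the host
# name; the appid is the one given on this page.
param(
    [string]  $PfxPath   = 'C:\certs\safeqcertificate.pfx',          # assumption
    [int]     $Port      = 8050,                                      # default MIG port
    [string[]]$HostNames = @('mig.example.com'),                      # assumption: names clients connect to
    [string]  $AppId     = '{e30002ed-301d-4c40-a94e-d4360173fd81}'  # appid from this page
)

# 1. Import into Local Computer \ Personal (Cert:\LocalMachine\My), the store in
#    which netsh resolves certhash. Prompt for the PFX password instead of passing
#    it on the command line, where it would end up in the shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw 'The imported certificate has no private key; netsh cannot bind it to the port.'
}

# 2. Take the thumbprint from the store object. This avoids the spaces and the
#    invisible left-to-right mark that copying from the certificate dialog adds.
$thumbprint = $cert.Thumbprint
if ($thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint format: '$thumbprint'" }

# 3. Before binding, check that the certificate chains to a root trusted on this
#    machine, is valid for TLS server authentication and matches every host name
#    clients will use. Test-Certificate takes DNS names only; IP addresses listed
#    in the Subject Alternative Name have to be checked separately.
foreach ($name in $HostNames) {
    $valid = Test-Certificate -Cert $cert -Policy SSL -DNSName $name -ErrorAction SilentlyContinue
    if (-not $valid) { throw "Certificate $thumbprint does not validate as a TLS server certificate for '$name'." }
}

# 4. Replace any binding already present on the port (the delete fails harmlessly
#    if there is none), then bind the new certificate with the gateway's appid.
$ipport = "0.0.0.0:$Port"
& netsh http delete sslcert "ipport=$ipport" 2>$null | Out-Null
& netsh http add sslcert "ipport=$ipport" "certhash=$thumbprint" "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# 5. Read the binding back and confirm it carries the thumbprint just imported
#    (-match is case-insensitive; netsh prints the hash in lower case).
$binding = & netsh http show sslcert "ipport=$ipport"
if (($binding -join "`n") -notmatch $thumbprint) {
    throw "Binding on $ipport does not show thumbprint $thumbprint"
}
$binding
```

The script stops at the first failed check, so a certificate that is missing its private key, does not chain to a trusted root or does not name the gateway never reaches the netsh binding step; an existing binding on the port is left untouched in that case.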

Mobile Integration Gateway administration

Mobile Integration Gateway provides a web interface for configuring the Mobile Integration Gateway service. After logging in, the administrator can modify the announced printer name and location and manage server certificates, i.e. create a certificate signing request and upload back the signed certificate chain, which is then used for HTTPS connections to the Mobile Integration Gateway.

  1. Go to https://mig_ip:port/administration

    Default port for Mobile Integration Gateway administration is 8050.

  2. In the Certificates tab select Generate certificate signing request.

    images/download/attachments/160484400/MIG1.png

  3. Fill in the form when prompted. The Common Name field is required and should contain the server's fully qualified domain name.
    images/download/attachments/160484400/MIG2.png

  4. Clicking the Generate certificate signing request button on a correctly filled-in form generates a private key and a certificate signing request, which are downloaded via the web browser. The downloaded .key file is the gateway's private key: keep it confidential and remove it from the download location once the signed certificate has been uploaded.

  5. Sign the request (the downloaded .csr file) with your certification authority, or, if you use an external certification authority, send the certificate signing request to them for signing. You will receive your signed certificate (usually a .crt file) along with the certificate of that authority.

  6. Select Upload certificate in the Certificates tab in the Mobile Integration Gateway administration.

  7. Upload the signed certificate by selecting the certificate (*.crt) and private key (*.key) files. If a password was specified for the private key when generating the certificate signing request, the same password has to be entered when uploading the signed certificate. The uploaded certificate is added to the Windows certificate store and then mapped to the Mobile Integration Gateway's port.

    images/download/attachments/160484400/MIG3.png

    The certificate file (.crt) needs to contain all the certificates in the chain, in a specific order. The first is the certificate of the Mobile Integration Gateway itself. Each following certificate belongs to the authority that directly signed the previous certificate. The last one belongs to the root certification authority. A chain in the wrong order, or one with a missing intermediate, will be served incompletely and clients will fail to validate it.
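A check on the chain file before uploading it, added here as an example and not part of the YSoft SafeQ documentation. It reads a concatenated PEM file, verifies that each certificate is issued by the next one and that the file ends with a self-signed root, lets .NET build the chain for the leaf from the same certificates and compares that order with the file order, and confirms that the leaf's Subject Alternative Name lists the gateway's name. The file path and the expected host name are assumptions; it needs Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the YSoft SafeQ documentation: verify that a PEM chain
# file is ordered leaf -> intermediate(s) -> root before uploading it.
# Assumptions: the chain file path and the host name clients use for the gateway.
param(
    [string]  $ChainPath     = 'C:\certs\mig-chain.crt',   # assumption
    [string[]]$ExpectedNames = @('mig.example.com')        # assumption
)
$ok = $true

# Split the file into its PEM blocks and load each one, preserving file order.
$pem    = Get-Content -Path $ChainPath -Raw
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
if ($blocks.Count -eq 0) { throw "No PEM certificates found in $ChainPath" }
$certs = @(foreach ($b in $blocks) {
    $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
})
"Found $($certs.Count) certificate(s) in file order:"
for ($i = 0; $i -lt $certs.Count; $i++) { "  [$i] $($certs[$i].Subject)   issued by: $($certs[$i].Issuer)" }

# Name-level check: every certificate must be issued by the one that follows it,
# and the file must end with a self-signed (root) certificate.
for ($i = 0; $i -lt $certs.Count - 1; $i++) {
    if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
        Write-Warning "Certificate [$i] was not issued by certificate [$($i + 1)]: the order is wrong or an intermediate is missing."
        $ok = $false
    }
}
$last = $certs[-1]
if ($last.Subject -ne $last.Issuer) {
    Write-Warning 'The last certificate is not self-signed: the root CA certificate is missing from the file.'
    $ok = $false
}

# Signature-level check: let .NET build the leaf's chain using only the file's
# certificates (plus the machine's trust store) and compare its order with the file.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($certs.Count -gt 1) {
    foreach ($c in $certs[1..($certs.Count - 1)]) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
}
$trusted = $chain.Build($certs[0])
$built   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
for ($i = 0; $i -lt [Math]::Min($built.Count, $certs.Count); $i++) {
    if ($built[$i] -ne $certs[$i].Thumbprint) {
        Write-Warning "Position [$i] in the file differs from the chain .NET built (expected thumbprint $($built[$i]))."
        $ok = $false
    }
}
if (-not $trusted) {
    foreach ($s in $chain.ChainStatus) { Write-Warning "Chain status: $($s.Status) - $($s.StatusInformation.Trim())" }
    $ok = $false
}

# The leaf must name every host clients connect to, in the Subject Alternative Name (OID 2.5.29.17).
$san     = $certs[0].Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
foreach ($name in $ExpectedNames) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        Write-Warning "Leaf certificate SAN does not list '$name' (SAN: '$sanText')."
        $ok = $false
    }
}

if ($ok) { 'Chain file is in the expected order and ready to upload.' } else { throw 'Fix the chain file before uploading it.' }
```

Revocation checking is switched off because the point is the order and completeness of the file, not the CA's CRL availability; if the root is not trusted on the machine running the check, the chain status warning says so and you can decide whether that is expected in your environment.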