ImageVault – Certificates and renaming the core service

We recently had some problems with network access which required us to change the service URL for ImageVault from using an IP address to use a hostname instead. This is described in the ImageVault documentation but as this was a bit tricky, I thought I’d share my experiences.

First off, the documentation is straight to the point describing the progress but my installation failed on the first step when generating the certificate.

Turns out you need to add the root certificate to the local machine store, otherwise the makecert.exe command will fail. So, locate the root cert (it’s in C:\Program Files (x86)\EPiServer\ImageVault\<image vault version>\RootCA, named ImageVaultDefaultRootCA.pfx) and double-click the file. Run the wizard and change Store Location to “Local Machine” on the first page, click Next, and Next again on the File to import page. On the third page, enter the password (hint: the password is iv) and hit Next again. On the certificate store page, select “Place all certificates in the following store” and hit Browse… Check the “Show physical stores” checkbox, select “Third-Party Root Certification Authorities”, click OK and then Next, review the details and click Finish. This will install the root cert as a trusted CA on the local computer.

Right, next step is to generate a new certificate for the server. We’ll just assume that the hostname of our server is “IVSRV01”, replace this with your server host name below.

Open up a command prompt as administrator, go to the Tools folder under the ImageVault installation directory (i.e. C:\Program Files (x86)\EPiServer\ImageVault\<image vault version>\Install\Tools) and fire off this command:

makecert.exe -pe -n "CN=IVSRV01, O=Meridium, OU=Dev, L=Kalmar, C=SE" -ss my -sr LocalMachine -a sha1 -sky exchange -eku "1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2" -in "ImageVault Default Root CA" -is Root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

If everything worked, the command should just give a message that says “Success”, if not, check that the root cert was installed correctly (as above).

A certificate has already been assigned to the server IP/port combination and we’ll need to remove it. Type netsh http show sslcert in the command window. The console should show that a certificate is installed; make a note of the IP and port under SSL Certificate bindings (next to IP:port) and remove the cert by running the following command:

netsh http delete sslcert ipport=<ip:port>

Verify that the certificate has been removed by running netsh http show sslcert again.

The next step is to assign the new certificate to the hostname and port. To do that, we’ll need the certificate thumbprint. This can be done a number of ways, but an easy way is to execute this PowerShell command (just type powershell in the console window to start a PowerShell session):

Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Subject -like 'CN=IVSRV01*'} | Select-Object -ExpandProperty Thumbprint | clip

Again, replace the IVSRV01 string with whatever hostname your server should be using. This will retrieve the certificate thumbprint and put it in your clipboard (thanks to | clip at the end; remove that to just output to the console). Note that -ExpandProperty is needed to get the bare hash; a plain Select Thumbprint also emits the “Thumbprint” column header, which netsh will not accept.

Let’s tie this up! We need to assign the certificate to the port. Instead of assigning a specific IP, we’ll use 0.0.0.0:<port> to have the server use the cert regardless of IP.

netsh http add sslcert ipport=0.0.0.0:<PORT TO USE> certhash=<PLACE THUMBPRINT HERE> appid="{99BC3EDA-E00F-407A-9D42-ED081667F541}"

Verify that the certificate has been assigned by running netsh http show sslcert again.

Last steps: configure the core service and clients to use the hostname instead of the IP. This is done by updating the core config, ImageVault.Core.Host.config, changing the IP to the hostname, and doing the same thing for the clients by updating the ImageVaultClient.config file.
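The whole procedure above (trust the root CA, issue the server certificate, remove the old IP binding, bind the new certificate to 0.0.0.0:port, verify) can be scripted so that each step is checked before the next one runs. The script below is an added example, not code from this post or from Meridium/EPiServer. It assumes the same file layout, app id and root CA password as the post; the hostname, port and the <image vault version> path segment are placeholders you replace with your own values, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the post): scripted version of the certificate/rebinding steps.
# Assumptions: hostname, port and install path are placeholders; run from an elevated prompt.
param(
    [string]$HostName = 'IVSRV01',                                # assumption: your server's hostname
    [int]$Port        = 443,                                      # assumption: use the port 'netsh http show sslcert' reported
    [string]$IvRoot   = 'C:\Program Files (x86)\EPiServer\ImageVault\<image vault version>',  # placeholder path
    [string]$AppId    = '{99BC3EDA-E00F-407A-9D42-ED081667F541}'  # ImageVault app id from the post
)
$ErrorActionPreference = 'Stop'
$RootCaName = 'ImageVault Default Root CA'
# AuthRoot is the "Third-Party Root Certification Authorities" store the post uses. makecert's
# "-is Root" names the Trusted Root store; if makecert cannot find the issuer, import into
# Cert:\LocalMachine\Root instead.
$RootStore  = 'AuthRoot'

function Install-IvRootCa {
    # Skip the import when the root CA is already trusted on this machine.
    $existing = Get-ChildItem "Cert:\LocalMachine\$RootStore" | Where-Object { $_.Subject -like "CN=$RootCaName*" }
    if ($existing) { return $existing }
    $pw = ConvertTo-SecureString 'iv' -AsPlainText -Force    # PFX password stated in the post
    Import-PfxCertificate -FilePath (Join-Path $IvRoot 'RootCA\ImageVaultDefaultRootCA.pfx') `
        -CertStoreLocation "Cert:\LocalMachine\$RootStore" -Password $pw
}

function New-IvServerCert {
    $makecert = Join-Path $IvRoot 'Install\Tools\makecert.exe'
    # Same arguments as the post. -a sha1 is kept for fidelity, but makecert also accepts sha256
    # and current clients reject SHA-1 signed certificates, so prefer sha256 where the SDK allows it.
    & $makecert -pe -n "CN=$HostName, O=Meridium, OU=Dev, L=Kalmar, C=SE" -ss my -sr LocalMachine `
        -a sha1 -sky exchange -eku '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2' `
        -in $RootCaName -is Root -ir LocalMachine -sp 'Microsoft RSA SChannel Cryptographic Provider' -sy 12
    if ($LASTEXITCODE -ne 0) { throw "makecert failed (exit $LASTEXITCODE); is the root CA in the LocalMachine store?" }
}

function Get-IvServerCert {
    # Match on issuer as well as subject so an unrelated cert with the same CN is not picked up.
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostName,*" -and $_.Issuer -like "CN=$RootCaName*" }
    if (-not $certs) { throw "No certificate for $HostName issued by '$RootCaName' in LocalMachine\My" }
    # Running makecert twice leaves two certs with the same subject; use the newest one.
    $cert = $certs | Sort-Object NotBefore -Descending | Select-Object -First 1
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
        throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
    }
    return $cert
}

function Get-SslCertBindings {
    # Parse 'netsh http show sslcert' into one object per binding (IP:port, hash, app id).
    $bindings = @(); $cur = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $cur = [pscustomobject]@{ IPPort = $Matches[1]; Hash = $null; AppId = $null }
            $bindings += $cur
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') { $cur.Hash  = $Matches[1] }
        elseif   ($cur -and $line -match '^\s*Application ID\s*:\s*(\S+)')   { $cur.AppId = $Matches[1] }
    }
    return $bindings
}

function Set-IvSslBinding([string]$Thumbprint) {
    # Remove only bindings owned by ImageVault's app id, leaving other services' HTTPS bindings alone.
    foreach ($b in (Get-SslCertBindings | Where-Object { $_.AppId -eq $AppId })) {
        netsh http delete sslcert ipport=$($b.IPPort) | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not delete binding $($b.IPPort)" }
    }
    netsh http add sslcert ipport="0.0.0.0:$Port" certhash=$Thumbprint appid="$AppId" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add binding on 0.0.0.0:$Port" }
    # Verify the binding the same way the post does, but compare the hash rather than eyeballing it.
    $new = Get-SslCertBindings | Where-Object { $_.IPPort -eq "0.0.0.0:$Port" }
    if (-not $new -or $new.Hash -ne $Thumbprint) { throw "Binding on 0.0.0.0:$Port does not carry thumbprint $Thumbprint" }
    return $new
}

Install-IvRootCa | Out-Null
New-IvServerCert
$cert = Get-IvServerCert
Set-IvSslBinding -Thumbprint $cert.Thumbprint | Format-List
Write-Host "Now update ImageVault.Core.Host.config and ImageVaultClient.config to use https://${HostName}:$Port"
```

The script stops at the first failed step, so a missing root CA shows up at the makecert call rather than as a confusing binding error later, and the final check compares the thumbprint reported by netsh against the certificate actually selected from the store, which catches the case where an older certificate with the same CN was bound by mistake.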

Phew. Simple as a dimple, right? Eh. From now on I’ll be using hostnames instead of IP when installing ImageVault.
