MeshCentral – Certificate installation

MeshCentral is an open-source remote support platform. It runs on Windows or Linux and needs to be self-hosted.

While it supports Let’s Encrypt (letsencrypt.org) certificates, this is not always an option. Issues you can run into are:

  • port 80 incoming is blocked by your internet provider
  • your DNS provider does not support the ACME protocol needed

Of course, you might also simply want to use your own certificate. To do so, go to your regular CA (certificate authority) provider and have your certificate issued. One simple way is to use Windows IIS: request a new certificate per CSR, have it issued, and finalize the request in IIS. Your last step is to export it including the private key.

Now transfer this file to your MeshCentral server (just use MeshCentral to transfer the file). Next you will need OpenSSL, which is often pre-installed on Linux and Raspberry; on Windows you will need to download it separately.

OpenSSL is used on the command line to extract the unencrypted key and to separate the certificate so MeshCentral can use them. Follow the next steps; we assume your source certificate file is named source.pfx.

  1. openssl pkcs12 -in source.pfx -nocerts -out encryptedkey.key
    1. this will ask for the password for source.pfx
    2. it will also ask and have you confirm a new password (can be the same) for the destination file
  2. openssl rsa -in encryptedkey.key -out webserver-cert-private.key
    1. it will ask you for the new password of the file you created in step 1
    2. this will overwrite the webserver-cert-private.key file with a passwordless key-file as needed by MeshCentral
  3. openssl pkcs12 -in source.pfx -clcerts -nokeys -out webserver-cert-public.crt
    1. this will ask for the password for source.pfx
    2. it will overwrite the webserver-cert-public.crt file with the public part of your certificate

Now reboot the MeshCentral service/server and open a new browser window; your certificate should work now.
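
The three OpenSSL steps above as one non-interactive script, added here as an example (it is not part of the original post). It assumes the PFX password is supplied in a PFX_PASS environment variable; the function name convert_pfx and the output-directory argument are names chosen for this example. Beyond the three steps, it keeps the passwordless key readable by its owner only, deletes the intermediate key file, and checks that the key and the certificate belong together.

```shell
#!/bin/sh
# Added example: steps 1-3 without prompts, plus key hygiene checks.
# Assumptions: the PFX password is in the PFX_PASS environment variable;
# convert_pfx and its output-directory argument are names chosen here.
convert_pfx() (
    pfx=$1
    out=${2:-.}
    : "${PFX_PASS:?set PFX_PASS to the password of the PFX file}"
    export PFX_PASS               # openssl reads it through env:PFX_PASS
    umask 077                     # files created below are owner-only
    mkdir -p "$out" || exit 1
    enc="$out/encryptedkey.key"
    key="$out/webserver-cert-private.key"
    crt="$out/webserver-cert-public.crt"

    # Step 1: extract the private key, still passphrase-protected
    # (the same password is reused for the intermediate file).
    openssl pkcs12 -in "$pfx" -nocerts -out "$enc" \
        -passin env:PFX_PASS -passout env:PFX_PASS || exit 1
    # Step 2: write the passwordless key (RSA key assumed, as in the steps above).
    openssl rsa -in "$enc" -passin env:PFX_PASS -out "$key" || exit 1
    # Step 3: extract the certificate without the key.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$crt" \
        -passin env:PFX_PASS || exit 1

    rm -f "$enc"                  # intermediate key file is no longer needed
    chmod 600 "$key" && chmod 644 "$crt" || exit 1

    # Check that the key and the certificate carry the same public key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || exit 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || exit 1
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "key and certificate do not match" >&2
        exit 2
    fi
    echo "wrote $key and $crt"
)

# Usage when saved as a script (file name is an example):
#   PFX_PASS='...' sh convert-pfx.sh source.pfx /path/to/output
if [ "$#" -gt 0 ]; then convert_pfx "$@"; fi
```

Because the resulting key file has no passphrase, its file permissions are the only protection it has on disk; the owner should be the account the MeshCentral service runs as.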


Monitor multiple website certificates with a single PRTG sensor

Due to a request on the PRTG KB from someone needing a single sensor that monitors multiple URLs for their certificate expiration, I came up with the following script, which is posted on this PRTG KB as well. The modified PowerShell script was provided there; it is mentioned that it was sourced from Stack Overflow, and I found it at this link: https://stackoverflow.com/questions/28386579/modifying-ssl-cert-check-powershell-script-to-loop-through-multiple-sites

The result would look like this:

To make it more usable – you can input parameters from PRTG like this:

or this for limits – warning 60 and error 10 – you could name them but this should work as well…

And here is the modified script: