With the powers that be reducing certificate validity periods to an unmanageable 47 days, I wanted to automate the whole thing, so I developed this PowerShell script that does a lot of the heavy lifting. You need to start with Blue Iris 6 (BI6) using its NATIVE TLS web server support. This process will not work if you are using stunnel or some other front-end proxy.
Install win-acme on your BI server. Save this PowerShell script on a local drive on your BI server (no spaces in the path). Edit the win-acme settings.json file: open it in Notepad, search for "PrivateKeyExportable", change it from false to true and save. This is required because the script exports the private key into the PFX that Blue Iris reads; be aware it also means the key in the machine certificate store is exportable by any administrator on the box. Then edit the PowerShell file you saved in Notepad. You will find a variable "$CertDomain = 'server.domain.com'". Put the certificate common name you are going to use inside the single quotes. If it differs from what you enter in the WACS step 3 below, the script will not find the certificate and will not work.
1.) Run the win-acme UI by running wacs.exe.
2.) Choose M to run the full options flow. Unless you have IIS installed, you will get a message that it cannot find IIS; that is expected.
3.) Choose Manual (2). Here you type in your certificate CN. So if cameras.myhome.org is the hostname of your UI3 site, you enter cameras.myhome.org here and hit enter.
4.) Hit Enter again unless you want to pretty up the friendly name.
5.) Choose #4 to only generate a single cert.
6.) I chose #2 as my verification method. For this to work, port 80 must be forwarded through your router to your BI server, and the BI web server must not be holding port 80 while win-acme answers the challenge. If you are familiar with ACME processes, you will know how to work through these options; everything so far is standard fare for win-acme, so choose what you want. If you have never used an ACME client, the most straightforward way for a novice is to turn off port 80 in the BI web server config and "port forward" both 443 and 80 to your BI server IP. Your "cameras.myhome.org" MUST also be an A record in your DNS. If you are CNAMEing it over to Duck DNS this will not work. Don't use Duck DNS; use an app or script that leverages your DNS host's API key to keep the A record up to date with your dynamic IP. But I am not getting into that here.
7.) Choose 2 for an RSA key.
8.) Choose 4 to store the cert in your Windows cert store.
9.) Choose 2 for the default store.
10.) Choose 5 for no more store steps.
11.) Choose 2 for "Start external script or program". Here you provide the FULL PATH of the PowerShell script you saved, for example c:\script\Renew-BlueIrisCert.ps1. If you choose a path with a space in it, the script will fail when it runs. Press enter.
12.) After you press enter, a list appears. These are the variables win-acme can pass to the PowerShell script as arguments. You only want {CertThumbprint}, so you literally type that in at the "parameters:" prompt, curly brackets and all. Hit enter.
13.) Choose No additional installation steps.
The instant you choose No additional installation steps, win-acme goes out and tries to get your cert. Once it has the cert, it runs the PowerShell script. The script finds the cert in the Windows cert store by the CN you specified when you edited the variable $CertDomain = 'server.domain.com'. Once it finds it, it looks up in Blue Iris (the Webserver UI tab) where you have ALREADY stored the current PFX file, what the file name is, and the PFX password. It renames the current PFX by appending BAK plus the date and time, then exports the new cert as a PFX to that location using the same file name and password. After that completes, it restarts the BI service. If the export fails (for example because PrivateKeyExportable was left at false), the old PFX is still there under its BAK name, so you can rename it back.
Then win-acme prompts you whether to specify the user the scheduled task runs as. I chose no. It then creates the task as LOCAL SYSTEM, which has enough permissions to do everything: read the private key from the machine certificate store, write the PFX, and restart the service. If you want, you can choose Y and specify your administrator user instead.
Then you can choose to quit, and that's it. A scheduled task is created that handles all of this automatically as the cert nears expiration. If you change the location or name of the script file, you will break this. The script pulls the BI values each time it runs, so changing the UI3 PFX file name, path or password will not break it; it will use the new values the next time it runs.
To summarize, win-acme runs as YOU WANT it. All I did was create the script to "integrate" win-acme into Blue Iris 6. Remember, your UI3 must ALREADY be running a successful native TLS secure site on a custom domain.
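For readers who want to see the shape of such a renewal hook before downloading anything, here is an added example written for this write-up; it is not the attached script. win-acme calls it with {CertThumbprint}, so rather than searching by CN alone it looks the certificate up by that thumbprint and then checks the CN against $CertDomain, so a typo cannot install a different certificate. The author's script reads the PFX path and password from Blue Iris itself; the post does not show where Blue Iris stores them, so this version takes them as parameters. The default path, the password placeholder and the service name BlueIris are assumptions, not values from the post.

```powershell
<#
  Example renewal hook for win-acme -> Blue Iris (added example, not the attached script).
  win-acme runs it after each renewal and passes {CertThumbprint}.
  Assumptions (not from the original post): PFX path, PFX password and the
  Blue Iris service name are supplied as parameters / defaults below.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]          # SHA-1 thumbprint as win-acme passes it
    [string]$CertThumbprint,

    [string]$CertDomain  = 'server.domain.com',     # must match the CN entered in win-acme
    [string]$PfxPath     = 'C:\BlueIris\ui3.pfx',   # assumption: the path set in BI's Webserver tab
    [string]$PfxPassword = 'change-me',             # assumption: the password set in BI's Webserver tab
    [string]$ServiceName = 'BlueIris'               # assumption: name of the Blue Iris service
)

$ErrorActionPreference = 'Stop'

# 1. Find the new cert by the thumbprint win-acme handed us, then cross-check the CN
#    so a mistyped $CertDomain fails loudly instead of exporting the wrong cert.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertThumbprint.ToUpperInvariant() }
if (-not $cert) {
    throw "No certificate with thumbprint $CertThumbprint in LocalMachine\My"
}
$cn = $cert.GetNameInfo('SimpleName', $false)
if ($cn -ne $CertDomain) {
    throw "Certificate CN '$cn' does not match `$CertDomain '$CertDomain'"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $CertThumbprint has no private key in the store"
}

# 2. Back up the PFX Blue Iris is currently using (BAK + timestamp, same folder).
if (Test-Path -LiteralPath $PfxPath) {
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $bakName = (Split-Path -Leaf $PfxPath) + ".BAK-$stamp"
    Rename-Item -LiteralPath $PfxPath -NewName $bakName
}

# 3. Export the renewed cert plus chain to the same path with the same password.
#    This is the step that needs PrivateKeyExportable=true in win-acme's settings.json;
#    with a non-exportable key Export-PfxCertificate fails here and the BAK is untouched.
$secure = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $secure `
                      -ChainOption BuildChain | Out-Null

# 4. Verify the file before touching the service: it must load with the BI password
#    and carry a private key, or BI's TLS listener will not come up after the restart.
#    EphemeralKeySet keeps the check from persisting a key copy in SYSTEM's key store
#    (needs .NET Framework 4.7.2 or later, present on current Windows 10/11 builds).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $PfxPassword, $flags
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    throw "Exported PFX at $PfxPath did not round-trip correctly"
}

# 5. Restart Blue Iris so it reloads the PFX.
Restart-Service -Name $ServiceName
Write-Output "Installed $cn ($($cert.Thumbprint)) to $PfxPath, valid until $($cert.NotAfter)"
```

If you only type {CertThumbprint} at win-acme's "parameters:" prompt, the defaults in the param block apply, so set $PfxPath and $PfxPassword there rather than passing the password on the command line, where it would end up in the scheduled task definition and in process-creation logs. The round-trip check in step 4 is the one thing worth keeping even if you use the attached script: a PFX that was written but cannot be opened with the stored password is exactly the failure that leaves UI3 down until someone notices.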
Good luck everybody!