Configuring SSL Certificates
For detailed information about how to set up SSL certificates for use with Spok Mobile, see the Spok Mobile Pre-Implementation Guide.
Applying the SSL Certificate to Spok Mobile
- Log in to the Spok Enterprise Administration interface by opening a browser and navigating to http://server/Web
- Navigate to Administration > System Configuration > Mobile.
- Enable the HTTPS option.
- Make sure the SSL Port is set to 8091.
- Select an SSL Certificate from the drop-down list.
- Click the Save button to save the information.
- Click the Apply button to apply the changes.
Spok Mobile will restart when you click the Apply button.
Binding Ports to the SSL Certificate
When a Spok Mobile customer installs a new certificate, they must bind the certificate to ports 443 and 8091.
You can bind to port 443 by using an IIS Administration MMC snap-in.
You can bind to port 8091 by doing the following:
- Add the new certificate to the server. For detailed information on how to do this, see the Spok Mobile Pre-Implementation Guide.
- In IIS Admin MMC, set up https bindings for “amc.customer.url” to include port 443. For detailed information on how to do this, refer to Microsoft’s technical documentation.
- Retrieve the certificate hash. You can find the certificate hash in the certificate snap-in on MMC. To find it, do the following:
  - Access the certificate snap-in on MMC. The Certificate dialog will appear. For detailed information on how to do this, refer to Microsoft’s technical documentation.
  - In the Certificate dialog, click the Details tab.
  - The certificate hash will appear in the lower part of the window.
  - Before using the hash value, remove the spaces from it.
- Add the certificate binding to port 8091 from a command line by running netsh. In the example below, replace XXXXXXXXX with the hash value without spaces:
netsh http add sslcert ipport=0.0.0.0:8091 certhash=XXXXXXXXX appid={00000000-0000-0000-0000-000000000000}
Testing the SSL Certificate
- Open a web browser and navigate to https://SERVER:8091/
- If the SSL certificate is valid, a web page with "Service" in the title bar will display. The page should indicate that it is a "Windows Communication Foundation service."
Fixing Ports Bound to Expired Certificates
Both port 443 and 8091 must be bound to the same certificate hash, and the certificate cannot be expired. If either of these ports is bound to an expired certificate, you may receive notifications, but no messages for those notifications. To diagnose and fix this issue, do the following:
- In a command prompt with administrator privileges, run netsh http show sslcert to view the bindings for ports 443 and 8091. Note the Certificate Hash to which each port is bound.
- Access IIS Manager to view the certificate's Expiration Date and Certificate Hash.
- Compare the Certificate Hash values given in IIS and the port details to ensure that the certificate to which each port is bound is not expired.
- If either port is bound to an expired certificate, navigate to the Default Web Site in IIS.
- In the Actions menu, under Edit Site, click Bindings...
- Add or remove port 443 or 8091 as appropriate.
You can also add and delete bindings from the command line using the netsh http delete and netsh http add commands. For example:
netsh http delete sslcert ipport=0.0.0.0:8091
netsh http add sslcert ipport=0.0.0.0:8091 certhash=<certificate hash value> appid={00000000-0000-0000-0000-000000000000}
Fixing Incomplete Port Bindings
When renewing a certificate, occasionally only port 443 will be bound to the new certificate. Ensure that both port 443 and 8091 are bound to the new certificate. If both are not bound, Spok Mobile will not function. To re-bind port 8091 and resolve this issue, launch PowerShell as an administrator and run the following:
- First, confirm that the certificate is not expired.
- Run netsh http show sslcert to display the binding for port 443.
- Copy the certificate hash and appid for port 443.
- Run netsh http delete sslcert ipport=0.0.0.0:8091
- Run netsh http add sslcert ipport=0.0.0.0:8091 certhash=paste copied hash here appid='paste copied appid here'
- After the certificates have been bound, restart either the Spok Mobile server or IIS.
- To reset IIS, run iisreset in PowerShell.
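A read-only check covering the two diagnostic procedures above (expired bindings and incomplete bindings), as an added PowerShell example that is not Spok's own tooling: it parses netsh http show sslcert, looks up each bound hash in the certificate store, and warns if ports 443 and 8091 differ. It assumes English netsh output and that the certificate is in the LocalMachine\My store; the function name Get-SslBinding is hypothetical.

```powershell
# Added example, not Spok code. Assumes English netsh output and that the
# bound certificate lives in the Cert:\LocalMachine\My store.
function Get-SslBinding {
    param([string[]]$NetshOutput = (netsh http show sslcert))
    $found = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+):(\d+)\s*$') {
            # Each binding record in the netsh output starts with its endpoint.
            $current = [pscustomobject]@{
                Endpoint = "$($Matches[2]):$($Matches[3])"
                Port = [int]$Matches[3]; Hash = $null; AppId = $null
            }
            $found.Add($current)
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            $current.Hash = $Matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)\s*$') {
            $current.AppId = $Matches[1]
        }
    }
    $found
}

$bindings = @(Get-SslBinding | Where-Object { $_.Port -in 443, 8091 })
foreach ($port in 443, 8091) {
    if (-not ($bindings | Where-Object { $_.Port -eq $port })) {
        Write-Warning "No SSL binding found for port $port"
    }
}
foreach ($b in $bindings) {
    # The store's Thumbprint is the same value netsh calls Certificate Hash.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $b.Hash }
    $status = if (-not $cert) {
        'certificate not found in LocalMachine\My'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        "EXPIRED on $($cert.NotAfter)"
    } else {
        "valid until $($cert.NotAfter)"
    }
    '{0,-20} {1} appid={2} {3}' -f $b.Endpoint, $b.Hash, $b.AppId, $status
}
if (@($bindings.Hash | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Ports 443 and 8091 are bound to different certificate hashes'
}
```

Run it from an elevated PowerShell session on the Spok Mobile server; it changes nothing, so it can be used before and after re-binding to confirm the result.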