ConnectWise Control (ScreenConnect) On-Premise SSL Installation Woes… Here’s the Secret to Using an Alternate Port (not 443), Working With SSL

asheroto
7 min read · Mar 25, 2021

This article is assuming you are using Windows, have an on-premise installation of ConnectWise Control / ScreenConnect, and are using Server 2016/2019/2022 or Windows 10/11.

This article assumes you have been issued an SSL certificate and also have the private key. You should have run the ScreenConnect SSL Configurator by now to create a CSR and retrieve a certificate.

As a side note, RapidSSL certificates are very inexpensive. The advantage with those over something like Let’s Encrypt is that you won’t have to renew them every 90 days! 😊


Table of Contents

· Intro
· Combining Certificates to a Single PFX File
· Import the PFX Certificate
· Removing the Existing Certificate Binding
· Binding the Certificate — Method 1
· Binding the Certificate — Method 2
· Final Changes
· Redirection
· BRAVO! 😁🤞
· ScreenConnect Scripts

Intro

My goodness, this was a head scratcher at first. Since I figured out the trick, I thought I’d share it so you can get an alternate SSL port working instead of the default 443. For the purposes of this article, we will use port 32123 instead of 443, but you may use any valid and available port number.

  1. Stop all ScreenConnect services on your server; you can easily do this in PowerShell by typing Stop-Service ScreenConnect* -Force
  2. Put all certificates on the desktop

Certificate File Types Note: crt and cer files are basically the same thing, but pfx and pem files are different. More info on the differences between certificates.

Combining Certificates to a Single PFX File

If you already have a PFX file skip this section.

If you do not have a PFX file, proceed with these steps. The final file will contain the private key and the certificate itself.

We need to combine the full chain into one file: the issued certificate, its private key, and any CA certificates.

  • Name the private key privateKey.key.
  • Name the certificate that was issued certificate.cer.
  • Name the CA/root certificate CACert.cer. You may not have a CA/root certificate; if not, omit it from the command below.
  • If you have additional CA/root certificates, append another -certfile argument followed by the name of each certificate to the command below.
  • You MUST specify a PFX password when prompted. If you skip specifying a password, something may not work in the later steps.

You will need OpenSSL installed on the computer. If you don’t already have it, you can retrieve the binaries from OpenSSL’s site (make sure you add the OpenSSL path to your PATH environment variable and restart), or if you have Chocolatey you can simply type choco install openssl to install it.

While looking at the desktop with the certificates, hold Shift and right-click anywhere in the white area of the folder, then click Open PowerShell window here.

To merge the certificates, type the following command:

openssl pkcs12 -export -in .\certificate.cer -inkey .\privateKey.key -out .\certificate.pfx -certfile .\CACert.cer

In my case, I had 3 root certificates that needed to be added, so my command is:

openssl pkcs12 -export -in .\certificate.cer -inkey .\privateKey.key -out .\certificate.pfx -certfile .\root1.crt -certfile .\root2.crt -certfile .\root3.crt

That command takes the certificate, the private key, and the three root certificates, and outputs certificate.pfx.

When I set this up for someone else, they did not have any CA certificates, so their command looked like this (without the -certfile argument):

.\openssl pkcs12 -export -in .\certificate.cer -inkey .\privateKey.key -out .\certificate.pfx

Make sure to specify a PFX password! Skipping this may cause issues later.
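As an added example (not from the article), here is a PowerShell wrapper around the openssl steps above that first checks that the private key actually belongs to the issued certificate, then builds the PFX with any number of -certfile arguments and reads the bundle back to confirm the private key made it in. It assumes openssl.exe is on PATH and uses the article’s file names; the function name New-ScreenConnectPfx is my own.

```powershell
function New-ScreenConnectPfx {
    param(
        [string]$Cert    = '.\certificate.cer',
        [string]$Key     = '.\privateKey.key',
        [string]$Out     = '.\certificate.pfx',
        [string[]]$Chain = @()               # CA/root certificates, may be empty
    )
    $ErrorActionPreference = 'Stop'

    # The public key recovered from the private key must equal the one inside the
    # certificate; a mismatch here is why a PFX later imports but is never served.
    $pubFromCert = (& openssl x509 -in $Cert -noout -pubkey) -join "`n"
    $pubFromKey  = (& openssl pkey -in $Key -pubout) -join "`n"
    if ($pubFromCert -ne $pubFromKey) {
        throw "Private key $Key does not match certificate $Cert"
    }

    # Build the argument list, adding one -certfile per CA/root certificate.
    $opensslArgs = @('pkcs12', '-export', '-in', $Cert, '-inkey', $Key, '-out', $Out)
    foreach ($c in $Chain) {
        if (-not (Test-Path $c)) { throw "Chain certificate $c not found" }
        $opensslArgs += @('-certfile', $c)
    }
    # No -passout: openssl prompts for the export password, which must not be empty.
    & openssl @opensslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

    # Read the bundle back (prompts for the same password) and confirm it carries the key.
    $pfx = Get-PfxCertificate -FilePath $Out
    if (-not $pfx.HasPrivateKey) { throw "$Out does not contain the private key" }
    [pscustomobject]@{
        Subject    = $pfx.Subject
        Thumbprint = $pfx.Thumbprint   # the value needed for the netsh binding later
        NotAfter   = $pfx.NotAfter
    }
}

# Matches the article's three-root case (constructed file names).
New-ScreenConnectPfx -Chain '.\root1.crt', '.\root2.crt', '.\root3.crt'
```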

Import the PFX Certificate

  1. Double-click certificate.pfx, select Local Machine, click Next, click Next, provide the PFX password, click Next, click Next, and click Finish.
  2. Click Start, type mmc and press Enter. Go to File > Add/Remove Snap-ins, add the Certificates snap-in and specify Computer Account. Then open the Personal > Certificates area. Make sure you do it this way — if you open the Certificate Manager by default, it opens the User personal certificate store, whereas we want the Local Machine personal certificates.
  3. Find the certificate you just imported. Look for the domain name and confirm the expiration date.
  4. Double-click on the certificate, click Details, then scroll near the bottom of the list and find Thumbprint. Copy the thumbprint in the box below to clipboard (Ctrl+C) or a text document for later use.

Removing the Existing Certificate Binding

If you’ve never set up ScreenConnect before, you don’t need to do this step and can skip to the next step.

If you’re replacing your existing certificate, you should perform this step.

This step removes the existing certificate binding so we can bind the new certificate.

If you are using port 443 for another service, such as Exchange or a website, do NOT specify 443 for this command, or it could cause major issues for you later (go to step 3). If you don’t have Exchange or a website on port 443, you can use 443 if you’d like.

If you already have ScreenConnect set up with an SSL certificate, or if you want to use a different port, then perform this step but specify the port number you used instead of 443 for WebServerListenUri.

NOTE: Use cmd.exe or conhost.exe and not PowerShell, as the commands don’t work well in PowerShell.

To show existing bindings:

netsh http show sslcert

To delete the existing binding (change port if needed):

netsh http delete sslcert ipport=0.0.0.0:443

In my case I ran this command:

netsh http delete sslcert ipport=0.0.0.0:32123

If you aren’t sure whether that port is in use, you can use my IsPortActive script to see if anything is currently listening on that port. If something is listening on that port, don’t use it.

Binding the Certificate — Method 1

There are two methods to bind the certificate. If the first method does not work, try the second method.

  1. Back in the cmd.exe or conhost.exe window, replace the word REPLACE_ME in the command below with the thumbprint you copied earlier (Ctrl+V).
  2. Replace the port number 32123 in the command below with the port number you’re using as WebServerListenUri in ScreenConnect.
netsh http add sslcert ipport=0.0.0.0:32123 certhash=REPLACE_ME appid={00000000-0000-0000-0000-000000000000}

In my case, the command is…

netsh http add sslcert ipport=0.0.0.0:32123 certhash=14d90b90d9978a210d0d6f78211238916521e123 appid={00000000-0000-0000-0000-000000000000}

If you get an error code, or any error message, you may need to perform the 2nd method.

If no error message came up and you don’t see an error number, skip to the Final Changes section and finish the configuration, then if ScreenConnect doesn’t use the right certificate, stop the ScreenConnect services again and try method 2.

Did you get a "The parameter is incorrect" error message? Use cmd.exe or conhost.exe instead of PowerShell.

Binding the Certificate — Method 2

You don’t need to do this step if you didn’t get any errors with the first method or if ScreenConnect is working now.

  1. After downloading ScreenConnect Configurator, right-click on ScreenConnectConfigurator.zip and extract it to the same folder. Then right-click on ScreenConnectConfigurator.exe — yes, the exe — and extract it to a new folder as if it were a ZIP file. If you don’t have an option to extract the exe, install either 7-Zip or WinRAR, right-click on the file, choose one of those options, and extract the files. If you have Chocolatey, simply type choco install 7zip or choco install winrar, then press Enter.
  2. Once extracted, the folder should contain around 25 files. This folder is most likely named ScreenConnectConfigurator.
  3. Open cmd.exe or conhost.exe and not PowerShell, as the commands don’t work well in PowerShell. You can change directories with cd C:\Users\<User>\Desktop\ScreenConnectConfigurator or the folder that contains the extracted files from ScreenConnectConfigurator.exe.
  4. Replace the word REPLACE_ME in the command below with the thumbprint you copied earlier (Ctrl+V).
  5. Replace the port number 32123 in the command below with the port number you’re using as WebServerListenUri in ScreenConnect.
httpcfg set ssl -i 0.0.0.0:32123 -h REPLACE_ME -c "LocalMachine\My"

So in my case, my command is…

httpcfg set ssl -i 0.0.0.0:32123 -h 14d90b90d9978a210d0d6f78211238916521e123 -c "LocalMachine\My"

If you’re still getting an error, make sure you are importing the certificate to the Local Machine personal certificates, and NOT the User personal certificates, as the commands won’t work with the User personal certificates.

Final Changes

Open up your web.config file and ensure you’ve configured these three lines as shown below…

<add key="WebServerListenUri" value="https://+:32123/" />
<add key="RelayListenUri" value="relay://+:32124/" />
<add key="RelayAddressableUri" value="relay://subdomain.yourDomain.com:32124/" />

Whenever you deploy/install/reinstall a remote agent, it will reflect the above settings and automatically connect.

Make sure your DNS settings are correct and that you’ve forwarded the appropriate ports if necessary (and added firewall exceptions).

Cloudflare Note: if you are using Cloudflare, make sure you click the orange cloud next to the DNS record so that it says DNS Only (the cloud is no longer orange); otherwise ScreenConnect won’t work correctly.

Relay Note: you don’t need to bind the certificate to your RelayListenUri port because it uses its own method for SSL. You only need to bind it to your WebServerListenUri port.
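Pulling the binding steps above together, here is an added PowerShell script (not from the article) that checks the imported certificate is really in the Local Machine Personal store with its private key, checks nothing else is listening on the WebServerListenUri port, replaces the old HTTP.sys binding with the new one, and then reads the binding back to confirm it took. The netsh calls go through cmd.exe exactly as the article advises; the thumbprint and port are placeholders you replace.

```powershell
param(
    [string]$Thumbprint = 'REPLACE_ME',   # from the certificate's Details tab
    [int]$Port = 32123                    # the port in WebServerListenUri
)
$ErrorActionPreference = 'Stop'
# Thumbprints copied from the Details tab often carry spaces or hidden characters.
$Thumbprint = $Thumbprint -replace '[^0-9a-fA-F]', ''
$ipport = "0.0.0.0:$Port"

# 1. The certificate must be in LocalMachine\My, carry its private key and be valid.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)                    { throw "Thumbprint $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate has no private key; re-import the PFX" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Nothing else may be listening on the port (ScreenConnect services should be stopped).
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id $listener[0].OwningProcess
    throw "Port $Port is already in use by $($proc.ProcessName) (PID $($proc.Id))"
}

# 3. Drop any existing binding on this port, then add the new one. netsh runs through
#    cmd.exe so PowerShell does not mangle the braces in appid (the article's advice).
$appId = '{00000000-0000-0000-0000-000000000000}'
cmd.exe /c "netsh http delete sslcert ipport=$ipport" | Out-Null   # harmless if none exists
cmd.exe /c "netsh http add sslcert ipport=$ipport certhash=$Thumbprint appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed with exit code $LASTEXITCODE" }

# 4. Read the binding back: HTTP.sys must now report this hash for this port.
$shown = cmd.exe /c "netsh http show sslcert ipport=$ipport"
if (($shown -join "`n") -notmatch $Thumbprint) {
    throw "Binding for $ipport is not visible in 'netsh http show sslcert'"
}
Write-Host "Bound $($cert.Subject) to $ipport; now start the services with Start-Service ScreenConnect*"
```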

Redirection

If you want to make it easy to get to your ScreenConnect URL, you might consider using a service like bit.ly or kutt.it to set up a redirect.

That way you could have https://bit.ly/your-SC-URL redirect to your instance’s URL.

BRAVO! 😁🤞

It should now be installed!

Please let me know if you face any trouble. My goal is to help the next tech and pay it forward. Comments welcome.

ScreenConnect Scripts

I have created a collection of ScreenConnect scripts that I thought I’d share. These scripts enable you to backup, update, start, stop, and restart ScreenConnect.

You can find them on this repository…

