Public/MobileServer/Set-MobileServerCertificate.ps1

function Set-MobileServerCertificate {
    <#
    .SYNOPSIS
        Sets the sslcert binding for Milestone XProtect Mobile Server
 
    .DESCRIPTION
        Sets the sslcert binding for Milestone XProtect Mobile Server when provided with a certificate,
        an object with a Thumbprint property, or when the -Thumbprint parameter is explicitly provided.
 
        The Thumbprint must represent a publicly signed and trusted certificate located in
        Cert:\LocalMachine\My where the private key is present.
 
    .PARAMETER X509Certificate
        A [System.Security.Cryptography.X509Certificates.X509Certificate2] object representing a certificate
        which is present in the path Cert:\LocalMachine\My
 
    .PARAMETER Thumbprint
        The certificate hash, commonly referred to as Thumbprint, representing a certificate which is present
        in the path Cert:\LocalMachine\My
 
    .EXAMPLE
        gci Cert:\LocalMachine\My | ? Subject -eq 'CN=mobile.example.com' | Set-MobileServerCertificate
 
        Gets a certificate for mobile.example.com from Cert:\LocalMachine\My and pipes it to Set-MobileServerCertificate
 
    .EXAMPLE
        Submit-Renewal | Set-MobileServerCertificate
 
        Submits an ACME certificate renewal using the Posh-ACME module, and if the certificate is renewed, updates the
        Mobile Server sslcert binding by piping the output to Set-MobileServerCertificate. The Submit-Renewal and New-PACertificate
        cmdlets return an object with a Thumbprint property.
 
        If using Posh-ACME, you must ensure the New-PACertificate command is executed with elevated permissions, and used with the
        -Install switch so that the new certificate is installed into the Cert:\LocalMachine\My path. If you have done this, then
        subsequent executions of Submit-Renewal from an elevated session under the same user context will result the renewed certs
        being installed as well.
    #>

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact='Medium')]
    param (
        [parameter(ValueFromPipeline=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $X509Certificate,

        [parameter(Position = 1, ValueFromPipelineByPropertyName=$true)]
        [string]
        $Thumbprint
    )

    begin {
        $Elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        if (!$Elevated) {
            throw "Elevation is required for Set-MobileServerCertificate to work properly. Consider re-launching PowerShell by right-clicking and running as Administrator."
        }
    }

    process {
        try {
            $mosInfo = Get-MobileServerInfo -Verbose:$VerbosePreference
            $ipPort = "$($mosInfo.HttpsIp):$($mosInfo.HttpsPort)"
            $appId = "{00000000-0000-0000-0000-000000000000}"
            $certHash = if ($null -eq $X509Certificate) { $Thumbprint } else { $X509Certificate.Thumbprint }
            if ($PSCmdlet.ShouldProcess($ipPort, "Add/update SSL certificate binding and restart Milestone XProtect Mobile Server")) {
                if ($null -ne $mosInfo.CertHash) {
                    Remove-MobileServerCertificate -Verbose:$VerbosePreference
                }
                
                $result = netsh http add sslcert ipport=$ipPort appid="$appId" certhash=$certHash
                if ($result -notcontains 'SSL Certificate successfully added') {
                    Write-Error "Failed to add certificate binding. $result"
                    return
                }
                else {
                    Write-Verbose [string]$result
                }
                
                Restart-Service -Name 'Milestone XProtect Mobile Server' -Verbose:$VerbosePreference
            }
        } catch {
            Write-Error $_
        }
    }
}