Basically there are 4 steps involved in installing a certificate to be used with IntraWeb Http.sys applications:
- Obtaining the certificate (it can be a free Let’s Encrypt certificate, which is valid for 3 months and needs to be renewed/requested again at the end of this period, or a paid one with a longer validity period)
- Converting the certificate to PKCS12 format (this is the format that must be installed on Windows)
- Installing the PKCS12 certificate on the server
- Binding the certificate to the application
All these tasks can be done using our own exclusive tool, IWCertificateManager, which you can find with every IntraWeb installation. If you are not using the latest IW version, please update your IWCertificateManager by downloading the new version here:
We will assume that you don’t have a certificate yet, and you want to use a free one from Let’s Encrypt (referred to as LE from now on).
In order to request an LE certificate, your IntraWeb application must be running on the server, using the standard HTTP port 80. You can even use the debugging version of the application (Indy-based or Http.sys, it doesn’t matter). You don’t need to install it as a service for now. It just needs to be running and listening on HTTP port 80.
This is because LE requires you to prove that you own the server. The process is basically this: LE will give you a small text file containing a secret key. You will copy this file to your server (the one that responds to the domain you want to create a certificate for, e.g. “yourdomain.com”) and LE will request that same file from the server shortly after that. If the file is there (i.e. LE can download it from your “yourdomain.com” server) it proves that you own the server. Simple but smart, isn’t it?
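The ownership check described above is ACME's HTTP-01 challenge (RFC 8555): the file is served from `/.well-known/acme-challenge/<token>` and contains the token joined to a thumbprint of your LE account key. The sketch below is an added example, not IntraWeb or IWCertificateManager code; it plays both sides on a local port so you can see why validation fails when the file is missing or belongs to another account. The account key, token and web root are constructed values, and serving the file from a plain folder is an assumption.

```python
import base64, hashlib, json, threading, urllib.error, urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # path fixed by RFC 8555, section 8.3

class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_authorization(token: str, account_jwk: dict) -> str:
    # RFC 7638 thumbprint: SHA-256 of the required RSA members, sorted, no whitespace
    required = {k: account_jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return token + "." + b64url(hashlib.sha256(canonical.encode()).digest())

def publish(webroot: Path, token: str, key_auth: str) -> None:
    target = webroot / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_auth, encoding="ascii")

def validate(base_url: str, token: str, expected: str) -> bool:
    # The CA's side: plain HTTP GET, then compare the body with the expected value
    try:
        with urllib.request.urlopen(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=5) as r:
            return r.read().decode("ascii", "replace").strip() == expected
    except (urllib.error.URLError, OSError):  # 404, refused connection, timeout
        return False

def demo(webroot: Path) -> tuple:
    # Constructed account key and token; a real client receives the token from LE
    jwk = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-modulus")}
    token, other = "constructed-token-123", {"kty": "RSA", "e": "AQAB", "n": "b3RoZXI"}
    key_auth = key_authorization(token, jwk)
    # Port 0 picks a free local port; it stands in for port 80 on the real server
    server = HTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=str(webroot)))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        missing = validate(base, token, key_auth)    # file not published yet
        publish(webroot, token, key_auth)
        served = validate(base, token, key_auth)     # file reachable, content matches
        wrong_key = validate(base, token, key_authorization(token, other))
    finally:
        server.shutdown()
        server.server_close()
    return missing, served, wrong_key
```

Calling `demo()` with an empty folder returns `(False, True, False)`: validation only succeeds once the file is reachable over HTTP and its content matches the requesting account.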
Now, let me describe in detail each one of the four steps involved in the creation and installation of an SSL certificate to be used with your IntraWeb Http.sys application:
- yourdomain_com.crt (the certificate itself, in PEM format)
- yourdomain_com_private.pem (the private key file, in PEM format)
- LE.crt (the CA certificate file in PEM format, i.e. LE root certificate)
- LE_Account_Cert_4096.pem (the certificate for your account on the LE server. You won’t need this file to run your application. It is nice, though not mandatory, to keep it for when you need to renew)
2.1) Still using the IWCertificateManager, now choose “Convert PEM Certificates to PKCS12”. Fill in all the required fields below. Choose a password (that you must have in order to install it later) and a friendly name for your certificate. This name will be visible when you install/register it on the Windows store, on the server, so choose a name that you can relate to your site/application.
2.2) Click on “Execute” and a new file with the same name and a .pfx extension will be created in the same folder. This file alone is the one you need to install on your Windows server. The pfx file is all the other files combined into a single file, protected by the password that you provided.
3) Installing the PKCS12 certificate (pfx file):
The certificate is now installed on your Windows machine, but we still need to specify which URL will be using it. This is done in the next section.
4.2) Fill in all fields. In general you won’t use the IP address, only the host name (i.e. the DNS name of your server). Please remember to use port 443, the standard HTTPS port. See my example below: