Creating and Installing a certificate for your IntraWeb Http.sys applications

Basically there are 4 steps involved in installing a certificate to be used with IntraWeb Http.sys applications:

  1. Obtaining the certificate (it can be a free Let’s Encrypt certificate, which is valid for 90 days and must be renewed, i.e. requested again, before the end of that period, or a paid one with a longer validity period)
  2. Converting the certificate to PKCS12 format (the format Windows needs in order to import a certificate together with its private key)
  3. Installing the PKCS12 certificate on the server
  4. Binding the certificate to the application

All these tasks can be done using our own exclusive tool, IWCertificateManager, which ships with every IntraWeb installation. If you are not using the latest IW version, please update your IWCertificateManager by downloading the new version here:

IntraWeb Certificate Manager

We will assume that you don’t have a certificate yet, and you want to use a free one from Let’s Encrypt (referred to as LE from now on).

In order to request a LE certificate your IntraWeb application must be running on the server, listening on the standard HTTP port 80. You can even use the debugging version of the application (Indy-based or Http.sys, it doesn’t matter), and you don’t need to install it as a service for now. It just needs to be running and listening on port 80, reachable from the Internet under the domain name you are requesting the certificate for.

This is because LE requires you to prove that you control the domain. The process (the ACME “HTTP-01” challenge) is basically this: LE gives you a small text file whose name is a random token and whose content is a value derived from that token and your LE account key. You copy this file to your server (the one that answers for the domain you want a certificate for, e.g. “yourdomain.com”) and shortly afterwards LE requests that same file from “yourdomain.com” over plain HTTP on port 80. If the file is there with the expected content (i.e. LE can download it from your server), you have proven that you control the domain. Note that this proves control of whatever host the DNS name currently points at, so the DNS record for “yourdomain.com” must already resolve to this server. Simple but smart, isn’t it?

Now, let me describe in detail each one of the four steps involved in the creation and installation of an SSL/TLS certificate to be used with your IntraWeb Http.sys application:

1) Obtaining a free LE certificate:
1.1) Run IWCertificateManager and choose “Request Let’s Encrypt Certificate”. Please make sure you have the latest version of IWCertificateManager.

1.2) Fill in all required fields. For the “Let’s Encrypt URL” you can use the “staging” one to test/simulate the process (certificates issued by staging are not trusted by browsers, but staging has much more generous rate limits, so use it until the whole flow works) and the production one (shown above) to do the real certificate request.
For the “Challenge Directory”, choose the path where your IntraWeb application is physically installed plus ‘\acme-challenge\’. This way you won’t need to manually copy files when requesting the certificate. In my example above, the application would be in the “C:\Certificates\” folder.
Please notice that your IW application must be built with the option ServerController.SSLOptions.EnableACME = True. Otherwise the application won’t answer the LE challenge request.
1.3) Then you will click “Execute”. The certificate manager will start the communication protocol with LE servers and if everything is OK, you will see a popup message like this:

At this stage the files will already have been saved to your folder “C:\Certificates\acme-challenge\”. If your application is running and you chose the folder as recommended in item 1.2 above, you don’t need to copy anything. If not, copy the files into a subfolder named “acme-challenge” under the application directory before clicking the “OK” button above.
 
1.4) After copying the files, just click OK. IWCertificateManager will connect once again to the LE servers and inform them that the files are ready. The LE servers will then try to download the file from your “yourdomain.com” server. Your IW application is prepared to serve those files as long as the property ServerController.SSLOptions.EnableACME is True, as mentioned above.
 
1.5) If LE succeeds it will return the certificate and related files, and IWCertificateManager will save them to the working directory.
 
The files saved should be:
  • yourdomain_com.crt (the certificate itself, in PEM format)
  • yourdomain_com_private.pem (the private key, in PEM format; anyone holding this file can impersonate your site, so restrict its NTFS permissions and never leave it in a folder the application serves)
  • LE.crt (the issuing Let’s Encrypt CA certificate, in PEM format; this is the chain that clients need in order to validate your certificate)
  • LE_Account_Cert_4096.pem (your Let’s Encrypt account key material. You won’t need this file to run your application. It is nice, not mandatory, to keep it for when you renew the certificate, and it deserves the same protection as the private key)
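Between items 1.3 and 1.4 there is a moment where a wrong folder, a firewall, or a stale DNS record will make the Let’s Encrypt validation fail, and a failed production validation counts against your rate limits. The following PowerShell script is an added example (it is not part of IWCertificateManager or IntraWeb) that fetches every file in the challenge folder through the public host name, exactly as LE will, before you click “OK”. It assumes the domain and folder used in this walkthrough and the standard ACME challenge path, /.well-known/acme-challenge/<token>, which is where the IntraWeb application must expose the folder for LE to find the files.

```powershell
# Added example, not IntraWeb code: pre-flight check of the ACME HTTP-01
# challenge files before telling Let's Encrypt that they are ready.
# Assumed values: the domain and challenge folder from the walkthrough.
$Domain       = 'yourdomain.com'
$ChallengeDir = 'C:\Certificates\acme-challenge'

$failures = 0
foreach ($file in Get-ChildItem -Path $ChallengeDir -File) {
    # The file name is the ACME token; the body is the key authorization that
    # LE compares byte for byte, so read the raw bytes rather than trimmed text.
    $expected = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($file.FullName))

    # Go through the public name, not localhost: this also proves that DNS and
    # any firewall/NAT in front of the server deliver port 80 to this application.
    $url = "http://$Domain/.well-known/acme-challenge/$($file.Name)"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        $body = [System.Text.Encoding]::ASCII.GetString($resp.RawContentStream.ToArray())
        if ($resp.StatusCode -eq 200 -and $body -ceq $expected) {
            Write-Host "OK       $url"
        } else {
            Write-Warning "MISMATCH $url (HTTP $($resp.StatusCode)): served content differs from the file"
            $failures++
        }
    } catch {
        # Non-2xx status, connection refused, DNS failure, timeout, ...
        Write-Warning "FAIL     $url : $($_.Exception.Message)"
        $failures++
    }
}

if ($failures -gt 0) {
    Write-Error "$failures challenge file(s) not served correctly; do not click OK yet."
    exit 1
}
Write-Host 'All challenge files are reachable over port 80; safe to continue.'
```

Run it from a machine outside your network if you can; a check from the server itself can pass while the Internet-facing firewall still blocks port 80.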
 
2) Converting the LE certificate to PKCS12 format:
The files provided by LE are in PEM format. To import a certificate together with its private key, Windows needs them bundled in a single PKCS12 (.pfx) file. Now you will learn how to use IWCertificateManager to do the conversion.

2.1) Still using IWCertificateManager, now choose “Convert PEM Certificates to PKCS12”. Fill in all the required fields below. Choose a password (you will need it to install the file later; it is what protects the private key inside the .pfx, so pick a strong one and don’t leave it lying around in scripts) and a friendly name for your certificate. This name will be visible when you install/register it in the Windows store on the server, so choose a name that you can relate to your site/application.

2.2) Click “Execute” and a new file with the same name and a .pfx extension will be created in the same folder. This file alone is the one you need to install on your Windows server: it bundles the certificate, its private key and the LE CA certificate in a single file, encrypted with the password you provided. Treat the .pfx as carefully as the private key itself.

3) Installing the PKCS12 certificate (pfx file):

3.1) Still using the Certificate Manager, now choose “Install Certificate”.
3.2) Select the pfx file generated in the previous section and click Open. You will be prompted for the pfx password; enter the same password you provided when you generated the pfx file (item 2 above).
You will then see that the certificate has been installed on your server:

The certificate is now installed on your Windows machine (http.sys expects it in the Local Computer’s Personal, also called “MY”, certificate store, not in the current user’s store), but we still need to tell Windows which URL will use it. This is done in the next section.
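If you want to script or audit what steps 2 and 3 do, or simply verify the .pfx before putting it on a production box, the following PowerShell is an added example using the PKI module that ships with Windows 8 / Server 2012 and later (it is not IntraWeb’s or IWCertificateManager’s code). It assumes the .pfx sits next to the PEM files under C:\Certificates\ and that you run it from an elevated prompt on the server.

```powershell
# Added example, not IntraWeb code: inspect the PKCS12 bundle, then import it
# into the Local Computer's Personal (MY) store where http.sys looks for it.
# Assumed path: the .pfx produced from the PEM files in the walkthrough.
$PfxPath  = 'C:\Certificates\yourdomain_com.pfx'
$Password = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code it

# 1) Look inside the bundle before touching the machine store. The end-entity
#    certificate must carry the private key, and the LE CA certificate must be
#    bundled, otherwise http.sys cannot use it or clients get an incomplete chain.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }
if (-not $leaf.HasPrivateKey) { throw "No private key in $PfxPath; regenerate it from yourdomain_com_private.pem" }
"Subject   : $($leaf.Subject)"
"Expires   : $($leaf.NotAfter)   (Let's Encrypt certificates are valid for 90 days)"
"CA certs  : $($pfx.OtherCertificates.Count) bundled (expected 1 or more from LE.crt)"

# 2) Import into Cert:\LocalMachine\My. The key is imported non-exportable by
#    default, so someone who later gets onto the box cannot simply export it
#    again; add -Exportable only if you really need to move it elsewhere.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password
"Installed : thumbprint $($cert.Thumbprint)"   # this is the value step 4.3 asks for

# 3) Make sure this machine can build a valid SSL chain for the host name from
#    the installed certificate (catches a missing LE.crt or a name mismatch).
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName 'yourdomain.com' -ErrorAction SilentlyContinue)) {
    Write-Warning 'Chain or name validation failed: check that LE.crt was bundled and that the name matches.'
}
```

The thumbprint printed in part 2 is what the binding in step 4 refers to; note it down, and remember that after each 90-day renewal you will install a new certificate with a new thumbprint and must update the binding accordingly.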

4) Binding the certificate:
 
Binding a certificate means linking a specific certificate already installed in the Windows store to a specific address. In our case we want Windows to use the “yourdomain.com” certificate above when answering every request to “https://yourdomain.com”.
 
4.1) Still using the certificate manager, now choose “Add binding”:

4.2) Fill in all fields. In general you won’t use the IP address, only the host name (i.e. the DNS name of your server); a host-name binding relies on SNI, so several sites can share the same IP and port. Please remember to use port 443, the standard HTTPS port. See my example below:

4.3) Select the correct certificate using the button in the “Certificate Thumbprint” edit box. See above.
 
4.4) Click the button in the “Application ID” edit box to generate a new GUID as the Application ID for your app (http.sys uses it to identify the owner of the binding; keep a note of it). Then click Add.
 
4.5) If everything is correct, the binding will succeed. You can see the binding under the “SSL Binding” link. See my example below. Notice that the certificate is installed and bound to your domain name and port number: from now on every incoming HTTPS request for that host and port will use that certificate. TLS is handled entirely by http.sys, in the kernel, so your application receives the already decrypted requests and doesn’t even know about the certificate…
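For the curious, and for anyone who needs to automate renewals or troubleshoot a binding that the tool reports as successful but browsers still reject, the PowerShell below is an added example (not IntraWeb’s code) showing the same binding expressed with the built-in netsh http commands, followed by a real TLS handshake that checks the certificate the running application actually presents. It assumes the domain from the walkthrough, the thumbprint you got when installing the .pfx, a freshly generated GUID as the Application ID, Windows 8 / Server 2012 or later (required for host-name bindings), and an elevated prompt.

```powershell
# Added example, not IntraWeb code: bind an installed certificate to a host
# name and port with netsh, then verify the live endpoint serves it.
# Assumed values: domain, thumbprint from step 3, and a new GUID as app id.
$Domain     = 'yourdomain.com'
$Thumbprint = 'PASTE-THUMBPRINT-FROM-STEP-3'   # 40 hex characters, no spaces
$AppId      = [guid]::NewGuid().ToString('B')  # e.g. {6f1c...}; keep it, you need it to remove the binding

# Host-name (SNI) binding, equivalent to the tool's "Add binding" with only
# the host name filled in. certstorename=MY is mandatory for hostnameport.
& netsh http add sslcert "hostnameport=$($Domain):443" "certhash=$Thumbprint" "appid=$AppId" certstorename=MY
if ($LASTEXITCODE -ne 0) { throw 'netsh refused the binding; is the thumbprint really in Cert:\LocalMachine\My?' }

# This is what the "SSL Binding" view in the tool shows.
& netsh http show sslcert "hostnameport=$($Domain):443"

# With the application running on port 443, do a real handshake (with SNI set
# to the domain) and compare the served certificate with the one we bound.
$tcp = New-Object System.Net.Sockets.TcpClient($Domain, 443)
$noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }  # we validate by thumbprint below
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
try {
    $ssl.AuthenticateAsClient($Domain)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($served.Thumbprint -eq $Thumbprint) {
        "OK: $Domain presents $($served.Subject), valid until $($served.NotAfter)"
    } else {
        Write-Warning "Server presented thumbprint $($served.Thumbprint), not the bound certificate. Wrong port, wrong host name, or a stale binding?"
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

After a renewal, run the netsh add command again with the new thumbprint after deleting the old binding (netsh http delete sslcert hostnameport=yourdomain.com:443); the final handshake check is the quickest way to confirm that clients really get the new certificate.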

You can now just run your application as an Http.sys application (correctly set to use HTTP on port 80 and HTTPS on port 443) and it will “just work”. Keep the port 80 listener: Let’s Encrypt will need it again when you renew the certificate, and with EnableACME = True the application keeps answering the challenge requests.
There are many steps involved in generating and installing a certificate, but our IWCertificateManager tool makes the whole process much easier and more intuitive.
Enjoy!