Secure Webserver on IIS

Hello,

in the last weeks I had some trouble installing a secured web server on our in-house server. This server is a Microsoft IIS. The certificate was created with the IIS, but was not in the format for Xojo. I got a certificate from the administrator, but this was not compatible with Xojo.

Today I got the correct file, but I had to convert it. For those who want to use Xojo on an in-house system, I'll describe the necessary steps here.

First, you need an *.pfx file from the IIS. This file is password protected.

Then extract the private key from it. As the new password I used the same one as for the pfx file. This makes it easier.
openssl pkcs12 -in <server.pfx> -nocerts -out <server-encrypted.key>

Then extract the private key from it
openssl pkcs12 -in <server.pfx> -clcerts -nokeys -out <server.crt>

Now we remove the password from the private key
openssl rsa -in <server-encrypted.key> -out <server-decrypted.key>

The last step is to create the crt file for Xojo. This is a text file with the name of your app and the extension crt. Copy the data from <server.crt> and <server-decrypted.key> into this file. The necessary parts are within

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

and

-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----

All other information is not necessary.

I hope this helps…
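The copy step from the post above, as an added example that is not code from the thread: it keeps only the two PEM blocks the post names, refuses a key that is still password protected, and writes the result readable by the owner only. The function names and the sample PEM text are constructed for illustration.

```python
import os
import re

# One PEM block; the back-reference pairs each BEGIN label with its END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Map label -> list of PEM blocks; 'Bag Attributes' and other text is dropped."""
    found = {}
    for m in PEM_BLOCK.finditer(text):
        found.setdefault(m.group(1), []).append(m.group(0).replace("\r\n", "\n"))
    return found

def build_xojo_crt(cert_text, key_text):
    """Return the combined file body: one certificate, then one unprotected RSA key."""
    certs = pem_blocks(cert_text).get("CERTIFICATE", [])
    keys = pem_blocks(key_text)
    rsa = keys.get("RSA PRIVATE KEY", [])
    if len(certs) != 1:
        raise ValueError(f"expected 1 certificate, found {len(certs)}")
    if "ENCRYPTED PRIVATE KEY" in keys or any("Proc-Type: 4,ENCRYPTED" in k for k in rsa):
        raise ValueError("key is still password protected; run the 'openssl rsa' step")
    if len(rsa) != 1:
        # OpenSSL 3.x 'openssl rsa' writes 'PRIVATE KEY' (PKCS#8) unless -traditional is given.
        raise ValueError(f"need one 'RSA PRIVATE KEY' block, found labels {sorted(keys)}")
    return certs[0] + "\n" + rsa[0] + "\n"

def write_private(path, text):
    """Write the result owner-only (0600): it contains the key without a password.
    Windows ignores these mode bits, so restrict the file with NTFS ACLs there."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w", newline="\n") as f:
        f.write(text)

# Constructed sample input shaped like 'openssl pkcs12' output; the base64 bodies are dummies.
SAMPLE_CERT = ("Bag Attributes\n    localKeyID: 01 00 00 00\nsubject=CN = app.example\n"
               "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
                    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                    "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(build_xojo_crt(SAMPLE_CERT, SAMPLE_KEY), end="")
```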

Are you running the Xojo app as a standalone and IIS reverse proxies? Or are you running it in CGI mode?

Either way the SSL configuration would be done at the IIS level and not be related to Xojo at all. So you should install your SSL certificate into IIS for the domain that serves the Xojo Web traffic.

Our experts tried to install it as a CGI script, but that didn’t work. So we use it standalone.

So do you access the standalone on its own port? http://127.0.0.1:9000

OR do you access it via a domain name on port 80? http://app.company

The former you have to pass the cert path and details to the Xojo standalone app via command line arguments.

The latter you have to install the SSL certificate for the domain name in IIS itself and it will handle the rest when reverse proxying.

Hello,

the problem was not the server. This worked fine before. At our company the only problem was that nobody knew how to create the certificate in the format for Xojo. And after I found the way to convert it, I wanted to describe it here for other users. My hope is that other users in a Microsoft environment can convert the certificate more quickly.