SSL setup for Windows

I see a few posts about SSL but not too much that’s recent. With the new browsers like FireFox showing messages when connecting to sites that are not running SSL, it seems like now is the time to get my site using SSL.

I am running one site, on Windows 2012 R2 on a dedicated server with I am using a stand alone Xojo Web App.

Is there a definitive guide or someplace where I can get very clear steps on how to set it up the SSL and App on my server? I don’t even know for example if IIS needs to have the cert installed, but I assume it does. Obviously if the user goes to http without the https I would want it to switch to the https site. I have seen this behavior on all the other sites so I assume it’s normal but thought I’d mention it.

Any help would be appreciated and I’m sure others would appreciate it also in the future as this becomes much more important.

If no one has a good step by step on how to do this, maybe Paul would be interested in doing a webinar on it???


I think there is some info on how to run SSL with a stand alone app in the forums or docs. I know I tested it at one point. I’m too lazy to look it up. I run my stand alone web apps through haproxy on linux or mac, so I use that to handle SSL.

I’m not sure what you are using IIS for since you say you’re running the app stand alone, but if you are using it to proxy to the web app locally, then you would install your SSL cert in IIS. In that case I would just google or search the IIS docs for how to properly point IIS to a cert.

Right now I am using IIS to point to

I am pretty sure I can get the cert setup on IIS.

The main question is really how to get xojo stand alone to work, but I can go back to some of the older posts and see if I can figure it out.

Had an extra minute or two. I think the blog post and that forum thread are what I used to get my test working a couple of years ago. HTH.

Thanks, I’ll take a look and give it a shot

One big point: do not use other ports than standard port 80 and 443. Your website might be blocked away. And when finished with configuration do not forget to check your site with Mozilla Observatory and

Wouldn’t that mean that I could only run one website on my server?
The port 9000 should be transparent to the user I think, but it’s not my expertise so others can chime in.

Let me get SSL working and I’ll check those out since most of the errors I’m seeing on Mozilla is because it’s not ssl

If you are using IIS URL rewrite then you are using IIS to proxy your web application. Get the certificate for the IIS website and bind port 443 to that site.

Wayne, if i do that do i still need to use command line options on the xojo app for secure socket, etc?

No. IIS will secure the connection back to the browser, the Web App will listen on its own port. So you’re offloading the SSL work to IIS and leaving your app to do its thing.

Thanks, I’ll give it a shot in the next few days and report back here how it works.

I started using IIS because of the wanting to get rid of the port number so the user doesn’t see it.


Wayne and others,
The SSL is installed, and things are sort of working but not really.
If anyone is willing to help me, I would appreciate it. I don’t want to post the url here as it then becomes available to the world, but if you are able and willing to help me, please IM me here and I’ll go over what’s working and what’s not.


If you don’t need IIS for proxy then you can run on port 443 directly. Should make things simpler.

Here is what I would like to have happen. Seems like a lot of normal websites work this way, so this is what I’m hoping that I can do.

If the user types I want it to go to ( or whatever so my app running on port 9000 can run)
If the user types I want it to go to ( or whatever so my app running on port 9000 can run)

I would like to have the site show the pad lock so everything is indeed encrypted

In addition I guess should also go to

Is this all possible? If so, can someone explain what the best way to do it is, from an IIS standpoint and from the stand alone xojo app as far as if any command line options are needed?

For using the standalone app, you can just use MyWebApp --port=80 --secureport=443. Then put the MyWebApp.crt file in the same directory as the app.

For redirect you could do something like this in the event.

if not then ShowURL "" end if

Forgot to add that in order for that to work, those ports have to be free. So IIS would need to be shut down, and anything else that might happen to be using the default web ports of 80 and 443. HTH

Kevin, By using port 80 does that mean I could only use one site on my server? It’s a dedicated server and really will need to have many sites including php sites on it.

@Oliver Osswald made a good PDF how to implement Xojo Web behind an IIS, as far as I know he did this with URL Rewriter and Reverse Proxy Rules:

Here’s my copy of his PDF, maybe he’s reading this and can add everything which is new:

@Tomas, I have gotten the actual site to work on IIS using Reverse Proxy, so actually goes to but now I’m wanting to now use SSL and I don’t think Olivers PDF addresses that.

@Wayne, do you think if I continued to use my reverse proxy so that goes to and then tried running the app with secure port 443 would work?? I apologize for asking all these questions but I’m sure there is a perfect way to do this so if I ever need this again, it will be a piece of cake, but it’s just not something I’m very familiar with.