How To Guides
      Back to home
      1. Knowledge Base
      2. TruFleet
      3. How To Guides

      Teldio TruFleet | HTTPS Connection

      Enable HTTPS for TruFleet: A Step-by-Step SSL/TLS Configuration Guide

      HTTPS Certificates

      To serve TruFleet over HTTPS, you must obtain and install an SSL/TLS certificate on the WCP Server. This guide covers three methods:

      • Let’s Encrypt: free, automated certificates trusted by browsers for internet-facing, FQDN-based deployments.
      • PowerShell-generated self-signed certificates: quick to create for local or development environments; require manual trust configuration.
      • Third-party CA certificates: obtain a production-grade certificate from ZeroSSL or your internal enterprise CA for extended validation or corporate compliance.

      Follow the step-by-step instructions in the sections below to generate, install, and bind your chosen certificate. Once configured, all TruFleet traffic will be encrypted.

      Enabling HTTPS via the WCP Configurator

      1. Open the WCP Configurator on your server.
      2. Navigate to the Web Clients tab.
      3. Check Enable HTTPS.
      4. Select your HTTPS port (443 is the default).
      5. Optionally check Enforce HTTPS Redirect to force all requests over HTTPS.
      6. Click File → Save to apply settings for the WCP Server.
      7. Restart the WCP Server service to activate HTTPS.
      8. The WCP configurator should look similar to the image below:

      Let’s Encrypt Certificate Authority

      Let’s Encrypt is a free, automated and open certificate authority (CA). The WCP Server will handle the domain validation required by Let’s Encrypt in order to obtain certificates signed by a trusted CA.

      Requirements for Using Let’s Encrypt

      To successfully use Let’s Encrypt with your WCP Server:

      • You must have a fully qualified domain name (FQDN) — e.g., customername.teldio.com.
      •  This FQDN must be publicly accessible, with TCP ports 80 (HTTP) and 443 (HTTPS) open and forwarded to the server hosting the WCP instance.
      • Let’s Encrypt does not support custom or non-standard ports — only ports 80 and 443 are accepted.
      • TruFleet should be accessed using the public domain name — accessing via IP may trigger certificate warnings in the browser.

      Mapping Domain to Localhost for Testing and Validation

      Ensure that domain-based certificates resolve correctly during validation or local testing.

      For Local Testing or Development Environments:

        • Modify C:\Windows\System32\drivers\etc\hosts with administrator privileges.
        • Add an entry like:

               127.0.0.1 customername.teldio.com

      • This enables browsers and the WCP server to resolve the domain to the local instance during setup or testing.

      Note on Production Environments

      • Host address updates should be made through public DNS A record configuration—not the hosts file.
      • The domain name must point to the external/public IP of the WCP server.

      Hosting Prerequisites (Customer or Dealer Managed)

      These steps must be completed by whoever is hosting the WCP Server — whether it's the customer organization or their radio dealer.

      • Create a DNS A record in your domain provider (e.g., Hover, GoDaddy) that maps your fully qualified domain name (e.g., customername.teldio.com) to the public IP address of the server hosting WCP.
      • Ensure TCP ports 80 and 443 are open and forwarded to that server. These ports are required for HTTP validation and HTTPS communication.
      • The hosting party should also make sure TruFleet is accessible via the public domain name to avoid browser certificate warnings.

      WCP Configurator Settings

      Inside the WCP server interface:

      • Use Let’s Encrypt for Certificates: Enable this checkbox.
      • Domain for Certificate: Enter the exact FQDN (e.g., customername.teldio.com) that was registered as the A record.
      • Email for Notifications: Enter a monitored address for renewal alerts. WCP will try to renew automatically 30 days before expiration.
      • Go to File/ Save for WCP Server to write the configuration to the server.
      • Select restart server to apply changes.

      What Happens Behind the Scenes

      The following steps occur during a certificate request:

      1. The WCP Server sends a domain validation request to Let’s Encrypt.
      2. Let’s Encrypt performs an HTTP-01 challenge, sending a request to your domain on port 80.
      3. WCP serves the challenge response directly, proving domain control.
      4. Let’s Encrypt issues the HTTPS certificate, which WCP stores and applies.

      Certificates are valid for 90 days and renew automatically if all conditions are met.

      Verifying It Works

      • Open a browser and navigate to configured domain (e.g. https://customername.teldio.com).
      • Click the 🔒 lock icon to view certificate details — it should indicate Let’s Encrypt as the issuer.

      If not working, check:

      • Firewall rules for ports 80/443
      • Domain-to-IP mapping (A record)
      • Logs in: 
        C:\Program Files (x86)\Tallysman\WCP Server\Logs\Web

      Generating Self-Signed Certificates for TruFleet on Windows

      To enable secure HTTPS access to TruFleet, a self-signed certificate must be generated and properly configured. This process involves three core steps:

      • Creating the self-signed certificate
      • Installing it into the Windows certificate store
      • Binding it to the HTTPS endpoint associated with your TruFleet domain or IP

      This section outlines how to complete these steps efficiently using PowerShell.

      Windows Script for TruFleet HTTPS Setup

      1. Download our PowerShell script for generating a self-signed certificate in Windows here: PowerShell Script
        1. Open the script using a text editor (Notepad++ works well).
      2. Modify the user variables for your system:
          1.  $dnsNames variable should be a list of all address names that may be used to access TruFleet. If you have multiple, please separate them by comma as shown in the example screenshot above.
          2. $httpsPort this variable is preconfigured to 443
          3. $expires  this variable is preconfigured, no changes needed.
          4. For each remaining field, remove the angle brackets and input your information between the quotation marks.
      3. Save the file to an easy-to-find location on your computer, rename it if needed, and make sure it retains the .ps1 extension so it remains a PowerShell script.
      4. Run the script in PowerShell as Administrator
        2. If you know the path to the script file you created, use the following
          • & "C:\Path\To\YourScript.ps1"
        3. Or, if you're already in the correct directory:
          • .\YourScript.ps1
      5. After running the script successfully, your output should resemble the screenshot below.

      PowerShell Script Results

      Most browsers warn users when accessing a site with a self-signed certificate. This script automatically installs the certificate into the Trusted Root Certification Authorities store to help prevent that. However, some browsers (like Firefox) use their own trust store and may still require manual import. A browser restart may also be needed for the changes to take effect.

      Generating Certificates from Third Party's (ZeroSSL & Others)

      If your security policy prevents use of Let’s Encrypt or you require Extended Validation, you can obtain certificates from ZeroSSL or your company’s internal Certificate Authority (CA). Follow your chosen provider’s process to download a certificate (.crt) and private key (.key).

      For detailed, step-by-step instructions on generating certificates using ZeroSSL, see our SSL Certificate Guide: TEG SSL Certificate Guide

      Once you have the .crt and .key files, proceed to the import and binding steps below.

      1. Convert to PFX Format

      Both the certificate and key must be bundled into a .pfx file for Windows:

      1. Install OpenSSL or use a machine that has it.
      2. Place your .crt and .key files in the same folder.
      3. Run this command in that folder: 
        openssl pkcs12 -export -out YourCertName.pfx -inkey yourkey.key -in yourcert.crt
      4. When prompted, enter and confirm a strong password. Remember it—you’ll need it during import.

      If you can’t run OpenSSL, email both files to support@teldio.com and we’ll convert them for you.

      2. Import the PFX into Windows

      1. Open Manage Computer Certificates (type it in Start → Enter).
      2. Expand Personal, right-click → All TasksImport.
      3. Browse to your YourCertName.pfx file (select All Files if needed) → Next.
      4. Enter the PFX password you set earlier → Next.
      5. Check Mark this key as exportableNext.
      6. Ensure Place all certificates in the following store is set to PersonalNextFinish.

      3. Bind the Certificate to HTTPS

      1. Open an elevated Command Prompt (Run as administrator).
      2. Get the certificate thumbprint:
        • In Manage Computer Certificates, open your cert under Personal → Certificates.
        • Under the Details tab, copy the Thumbprint (remove spaces).
      3. Run: 
        netsh http add sslcert ipport=0.0.0.0:443 certhash=THUMBPRINT appid='{06aabebd-3a91-4b80-8a15-adfd3c8a0b15}'
        Replace 443 with your HTTPS port if it differs, and THUMBPRINT with the value you copied.

      4. What’s Next

      • Test your site at https://yourdomain:port to confirm the cert is served.
      • If you see warnings, verify the PFX import and binding steps.
      • For any issues converting or importing certificates, reach out to support@teldio.com.