Teldio TruFleet | HTTPS Connection

This document provides instructions on how to configure an HTTPS connection for TruFleet.

HTTPS Certificates

To serve TruFleet over HTTPS, you must obtain and install an SSL/TLS certificate on the WCP Server. This guide walks through three options—Let’s Encrypt, a PowerShell-generated self-signed cert, and a CA-signed cert (ZeroSSL or your internal CA)—with step-by-step instructions in later sections. Let’s Encrypt and ZeroSSL produce trusted certificates for internet-facing, FQDN-based deployments, while self-signed certs are only valid on local networks and require manual trust configuration. Once your chosen certificate is installed and bound to your HTTPS port, all TruFleet traffic will be encrypted.


Enabling HTTPS via the WCP Configurator

  1. Open the WCP Configurator on your server.
  2. Navigate to the Web Clients tab.
  3. Check Enable HTTPS.
  4. Select your HTTPS port (443 is the default).
  5. Optionally check Enforce HTTPS Redirect to force all requests over HTTPS.
  6. Click File → Save to apply settings for the WCP Server.
  7. Restart the WCP Server service to activate HTTPS.
  8. The WCP configurator should look similar to the image below:

Let’s Encrypt Certificate Authority

Let’s Encrypt is a free, automated and open certificate authority (CA). The WCP Server will handle the domain validation required by Let’s Encrypt in order to obtain certificates signed by a trusted CA.

Requirements for using Let’s Encrypt

  • It is required that you have a fully qualified domain name (FQDN)—for example, something.mydomain.com.
  • Port 80 and 443 on the public domain name must be used for the HTTP and HTTPS ports on the WCP Server. Let’s Encrypt will not accept non-standard ports.
  • TruFleet should be accessed using the public domain name. Otherwise the browser will display certificate errors.

WCP Configurator Settings

  • Use Let’s Encrypt for Certificates: Enable to use Let’s Encrypt.
  • Domain for Certificate: The domain that Let’s Encrypt will validate (e.g.
    something.mydomain.com). Let’s Encrypt will send challenges to port 80 on the domain which the WCP Server must receive.
  • Email for Notifications: An email that will receive notices when the certificate is up for renewal. Emails will be sent 20 days, 10 days and 1 day before expiry. The WCP Server will automatically renew 30 days before expiry, so emails should only be sent if there is a problem.

The WCP Server will automatically handle the certificate requests and renewals. Once a certificate is successfully generated, it is good for 90 days. The certificate will be renewed 30 days before expiration.

The following are the general steps taken during a certificate request (for more information please see https://letsencrypt.org/how-it-works/):

  1. The WCP Server sends a request to Let’s Encrypt to prove it controls a domain name.
  2. Let’s Encrypt sends challenges to the domain name on port 80, which the WCP Server handles.
  3. The WCP Server asks Let’s Encrypt to generate a certificate for the domain name.

Verifying that it worked

If the certificate request was successful, then you will see an indication showing a secure connection. Clicking on the “lock” icon should show more information about the certificate.

If it was not successful, please check the logs in the folder: C:\Program Files (x86)\Tallysman\WCP Server\Logs\Web.

Generating Self-Signed Certificates for TruFleet on Windows

To enable secure HTTPS access to TruFleet, a self-signed certificate must be generated and properly configured. This process involves three core steps:

  • Creating the self-signed certificate
  • Installing it into the Windows certificate store
  • Binding it to the HTTPS endpoint associated with your TruFleet domain or IP

This section outlines how to complete these steps efficiently using PowerShell.

Windows Script for TruFleet HTTPS Setup

  1. Download our PowerShell script for generating a self-signed certificate in Windows here: PowerShell Script
    1. Open the script using a text editor (Notepad++ works well).
  2. Modify the user variables for your system:
      1.  $dnsNames variable should be a list of all address names that may be used to access TruFleet. If you have multiple, please separate them by comma as shown in the example screenshot above.
      2. $httpsPort this variable is preconfigured to 443
      3. $expires  this variable is preconfigured, no changes needed.
      4. For each remaining field, remove the angle brackets and input your information between the quotation marks.
  3. Save the file to an easy-to-find location on your computer, rename it if needed, and make sure it retains the .ps1 extension so it remains a PowerShell script.
  4. Run the script in PowerShell as Administrator
    1. If you know the path to the script file you created, use the following
      • & "C:\Path\To\YourScript.ps1"
    2. Or, if you're already in the correct directory:
      • .\YourScript.ps1
  5. After running the script successfully, your output should resemble the screenshot below.

PowerShell Script Results

Most browsers warn users when accessing a site with a self-signed certificate. This script automatically installs the certificate into the Trusted Root Certification Authorities store to help prevent that. However, some browsers (like Firefox) use their own trust store and may still require manual import. A browser restart may also be needed for the changes to take effect.

Generating Certificates from ZeroSSL or Other CAs

If your security policy prevents use of Let’s Encrypt or you require Extended Validation, you can obtain certificates from ZeroSSL or your company’s internal Certificate Authority (CA). Follow your chosen provider’s process to download a certificate (.crt) and private key (.key).

For detailed, step-by-step instructions on generating certificates using ZeroSSL, see our SSL Certificate Guide: TEG SSL Certificate Guide

Once you have the .crt and .key files, proceed to the import and binding steps below.

1. Convert to PFX Format

Both the certificate and key must be bundled into a .pfx file for Windows:

  1. Install OpenSSL or use a machine that has it.
  2. Place your .crt and .key files in the same folder.
  3. Run this command in that folder:
    openssl pkcs12 -export -out YourCertName.pfx -inkey yourkey.key -in yourcert.crt
  4. When prompted, enter and confirm a strong password. Remember it—you’ll need it during import.

If you can’t run OpenSSL, email both files to support@teldio.com and we’ll convert them for you.


2. Import the PFX into Windows

  1. Open Manage Computer Certificates (type it in Start → Enter).
  2. Expand Personal, right-click → All TasksImport.
  3. Browse to your YourCertName.pfx file (select All Files if needed) → Next.
  4. Enter the PFX password you set earlier → Next.
  5. Check Mark this key as exportableNext.
  6. Ensure Place all certificates in the following store is set to PersonalNextFinish.

3. Bind the Certificate to HTTPS

  1. Open an elevated Command Prompt (Run as administrator).
  2. Get the certificate thumbprint:
    • In Manage Computer Certificates, open your cert under Personal → Certificates.
    • Under the Details tab, copy the Thumbprint (remove spaces).
  3. Run:
    netsh http add sslcert ipport=0.0.0.0:443 certhash=THUMBPRINT appid='{06aabebd-3a91-4b80-8a15-adfd3c8a0b15}'
    Replace 443 with your HTTPS port if it differs, and THUMBPRINT with the value you copied.

4. What’s Next

  • Test your site at https://yourdomain:port to confirm the cert is served.
  • If you see warnings, verify the PFX import and binding steps.
  • For any issues converting or importing certificates, reach out to support@teldio.com.