Teldio TruFleet | HTTPS Connection

This document provides instructions on how to configure an HTTPS connection for TruFleet.

HTTPS Certificates

For TruFleet to be served over HTTPS, a certificate must be generated and installed on the Windows operating system. Guidelines are provided for how to accomplish this using either Let’s Encrypt as the certificate provider or self-signed certificates.

Let’s Encrypt Certificate Authority

Let’s Encrypt is a free, automated and open certificate authority (CA). The WCP Server will handle the domain validation required by Let’s Encrypt in order to obtain certificates signed by a trusted CA.


Requirements for using Let’s Encrypt

  • You must own a public domain name (e.g. something.mydomain.com).
  • Ports 80 and 443 on the public domain name must be used for the HTTP and HTTPS ports on the WCP Server. Let’s Encrypt will not accept non-standard ports.
  • TruFleet should be accessed using the public domain name. Otherwise the browser will display certificate errors.

WCP Configurator Settings

  • Use Let’s Encrypt for Certificates: Enable to use Let’s Encrypt.
  • Domain for Certificate: The domain that Let’s Encrypt will validate (e.g. something.mydomain.com). Let’s Encrypt will send challenges to port 80 on the domain which the WCP Server must receive.
  • Email for Notifications: An email that will receive notices when the certificate is up for renewal. Emails will be sent 20 days, 10 days and 1 day before expiry. The WCP Server will automatically renew 30 days before expiry, so emails should only be sent if there is a problem.

The WCP Server will automatically handle the certificate requests and renewals. Once a certificate is successfully generated, it is good for 90 days. The certificate will be renewed 30 days before expiration.


The following are the general steps taken during a certificate request (for more information please see https://letsencrypt.org/how-it-works/):

  1. The WCP Server sends a request to Let’s Encrypt to prove it controls a domain name.
  2. Let’s Encrypt sends challenges to the domain name on port 80, which the WCP Server handles.
  3. The WCP Server asks Let’s Encrypt to generate a certificate for the domain name.

Verifying that it worked


If the certificate request was successful, then you will see an indication showing a secure connection. Clicking on the “lock” icon should show more information about the certificate.


If it was not successful, please check the logs in the folder: C:\Program Files (x86)\Tallysman\WCP Server\Logs\Web.
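A scripted form of this check, as an added example that is not part of Teldio's documentation: it reads the certificate served on port 443 and reports its issuer, expiry and validation result. The host name is the sample domain used above, and the function name Get-ServedCertificate is an assumption of this example.

```powershell
# Added example: report on the certificate actually served on the HTTPS port.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # the "Domain for Certificate" value
        [int] $Port = 443
    )
    $state = @{ Errors = $null }
    # Let the handshake complete even when validation fails, so that a bad
    # certificate can still be inspected; the validation result is recorded.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($s, $certificate, $chain, $errors)
        $state.Errors = $errors
        $true
    }.GetNewClosure())

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysRemaining = $daysLeft
            PolicyErrors  = $state.Errors      # "None" = trusted chain and matching name
            RenewalLate   = $daysLeft -lt 30   # renewal is expected 30 days before expiry
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Get-ServedCertificate -HostName "something.mydomain.com"
```

A PolicyErrors value other than None, or RenewalLate being True on a Let’s Encrypt certificate, is a reason to look at the Web logs mentioned above.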

Self-Signed Certificates

A certificate can be generated in several ways. In general, these are the required steps:

  1. Generate a self-signed certificate.
  2. Place the certificate in the Windows certificate store.
  3. Register the certificate with the URL that will be used to serve HTTPS.

This section describes how to use a PowerShell script to complete all the above steps on a Windows 10 or Windows Server 2016 machine.

Download the PowerShell script (PowerShell Script), or copy and paste the following into a file and give it the PowerShell extension “.ps1”:

    # user variables
    $dnsNames = "myurl.org", "localhost"   # the dns name(s) that will be used to access TruFleet
    $httpsPort = "443"                     # port for hosting HTTPS, must match WCP Configurator value
    $expires = (Get-Date).AddYears(20)     # when the certificate should expire
    $companyName = ""                      # the name of your organization
    $countryCode = "US"                    # 2 digit country code (e.g. 'US', 'CA')
    $state = ""                            # state or province
    $city = ""                             # city

    # do not change variables
    $ErrorActionPreference = "Stop"
    $name = "WCP Server"
    $subject = "CN=$name,O=$companyName,L=$city,S=$state,C=$countryCode"
    $certstorelocation = "Cert:\LocalMachine\My"

    "[STEP 1] Create a self signed certificate and place in certificate store"
    $cert = New-SelfSignedCertificate -DnsName $dnsNames -CertStoreLocation $certstorelocation -NotAfter $expires -FriendlyName $name -Subject $subject -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
    $cert
    ""
    "[STEP 2A] Deregistering any previous certificate"
    "(Ignore error ""cannot find file specified"")"
    $cmd = "netsh http delete sslcert ipport=0.0.0.0:$httpsPort"
    "Running command: $cmd"
    Invoke-Expression $cmd
    "[STEP 2B] Registering new certificate binding"
    $cmd = "netsh http add sslcert ipport=0.0.0.0:$httpsPort certhash=$($cert.Thumbprint) appid='{06aabebd-3a91-4b80-8a15-adfd3c8a0b15}'"
    "Running command: $cmd"
    Invoke-Expression $cmd

Modify the user variables for your system. The $dnsNames variable should list all address names that may be used to access TruFleet. Run the PowerShell script with administrative privileges (search the internet for help on PowerShell if needed).


Once the script has run successfully, results similar to the screenshot below should be seen.

PowerShell Script Results

Browsers will typically warn the user when attempting to view a website that is using a self-signed certificate. The user can avoid this warning by trusting the certificate – this will be done differently depending on the browser used. In general, the certificate can be downloaded from the browser and double clicked to start the install process. The default settings can be used, but the certificate must be placed in the “Trusted Root Certification Authorities” store when presented with that option. Some browsers must be restarted after the certificate has been installed in Windows.
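The same trust step can be scripted. The following is an added example, not part of Teldio's documentation: it exports only the public certificate on the server and, on a client, places it in “Trusted Root Certification Authorities” only if its thumbprint matches the one read on the server. The file paths and the function name Add-TrustedWcpCertificate are assumptions; the friendly name “WCP Server” is the one set by the script above.

```powershell
# Added example. Both parts need an elevated PowerShell session.

# --- On the WCP Server: export the public certificate (the private key stays behind) ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq "WCP Server" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
Export-Certificate -Cert $cert -FilePath "C:\Temp\wcp-server.cer" | Out-Null   # placeholder path
"Thumbprint to check on clients: $($cert.Thumbprint)"

# --- On each client: trust the file only if it is the certificate exported above ---
function Add-TrustedWcpCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,               # copied .cer file
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # value printed on the server
    )
    $fullPath = (Resolve-Path $Path).Path
    $file = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
    # Strip spaces and invisible characters that often come along with a pasted thumbprint.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($file.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($file.Thumbprint); not importing."
    }
    Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root
}
```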

ZeroSSL and Other Options

A certificate can be generated using other tools, such as OpenSSL or purchasing a certificate from a trusted authority like ZeroSSL. Please consult your IT team to check your company's certificate generation process. If you prefer to generate certificates using ZeroSSL, please access our SSL Certificate Guide and follow the process to generate the required certificates.

Once a certificate is obtained, and you have the certificate (.crt) and private key (.key) files, those files need to be converted to the Personal Information Exchange (.pfx) format so that both can be imported as a single certificate entry in the Windows Certificate Manager.

If you are able to use OpenSSL, use the following command to create the .pfx file using the certificate and private key files:

openssl pkcs12 -export -out <NameofCertificate>.pfx -inkey <privatekey>.key -in <certificate>.crt

<NameofCertificate> = What you would like to name the certificate file.

<privatekey> = The name of the private key file from your certificate package.

<certificate> = The name of the certificate file from your certificate package.

*Make sure that you are within the same directory as the files before running this OpenSSL command.

*If you are unable to use OpenSSL, please email your certificate and private key to support@teldio.com and we will assist with converting your certificate package to .pfx.

Once this command is run, it will ask you to enter a password for your certificate. It is important to remember this password because you will need it again when you are registering your certificate within the Windows Certificate Manager. You will now have the <NameofCertificate>.pfx file and will be able to import your certificate to Windows.

Using the newly created .pfx file, complete steps #2 and #3 from the self-signed certificate process:

  • Place the certificate in the Windows certificate store:
    • Go to “Manage Computer Certificates” from the administrative tools.
    • Right-click the “Personal” folder→All Tasks→Import.
    • Browse to and select the <NameofCertificate>.pfx file (you may have to click the file type dropdown box and select "All Files").
    • Click Next
    • Enter the password you created when creating the .pfx file (if the file was created by Teldio, we will provide you with this password).
    • Under Import Options, tick the box for "Mark this key as exportable. This will allow you to back up or transport your keys at a later time."
    • Click Next
    • Select “Place all certificates in the following store” and under certificate store select "Personal"
    • Click Next
    • Click Finish.
  • Register the certificate with the URL that will be used to serve HTTPS:
    • Run a Command Prompt with administrative privileges.
    • Enter the command “netsh http add sslcert ipport=0.0.0.0:<https_port> certhash=<thumbprint> appid='{06aabebd-3a91-4b80-8a15-adfd3c8a0b15}'”.
      • Where <https_port> is 443 by default.
      • Where <thumbprint> can be found by double clicking the certificate in the certificate store and looking under the Details tab.
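The import and registration steps above can also be done from PowerShell. This is an added example, not Teldio's own script: it imports the .pfx, binds the certificate that carries the private key, and then checks that the binding shows the expected thumbprint. The .pfx path is a placeholder; the port and appid are the values given on this page.

```powershell
# Added example; run in an elevated PowerShell session on the WCP Server.
$ErrorActionPreference = "Stop"
$pfxPath   = "C:\Temp\NameofCertificate.pfx"            # placeholder: your <NameofCertificate>.pfx
$httpsPort = "443"                                      # must match the WCP Configurator value
$appId     = "{06aabebd-3a91-4b80-8a15-adfd3c8a0b15}"   # appid given on this page

# Step 2: import into Local Machine > Personal, key marked exportable as in the wizard.
$password = Read-Host -AsSecureString "Password entered when the .pfx was created"
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $password -Exportable

# A .pfx can also carry CA certificates; bind the one that has the private key.
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key was imported from $pfxPath" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Step 3: remove any existing binding on the port, then register the new one.
netsh http delete sslcert "ipport=0.0.0.0:$httpsPort" | Out-Null   # reports an error if none exists
netsh http add sslcert "ipport=0.0.0.0:$httpsPort" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Confirm that the binding now points at the imported certificate.
$binding = (netsh http show sslcert "ipport=0.0.0.0:$httpsPort") -join "`n"
if ($binding -notmatch [regex]::Escape($cert.Thumbprint)) {
    throw "Binding on port $httpsPort does not reference thumbprint $($cert.Thumbprint)"
}
"Port $httpsPort is bound to $($cert.Subject) [$($cert.Thumbprint)], valid until $($cert.NotAfter)"
```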