SSL - arunkumarrawat/Wexflow GitHub Wiki

HTTPS/SSL support is available in Wexflow starting from version 9.2. You can enable it for both .NET 4.8 and .NET 9.0+ versions.

Table Of Contents

  1. Installation Options
    1. .NET 4.8
    2. .NET 9.0+
  2. Development Certificates (Self-Signed)
  3. Admin Panel
  4. .NET 9.0+
    1. Prerequisites
    2. Windows
    3. Linux
    4. macOS
    5. Notes
    6. Wexflow Server (Windows)
    7. Wexflow Server (Linux)
    8. Wexflow Server (macOS)
  5. .NET 4.8
    1. Enable HTTPS for Wexflow Windows Service
    2. Install the certificate
    3. Get private key path
    4. Grant permissions to Network Service and SYSTEM
    5. Bind the certificate to port 8000

Installation Options

You can find detailed installation instructions here.

.NET 4.8

You can install Wexflow as a Windows Service (targeting .NET Framework 4.8) using one of the following installers:

  • wexflow-x.x-windows-x64.exe (64-bit)
  • wexflow-x.x-windows-x86.exe (32-bit)

.NET 9.0+

You can install Wexflow as a cross-platform app/service (targeting .NET 9.0+) on Windows, Linux, or macOS using one of the following packages:

  • wexflow-x.x-windows-netcore.zip
  • wexflow-x.x-linux-netcore.zip
  • wexflow-x.x-macos-netcore.zip

Note:
Many of the operations in this guide — including installing services, managing certificates, and configuring firewalls or port bindings — require Administrator (Windows) or root (Linux/macOS) privileges.
Be sure to run your terminal or PowerShell with elevated permissions where applicable.

Development Certificates (Self-Signed)

To generate a self-signed certificate for development:

  • On Windows, use the ssl.ps1 script
  • On Linux, use the ssl.sh script

You can test with the following endpoint: https://localhost:8000/api/v1/hello

Admin Panel

No configuration is required to use the admin panel.

If you plan to host the admin panel on a different web server and use HTTPS for the Wexflow server, make sure the web server hosting the admin panel also uses HTTPS. This is necessary to avoid mixed content issues in modern browsers.

By default, the admin panel is available at: https://localhost:8000/

.NET 9.0+

Prerequisites

Generate .pfx certificate file.

Windows

  1. Install Win64 OpenSSL
  2. Add C:\Program Files\OpenSSL-Win64\bin to your PATH environment variable
  3. Open a PowerShell and run the following command to export your certificate to PFX:
$KEY = "C:\Wexflow-netcore\wexflow.key"
$CRT = "C:\Wexflow-netcore\wexflow.crt"
$PFX = "C:\Wexflow-netcore\wexflow.pfx"
$PASSWORD = "wexflow2018"
openssl pkcs12 -export -out $PFX -inkey $KEY -in $CRT -password pass:$PASSWORD

Linux

KEY="/opt/wexflow/Wexflow/wexflow.key"
CRT="/opt/wexflow/Wexflow/wexflow.crt"
PFX="/opt/wexflow/Wexflow/wexflow.pfx"
PASSWORD="wexflow2018"
openssl pkcs12 -export -out "$PFX" -inkey "$KEY" -in "$CRT" -password pass:"$PASSWORD"

macOS

KEY="/Applications/wexflow/Wexflow/wexflow.key"
CRT="/Applications/wexflow/Wexflow/wexflow.crt"
PFX="/Applications/wexflow/Wexflow/wexflow.pfx"
PASSWORD="wexflow2018"
openssl pkcs12 -export -out "$PFX" -inkey "$KEY" -in "$CRT" -password pass:"$PASSWORD"

Notes

  • Self-signed certificate warning:
    If you're using a self-signed certificate, browsers will show a security warning unless the certificate is explicitly trusted on your system.

Wexflow Server (Windows)

Edit .\Wexflow.Server\appsettings.json:

{
  "HTTPS": true,
  "PfxFile": "C:\\Wexflow-netcore\\wexflow.pfx",
  "PfxPassword": "wexflow2018"
}

Then restart the server.

Wexflow Server (Linux)

Place your PXF in /opt/wexflow/Wexflow/wexflow.pfx.

Edit /opt/Wexflow/Wexflow.Server/appsettings.json:

{
  "HTTPS": true,
  "PfxFile": "/opt/wexflow/Wexflow/wexflow.pfx",
  "PfxPassword": "wexflow2018"
}

Open Terminal and run the following command to restart wexflow service:

sudo systemctl restart wexflow

Wexflow Server (macOS)

Place your PFX in /Applications/wexflow/Wexflow/wexflow.pfx.

Edit /Applications/Wexflow/Wexflow.Server/appsettings.json:

{
  "HTTPS": true,
  "PfxFile": "/Applications/wexflow/Wexflow/wexflow.pfx",
  "PfxPassword": "wexflow2018"
}

Open Terminal and run:

cd /Applications/wexflow/Wexflow.Server
dotnet Wexflow.Server.dll

.NET 4.8

Enable HTTPS for Wexflow Windows Service

  1. Set HTTPS option to true in C:\Program Files\Wexflow\Wexflow.Server.exe.config

  2. Restart Wexflow Windows Service

Install the certificate

  • Open the MMC console (Win + R, then type mmc)
  • Install wexflow.crt in Trusted Root Certification Authorities (Local Computer)
  • Install wexflow.pfx in Personal store (Local Computer)
  • Locate your SSL certificate, double-click it
  • Go to the Details tab, find Thumbprint
  • Copy the thumbprint and remove all spaces

Get private key path

$thumb = "81d53a62964240b8d2cc77b40bf7e6c758554afc"
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName"
$keyPath

Example output:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\088395182206fa2acc494753b3099972_4ced353e-566d-4394-821c-bc9f487c4b5b

Grant permissions to Network Service and SYSTEM

icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\088395182206fa2acc494753b3099972_4ced353e-566d-4394-821c-bc9f487c4b5b" /grant *S-1-5-20:R
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\088395182206fa2acc494753b3099972_4ced353e-566d-4394-821c-bc9f487c4b5b" /grant *S-1-5-18:R

Bind the certificate to port 8000

  • Generate a new GUID for appid in PowerShell:
New-Guid
  • Run the following command (replace the certhash and appid with your values):
netsh http add sslcert ipport=0.0.0.0:8000 certhash=81d53a62964240b8d2cc77b40bf7e6c758554afc appid="{05e46c28-0ed2-4ac0-9473-e78190a425d4}"
  • Verify the binding:
netsh http show sslcert ipport=0.0.0.0:8000