Offline / Network only Mode
Intro:
In some cases, you don't want your system accessible on the internet, or you want it to keep working when it is not online. In this case, you will need to set up the IIS instance with a self-signed SSL certificate assigned to the API, and then import that certificate on each device that uses the app.
To connect to an IIS (Internet Information Services) Web API over a local network using HTTPS (SSL/TLS), like **https://192.168.0.12:4443/**, you'll need to ensure a few things are set up correctly. Here’s a step-by-step guide:
1. **Create a Self-Signed Certificate:** Since you're working in a local environment without internet access, you won't be able to use a certificate from a public certificate authority (CA). Instead, you can create a self-signed certificate. You can do this using PowerShell on the server where IIS is installed. Open PowerShell as an administrator and use the following command to create a self-signed certificate:

   ```powershell
   $cert = New-SelfSignedCertificate -DnsName "192.168.0.12" -CertStoreLocation cert:\LocalMachine\My
   ```

   This command creates a self-signed certificate with the DNS name set to the IP address you want to use (192.168.0.12). The certificate is stored in the local machine's personal store.

2. **Bind the Certificate to Your IIS Website:**
   - Open the IIS Manager.
   - Select your website from the left panel.
   - In the right panel, select "Bindings..."
   - Add a new binding or edit an existing one:
     - Type: **https**
     - IP address: Select the IP address you want to use or leave it as "All Unassigned."
     - Port: **4443**
     - SSL certificate: Select the self-signed certificate you created earlier.
   - Confirm by clicking "OK."

3. **Trust the Self-Signed Certificate on the Client Machines:** Since you're using a self-signed certificate, client machines in your local network won't trust it by default. You need to export the certificate from the server and import it into the trusted root certification authorities on each client machine.
   - **Export the Certificate:** On the IIS server, open "Manage computer certificates" (you can search for it in the start menu). Go to Personal -> Certificates, find your certificate, right-click on it, select "All Tasks," and then "Export...". Follow the wizard and make sure to export the public key (.cer file).
   - **Import the Certificate on Client Machines:** On each client machine, double-click the exported certificate file. Choose "Install Certificate" and place it in the "Trusted Root Certification Authorities" store.

4. **Adjust Firewall Settings:** Ensure that the firewall on the IIS server allows incoming connections on the port you chose (in this case, 4443). You can add a rule in Windows Firewall for this:

   ```powershell
   New-NetFirewallRule -DisplayName "Allow HTTPS 4443" -Direction Inbound -Protocol TCP -LocalPort 4443 -Action Allow
   ```

5. **Access the Web API:** Now, from the client machines in your local network, you should be able to access the Web API using the URL https://192.168.0.12:4443/.
Remember, using a self-signed certificate is generally recommended only for testing or internal use due to the lack of third-party validation. For production environments, especially those exposed to the internet, always use certificates from trusted CAs.
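The server-side steps above can also be scripted. The following is an added example, not part of the original guide; the site name `Default Web Site`, the export path and the `-RemoteAddress LocalSubnet` restriction on the firewall rule are assumptions made here.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$ip       = '192.168.0.12'                         # address used throughout this guide
$port     = 4443                                   # port used throughout this guide
$siteName = 'Default Web Site'                     # assumption: replace with your site's name
$cerPath  = Join-Path $env:TEMP "webapi-$ip.cer"   # assumption: export location

# Step 1: create the certificate with the guide's own command.
$cert = New-SelfSignedCertificate -DnsName $ip -CertStoreLocation cert:\LocalMachine\My

# Step 2: add the HTTPS binding ("*" is "All Unassigned") and attach the certificate.
if (Get-WebBinding -Name $siteName -Protocol https -Port $port) {
    throw "An https binding on port $port already exists; edit it in IIS Manager instead."
}
New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Step 3: export the public certificate only. Export-Certificate never writes the
# private key; the reload below confirms the file that will leave the server has none.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($exported.HasPrivateKey) { throw "Exported file contains a private key: $cerPath" }

# Step 4: the guide's firewall rule, narrowed here (assumption) to the local subnet
# so the port is not opened to every network the server is attached to.
New-NetFirewallRule -DisplayName "Allow HTTPS 4443" -Direction Inbound -Protocol TCP -LocalPort $port -RemoteAddress LocalSubnet -Action Allow | Out-Null

# Step 5: show the values to read out or write down when distributing the file.
# Clients compare the thumbprint before trusting; NotAfter is when they stop trusting it.
[pscustomobject]@{ CerFile = $cerPath; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
```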
When connecting multiple devices on the same network to your IIS Web API using HTTPS and a self-signed certificate, you'll need to ensure that all these devices trust the self-signed certificate you've created. Here’s how you can achieve this:
1. **Create and Bind the Self-Signed Certificate:** Follow the steps above to create a self-signed certificate on your IIS server and bind it to your website using the appropriate IP and port (e.g., https://192.168.0.12:4443/).

2. **Export the Self-Signed Certificate:** After creating the self-signed certificate, export it from the server. You only need the public key part of the certificate for the clients to trust it.

   To export, go to "Manage computer certificates" on the server, navigate to Personal -> Certificates, find your certificate, right-click on it, select "All Tasks," and then "Export...". Choose to export the public key only (typically as a .cer file).

3. **Import and Trust the Certificate on All Client Devices:**
   - **Windows Clients:**
     - Transfer the exported .cer file to the client machine.
     - Double-click the .cer file and choose the "Install Certificate" option.
     - Install it in the "Trusted Root Certification Authorities" store to ensure the system trusts the certificate.
   - **macOS Clients:**
     - Transfer the .cer file to the Mac.
     - Double-click the .cer file to open it in Keychain Access.
     - Add it to the "System" keychain.
     - After it's added, find the certificate in Keychain Access, double-click it, and set "Trust" to "Always Trust" under "When using this certificate."
   - **Linux Clients:**
     - Copy the .cer file to the Linux device.
     - Depending on the distribution, you can use the `update-ca-certificates` utility. Place the .cer file in `/usr/local/share/ca-certificates/` and then run `sudo update-ca-certificates`.
   - **Android Clients:**
     - Android requires a bit more work because you need to use the certificate as part of a VPN or install it manually for WiFi networks.
     - To install it manually, transfer the .cer file to the device, go to "Settings" -> "Security" -> "Install from SD card" (or similar, depending on your version of Android), and select the certificate file.
   - **iOS Clients:**
     - Send the .cer file via email or download it from a web link onto the iOS device.
     - Tap the certificate file in the email or web link, and you will be prompted to install it.
     - Follow the installation prompts, and then go to "Settings" -> "General" -> "About" -> "Certificate Trust Settings" and enable full trust for the certificate.

4. **Adjust Firewall Settings:** Ensure the firewall on the IIS server allows incoming connections on your chosen port (4443 in this case). You might have already configured this.

5. **Verify the Connection:** After these steps, each device on your local network should be able to access the Web API using https://192.168.0.12:4443/ without SSL warnings, assuming the certificate is trusted and installed correctly.
This approach ensures all devices within the local network can securely connect to your IIS Web API using HTTPS, even when the internet is unavailable.
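For the Windows client case, the import and the final verification can be done in one script that refuses to trust a file whose thumbprint differs from the one read on the server. This is an added example, not part of the original guide; the file path, the thumbprint placeholder and the choice of TLS 1.2 for the test handshake are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on a Windows client.
$ip       = '192.168.0.12'                       # server address used in this guide
$port     = 4443                                 # port used in this guide
$cerPath  = 'C:\Temp\webapi-192.168.0.12.cer'    # assumption: where the .cer was copied
$expected = '<THUMBPRINT-READ-ON-THE-SERVER>'    # placeholder: obtain it out of band

# 1. Check the file before trusting it. Anything placed in the Root store is
#    trusted machine-wide, so a swapped file must be caught here.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($fileCert.Thumbprint -ne ($expected -replace '\s', '')) {
    throw "Thumbprint mismatch: file has $($fileCert.Thumbprint). Certificate not imported."
}

# 2. Import into "Trusted Root Certification Authorities" for the local machine.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Open a TLS connection with normal validation. AuthenticateAsClient throws if
#    the chain is not trusted or the certificate does not match the address used.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $ip, $port
try {
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($tcp.GetStream())
    # Assumption: the server accepts TLS 1.2. Revocation checking is off because
    # a self-signed certificate has no revocation endpoint.
    $ssl.AuthenticateAsClient($ip, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)

    # 4. Confirm the server presents the same certificate that was just trusted.
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    if ($served.Thumbprint -ne $fileCert.Thumbprint) {
        throw "Server presented a different certificate: $($served.Thumbprint)"
    }
    "TLS OK: ${ip}:$port presented $($served.Thumbprint), valid until $($served.NotAfter)"
}
finally {
    $tcp.Close()
}
```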