TLS Certificate Configuration Overview

Overview

All network components in vbmanlib (cHttpServer, cWinsock, cWebSocketServer/Client) share a unified TLS certificate configuration interface through chained function style calls, supporting three certificate sources:

Certificate Mode	Chained Function	Use Case	Details
Certificate File	TlsCertFile()	Most common, production deployment, PFX/PEM files	Certificate File Mode
Windows Certificate Store	TlsCertSubject()	Enterprise environments, IIS shared certificates, AD certificates	Windows Certificate Store Mode
Memory Certificate Collection	TlsCertMemory()	Dynamic generation, ACME issuance, embedded certificates	Memory Certificate Collection Mode

Quick Selection Guide

Which certificate mode should I use?
│
├─ Have .pfx / .p12 / .pem files?
│   └─ ✅ TlsCertFile (Simplest, recommended)
│
├─ Certificate already installed in Windows (shared with IIS)?
│   └─ ✅ TlsCertSubject
│
├─ Need to dynamically generate/load certificates at runtime?
│   └─ ✅ TlsCertMemory
│
└─ Only need to connect to TLS server (client role)?
    └─ ✅ cWinsock.Tls() (No local certificate needed)

Universal Chained Function Signatures

TLS chained function names and parameters are identical across all components, only return types differ:

PEM Certificates (Let's Encrypt)

' ─── cHttpServer ───
Server.TlsCertFile("C:\certs\fullchain.pem|C:\certs\privkey.pem").WebRoot("C:\www").Start 443

' ─── cWinsock (Server) ───
svr.TlsCertFile("C:\certs\fullchain.pem|C:\certs\privkey.pem").Listen 443

' ─── cWebSocketServer ───
wsSvr.TlsCertFile("C:\certs\fullchain.pem|C:\certs\privkey.pem").Listen 443

PFX with Password

' ─── cHttpServer ───
Server.TlsCertFile("C:\certs\server.pfx", "my-password").WebRoot("C:\www").Start 443

' ─── cWinsock (Server) ───
svr.TlsCertFile("C:\certs\server.pfx", "my-password").Listen 443

' ─── cWebSocketServer ───
wsSvr.TlsCertFile("C:\certs\server.pfx", "my-password").Listen 443

Windows Certificate Store

' ─── cHttpServer ───
Server.TlsCertSubject("www.example.com").Start 443

' ─── cWinsock (Server) ───
svr.TlsCertSubject("www.example.com").Listen 443

' ─── cWebSocketServer ───
wsSvr.TlsCertSubject("www.example.com").Listen 443

Client Mode (No Local Certificate Needed)

' ─── cWinsock (Client) ───
cli.Tls.Connect "example.com", 443

' ─── cWebSocketClient (wss:// auto-enables TLS) ───
wsCli.Connect "wss://example.com/ws"

HTTP + HTTPS Dual Port

Dim httpSvr As New cHttpServer
httpSvr.WebRoot("C:\www").Start 80

Dim httpsSvr As New cHttpServer
httpsSvr.TlsCertFile("C:\certs\server.pfx", "pwd").WebRoot("C:\www").Start 443

Pure HTTP (Without Any Tls Function)

Server.WebRoot("C:\www").Start 80

ALPN Protocols

Component	Default AlpnProtocols	Description
cHttpServer	"http/1.1"	Set to "h2,http/1.1" for HTTP/2
cWinsock	"http/1.1"	Can be customized based on application protocol
cWebSocketServer	"" (Empty)	WebSocket has its own upgrade mechanism, usually no ALPN needed

Underlying Implementation

All components ultimately implement TLS through cTlsSocket (based on OpenSSL):

cHttpServer ───→ cTlsReMaster ───→ cTlsSocket ───→ OpenSSL
cWinsock    ─────────────────→ cTlsSocket ───→ OpenSSL
cWebSocket  ───→ cWinsock    ───→ cTlsSocket ───→ OpenSSL

InitServerTls detects certificate sources in the following priority:

1. Memory collection (Certificates + PrivateKey)
2. Certificate file (CertFile)
3. Windows Certificate Store (CertSubject)

Supported TLS Versions

• TLS 1.2
• TLS 1.3

Certificate Format Reference

Format	Extension	Characteristics	Password Protection
PKCS#12	.pfx .p12	Binary, contains certificate chain + private key	Supported
PEM	.pem .crt .key	Base64 text, human-readable	Private key can be encrypted
DER	.der .cer	Binary, single certificate	Not applicable

Component TLS Documentation

Component	Documentation
cHttpServer	TLS/HTTPS Support
cWinsock	TLS/SSL Support
cWebSocket	TLS (wss://) Support

---

Last Updated: 2026-06-09