Please be advised that this guide is intended for use by an IT professional with experience in Internet security and networking. 

Getting Started

The ClockOn Webportal is a self contained Webservice that is installed on the ClockOn server. It is designed  to give employees a greater level of self service and being self contained it does not rely on IIS, Apache or other web hosting platforms to run.

The first step in the setup is to check to ensure that your ClockOn licence currently include the ClockOn Webportal. 

You can do this by clicking the blue ClockOn icon in the top left of ClockOn.

This will display your current ClockOn and Webportal licence details.

If your ClockOn Webportal has been enabled previously it can be accessed using the loop-back address on the ClockOn server, and from other machines within the site replacing "" with either the server's host name or IP address.

If you are not able to connect using the server's IP address or host name it is likely that their is a firewall blocking the port required for the Webportal. If you are still having issues please contact the ClockOn support team for further assistance.

In order to successfully setup the Webportal for external access and to enable SSL you will need the following

  1. A Static WAN IP address provided by your ISP.
  2. Access to and the ability to edit Port Forwarding settings at the head office site.
  3. A registered DNS address.
  4. A verified SSL certificate (either linked to the DNS record or a wildcard to cover the entire domain).

Enable for external access

In order for users to reliably connect to the Webportal when working away from the head office a Static IP address will be necessary, please check with your Internet service provider (ISP) to determine whether this has been allocated to your Internet account.

Once this has been done you will need to enable Port forwarding on the modem\router at your head office to direct the Webportal traffic through to your ClockOn server's IP address. By default the Webportal uses the port 8888 (4444 for SSL), however this can be adjusted as per your needs, if you need this to be changed please contact the ClockOn support team.

Once these steps have been done your should be able to connect to the Webportal on  http://{your WAN IP address}:8888

DNS setup

If you prefer to provide your users with a written address under your pre-existing domain name you can do this by adding a A record to point to the WAN IP address for the ClockOn server site. 

For instructions on how to do this please contact your DNS provider.

Please note that this step is required prior to the SSL certificate encryption setup.

SSL certificates

We strongly recommend the use of a SSL certificate to encrypt the traffic to the Webportal site and to do this you will need to purchase a SSL certificate for the domain that you intend to host the Webportal from.

If you do not already have a certificate, you can use either IIS or another an external tool such as OpenSSL or XCA (free alternative with minimal setup) to generate a CSR file.

In this guide we show steps on how to use both solutions.

The CSR file is used in the purchase process for the certificate and will need to be generated prior to this point.

Please be aware that when purchasing the certificate there are usually several different types on offer, you will need to assess the pros and cons of each as per the businesses requirements, for example you can choose to purchase a single or wildcard certificate. 

Single certificate option is cheaper but is bound to a single sub domain and any further sub domains will require an additional certificate. - certificate1 - certificate2 - certificate3

Wildcard certificates (while usually more expensive) encompass the entirety of the domain allowing it to be used for all sub domain records without the need for purchasing a new certificate. - certificate1 - certificate1 - certificate1

To generate your CSR  file and complete the request process through the XCA software follow the steps below.

  1. Download, install XCA then setup a new database on the local machine.

  2. Select the Private Keys  tab and press New Key.

  3. Name the key as per the domain that you intend on registering.
    Set the KeyType to RSA.
    Set the Keysize to 2048 bit
    Then click the create button

  4. If you wish to apply a password to the key Right Click on the generated key and select  Change Password, set the password and save.
    Please note that If you set a password this will be linked to the certificate so you must enter this with the software for the certificate to work.

  5. Select the Certificate signing request tab and click New Request.
  6. On the Source tab modify the following
     - Set the intended DNS name for the site into the unstructuredName field.
     - Ensure that the Signature algorithm is set to  SHA256

  7. Select the Subject tab and complete the following
    - Set the Internal name to the address the domain name that you intend to register.
    - Set the countryName to the code for the country Australia is "AU".
    - Set the stateOrProvinceName to the state abbreviation code, New South Wales is NSW.
    - Set the localityName to sites suburb.
    - Set the organisationName to the name of the business.
    - Set the organizationalUnitName to the department within the business that is making the request
    - Set the commonName to be the same as the Internal Name
    - Set the emailAddress to the administration email address for the business.

    Ensure that the Private Key is set to use the key that you generated previously.

    Press OK to completed the process

  8. Select the new certificate request entry and click Export 

  9. Ensure that the name is set to the domain name that you intend to register and set the Export Format to PEM (*.pem).
    Ensure that the actual file name is set to end in .csr

  10. Use the new CSR file to obtain the SSL certificate file.

  11. Once the 

To generate your CSR  file and complete the request process through IIS follow the steps below.

  1. Open the Internet Information Services (IIS) Manager console.

  2. Under the server name option select the option for Server Certificate

  3. Next use the option to Create Certificate Request.

  4.  From there add the details for the business and click next

  5. The next step details the type and bit length for the certificate request, please ensure that you select Microsoft RSA SChannel Cryptographic Provider and ensure that the Bit length is set to 2048 as shown below.

  6. As a final step you will need to specify a name and file location for the certificate request

  7. The next step is to contact your chosen SSL provider and provide them with the generated CSR file.
    Once this process has been completed they will provide you with another file in which you will need to load into the Complete Certificate Request wizard

  8. Load in the file that you received from your SSL provider, assign a friendly name (the name that it will show as on this machine) and set it to be saved in the Personal certificate store.

Once you have received the SSL certificate you will need to use the export wizard and then use the resulting pfx file.
To do this via IIS use the steps below.

  1. Open the Internet Information Services (IIS) Manager console.
  2. Under the server name option select the option for Server Certificate

  3. Right click on the previously imported certificate and select the Export option.

  4. Set where you would like to export the pfx file to and provide and confirm a password for the certificate, please be aware that this will need to be provided to the ClockOn support team in order to complete the setup.

Preparing the certificate for the Webportal

The next step is to generate the  to generate 3 files required for the Webportal.

  1. root.pem
  2. cert.pem
  3. key.pem

These files will need to be added to the root directroy of your ClockOn webportal folder.
The default location for this is C:\Program Files (x86)\ClockOn Services\Web Server.


After registering for your certificate you should be provided with two files one of them is the provider's root certificate, you will need to use their site to export this as the root.pem file.

If your provider has issued you the CACertificate-ROOT-2.txt file rename it to root.pem


The other essencial file that you will need is the cert.pem file, this two should have been provided by your SSL provider, like the root.pem file some providers issue the raw file for this this would likely be labelled ServerCertificate.cer or ServerCertificate.txt

If this was not provided in this fashion you can retrieve the cert file using the following methods.

Export method using XCA

  1. Open and login to the previously installed XCA software.

  2. Select the Certificates tab and click Import and load the SSL certificate file that you obtained previously from your provider.

  3. Highlight the certificate entry, then click Export.

  4. Change the Export Format to PEM all (*.pem) and adjust the filename to cert.pem

Export method through the use of IIS.

  1. Open the Microsoft Management Console (Start > Run > mmc.exe).
  2. User the File > Add/Remove Snap-in option

  3. Select Certificates from the list and click the Add 

  4. Select Computer account, then click Next
  5. Leave the settings as they are (set to manage the local computer), Click Finish to complete the finish adding the snap-in

  6. Click OK to close out of the Add/Remove Snap-ins form.

  7. Locate the certificate that you added previously to the machine, this will likely reside under the Certificates > Personal > Certificates section, once found Right Click on the certificate, expand All Tasks and select Export.
    The following screen will show, click Next to continue.

  8. Ensure that the option No, do not export the private key has been selected and click Next.

  9. Select the Base-64 encoded X.509 (.CER) option and click Next.

  10. Specify where you would like to save the exported file to, be sure to name it cert.

  11. Once exported change the file extension from .cer to .pem.


The final file that you will require is key.pem. To generate this you will need to export the private key that you used when creating the original certificate request.

Export method through the use of XCA

  1. Select the Private Keys tab, highlight the key and select Export

  2. Check that the Name is set to the domain name and set the export location for the file (ensuring that the file name itself is key.pem)

  3. Set the Export Format to use PEM private (*.pem).

  4. Click OK.

Export method through the use of OpenSSL

  1. If not already done download and Install OpenSSL.
    There are many different variants of OpenSSL, attached is a link to a tested version from Shining Light Productions.

  2. Open a command prompt session as an administrator navigate to the folder in which you previously saved pfx file, then run the following command.

    Set OPENSSL_CONF={local location of the openssl.cfg file the default is c:\openssl-win32\bin\openssl.cfg}
       openssl pkcs12 -in {certificatefilename.pfx} -nocerts -out key.pem

    Enter the previously generated password when prompted.

    Note that you will need to confirm the correct file names and locations were indicated below.

Once you have retrieved these files please contact ClockOn support for assistance with the remainder of the setup.