This question has a lot to do with SSL and public key infrastructure (PKI). You can find a lot of information on that topic on the web, but I'll try to help you get started. I don't have a version of Intraweb that supports SSL so I could not compile the sample, but hopefully this will get you somewhere.
In order to get "green https" in Chrome a few things must be fulfilled. In simple terms, this means that the certificate presented by the server must be valid in terms of expiry date, it must have a supported crypto algorithm, the hostname must be the same hostname as the requester, or client, used, etc. This is far from a complete list, but you get the idea. In addition to this, the client must trust the certificate, either directly or through a hierarchy (hence the "infrastructure" in PKI). Browsers and operating systems come preloaded with authoritative certificate issuers that we are assumed to trust, often called CAs (Certificate Authorities). Since it is a hierarchy, there can be a path between who issued your certificate and who your browser trusts. For this reason, many clients need the server to provide a "certificate chain" that shows the path all the way to the highest CA. This is what the `Rootcertfile` is for.
If you want a server that is trusted by normal internet users, you need to get a certificate from a trusted authority. You can get simple free certificates from sites like "Let's Encrypt", but there are a few prerequisites that have to be fulfilled (for example having administrative authority over a domain), and there are also things like certificate renewal that need to be handled.
An easy way to get started is to create a self-signed certificate. This will give you the `cert.pem` and the `key.pem`. Since the certificate is "self-signed", you are your own root, so if you must have a `root.pem` I think you can use the `cert.pem` there as well. You don't have a hierarchy, and your certificate will not be trusted by anyone until you convince them otherwise.
I think that the `cipherlist` has to do with which ciphers the server supports. You can probably use the default as a start.
In order to make Chrome happy you need to import the self-signed certificate into the Trusted CA store on your client. You also need to make sure you can resolve the name(s) in the certificate. The easiest way is to add the name to the client's hosts file. This does not have to be the computer's actual hostname; you can use `whatever.you.want`.
This is a good thread regarding self-signed certificates. Since you want to get started quickly, I'll cover the basics here. I guess you are on Windows since you are running Delphi.
- Download and install OpenSSL. I used Win64OpenSSL_Light-1_1_0g.exe from Shining Light Productions.
- Create a text file called `req.cnf` with the contents below. This file is required because modern browsers require that the hostname is present in the SAN field.

```ini
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NA
ST = NA
L = lab
O = lab
OU = lab
CN = www.myintrawebserver.local   # <--- Replace with your name
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.myintrawebserver.local   # <--- Replace with your name
DNS.2 = myintrawebserver.local       # <--- Optional additional name(s)
```
- Go to a DOS prompt and run the following command (the backslash after "365" is just to make this easier to read; it won't work on Windows):

```
C:\home>\OpenSSL-Win64\bin\openssl req -x509 -sha256 -nodes -days 365 \
  -newkey rsa:4096 -keyout key.pem -out cert.pem -config req.cnf
```
  If everything works you'll get the files `cert.pem` and `key.pem` written in the current directory.

```
Generating a 4096 bit RSA private key
.......................................................................
...................................++
.......................................................................
.......................................................................
.......................................................................
......................................................++
writing new private key to 'key.pem'
-----
```
- Add the hostname to the `C:\Windows\System32\drivers\etc\hosts` file on the client computer. Remember that you need to edit the file as Administrator.
- Import the `cert.pem` into the truststore. This can be done via settings->advanced->certificates (or something like that). Add the certificate to the Trusted Root Authorities (I don't know the exact name, my computer has a non-English language).
- Run and access your application. Hopefully your browser is happy :-)
The `key.pem` is not password protected in this example. I don't know if the `OnGetPassword` has something to do with the key password or if it is a password that the user is expected to provide.
SSLShopper has some useful tools to check certificates. Try for example to paste the content of the `cert.pem` in the Certificate Decoder. Sample output below.

The certificate is divided into two parts, so to speak. The `cert.pem` is the public part, and the `key.pem` is the part that needs to be kept secret. The public part needs to be decoded by clients in order to determine whether they can trust it or not.
How2SSL also has some good information on SSL. Here you can read more about PEM files specifically. PEM is just one of the many file formats that help complicate the world of PKI ;-)
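As an added example (my own script, not code from the original answer and nothing to do with Intraweb itself), here is a POSIX shell version of the procedure above: it writes the same `req.cnf`, runs the same `openssl req -x509` command, and then performs with `openssl` the checks that correspond to what the browser does before showing green https: the hostname is in the SAN (not just the CN), the certificate chains to a trusted root (here: itself), it is not expired, and the unencrypted `key.pem` really belongs to `cert.pem`. Assumptions: an `openssl` binary on `PATH`, a 2048-bit key instead of 4096 only to keep generation quick, and `keyCertSign` added to `keyUsage`, because the OpenSSL 1.1.x verifier only treats a self-signed certificate as its own root when that bit is set (Chrome accepted the answer's certificate without it). The names are the constructed ones from the answer.

```shell
#!/bin/sh
# Added example, not part of the original answer. Generates a self-signed
# certificate with a SAN and checks the properties a browser relies on.
# Assumes "openssl" is on PATH.
set -eu

HOST="www.myintrawebserver.local"     # name from the answer; replace with your own
WORKDIR="${WORKDIR:-$(mktemp -d)}"    # req.cnf, key.pem and cert.pem go here

# Write req.cnf. '#' starts a comment in OpenSSL config files, so notes must
# not be left on a value line. keyCertSign is added to the answer's keyUsage
# so that OpenSSL 1.1.x accepts the certificate as its own root (assumption).
write_config() {
    cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NA
ST = NA
L = lab
O = lab
OU = lab
CN = $HOST
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
DNS.2 = myintrawebserver.local
EOF
}

# Same command as the answer (2048-bit key here for speed); -nodes leaves
# key.pem unencrypted, so no password callback is needed to load it.
make_cert() {
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -config "$WORKDIR/req.cnf" 2>/dev/null
}

# Browsers match the requested hostname against the SAN DNS entries, not the
# CN. Decode cert.pem (the public part) and look for an exact DNS entry.
san_has_host() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$1"
}

# Self-signed means cert.pem is its own root: with cert.pem as the CA file
# (the answer's root.pem) chain validation and the hostname check must pass.
verifies_as_own_root() {
    openssl verify -CAfile "$WORKDIR/cert.pem" -verify_hostname "$1" \
        "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Succeeds if the certificate is still valid $1 seconds from now.
not_expiring_within() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -checkend "$1" >/dev/null
}

# An unencrypted key loads with no password; an encrypted one would fail
# here because stdin is /dev/null and no password can be read.
key_is_unencrypted() {
    openssl pkey -in "$WORKDIR/key.pem" -noout </dev/null 2>/dev/null
}

# The public key embedded in cert.pem must be the one derived from key.pem.
cert_matches_key() {
    [ "$(openssl x509 -in "$WORKDIR/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORKDIR/key.pem" -pubout 2>/dev/null)" ]
}

demo() {
    write_config
    make_cert
    for h in "$HOST" myintrawebserver.local other.local; do
        if san_has_host "$h" && verifies_as_own_root "$h"; then
            echo "$h: in SAN and verifies with cert.pem as root"
        else
            echo "$h: would NOT be accepted for this certificate"
        fi
    done
    not_expiring_within 86400 && echo "cert.pem is valid for at least one more day"
    key_is_unencrypted && echo "key.pem is not password protected"
    cert_matches_key && echo "cert.pem and key.pem belong together"
}

demo
```

On Windows this runs as-is under Git Bash or WSL; with a plain DOS prompt, use the per-step commands from the answer instead. The `-verify_hostname` check is the closest command-line equivalent of what Chrome does after you have imported `cert.pem` into the trusted root store: a name that is not in the SAN (`other.local` above) fails even though the certificate itself is trusted.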