Skip to main content

Enable Custom SSL Domain In OutSystems PaaS


Enable Custom SSL Domain In OutSystems PaaS

Starting with OutSystems Platform 9.1.301, your cloud environment is automatically rolled out with default valid SSL certificates with the domain. Additionally, it is possible to customize your environment hostname and respective SSL certificate yourself.

Custom SSL domain requirements

For users to access applications using HTTPS with your own domain, a valid certificate for that domain is required. To acquire a valid certificate, you must own the desired domain address (for example, www.acme.local):

  1. Create a CNAME Record for the domain address that points directly to the OutSystems Enterprise address your environment uses. An example is

  2. Obtain an SSL certificate from a Trusted Certificate Authority with the desired domain.

Note: When obtaining your certificate from your Certificate Authority, the supported formats are either PEM or PFX with a maximum private key size of 4096 bits. Contact your Certificate Authority if none of these formats is supplied.

Configuring a new domain certificate

To customize your environment domain:

  1. Navigate to the infrastructure management console at https://<yourlifetimeenvironment>/lifetime and go to the Environments tab.
  2. Select the environment you want to customize the HTTPS domain.

  3. Click Change in the Secure Endpoint section.

  1. Click Add a new Domain Certificate.

After fulfilling all the prerequisites presented in the first step of the wizard, the certificate can now be added in two formats: PEM and PFX.

Submitting a PEM certificate

A PEM certificate is commonly presented as a set of '.PEM' files (namely a certificate, a private key and a chain), that contain text. The following information is required for submitting a new PEM certificate:

  • Domain: The domain the certificate was signed for. Add '*.' for wildcard certificates. An example is *

  • Certificate Name: A unique name for the certificate at your choice.

  • Private Key: The certificate's private key. This was generated when the certificate was requested.

  • Public Certificate Key: The public certificate issued by the Certificate Authority.

  • Certificate Chain: The intermediate certificate trust chain. This is optional, however, if the Certificate Authorities isn't already trusted on all browsers by default, this is mandatory.

  • PEM Password: In case the private key is protected with a header such as "----- BEGIN ENCRYPTED PRIVATE KEY -----", the password must be entered.

Submitting a PFX certificate

The PFX certificate format is commonly used in the Windows operating system and is identified by a single '.PFX' container with all certificate information, including private key, public certificate and chain.

The following information is required when submitting a PFX certificate:

  • Domain: The domain the certificate was signed for. Add '*.' for wildcard certificates. An example is *

  • Certificate Name: A unique name for the certificate at your choice.

  • Certificate File: The PFX container.
  • PFX Password: The file is commonly protected with a password that is supplied by the Certificate Authority or your IT department.

Submitting a ZIP bundle

There is a third option that should be used only when you are unsure of what format you have. In this case, it is possible to submit a ZIP bundle (must be *.zip extension) with the files you currently have for manual validation.

Note: OutSystems will do the validation. This can take several days to complete.

The following information is required when submitting a bundle:

  • Domain: The domain the certificate was signed for. Add '*.' for wildcard certificates. An example is *

  • Certificate Name: A unique name for the certificate at your choice.

  • ZIP File: The ZIP file with all the information required. The file must have a *.zip extension.

  • ZIP Password: The password of the ZIP file, if there is one.

  • Notes: Additional helpful information, required passwords or both that can help OutSystems determine the submitted information.

Assigning a domain certificate

The certificate can now be assigned to an environment as follows, using the Apply Environment option when managing domain certificates or directly from the Environments dashboard as shown here.

  1. Select the environment and click Change in the Secure Endpoint section. 

  2. Select the desired certificate from the dropdown box and click Next.  


  3. Confirm that the CNAME record pointing to the OutSystems Enterprise address presented was created and define a hostname when a wildcard certificate is being configured.

After submission, the change request is expected to take approximately 5 minutes.

Assigning domain certificate to the infrastructure management console

Customizing the domain of the infrastructure management console environment is available. However, it is only available with a support ticket because it has direct impact on the user session.

Follow these steps:

  1. Submit the domain certificate successfully on another environment, as shown previously.
  2. Create a new support ticket. In this ticket, please indicate the certificate name you wish to apply to the management console environment as well as the url you have already configured.

  3. Wait for a confirmation that the domain has been correctly assigned.

NoteThis is a manual operation that is done by OutSystems and can take several days to complete.

Domain certificate renewal

When a certificate is about to expire, a warning appears for the environment as shown here:

It is possible at any point to renew an installed certificate using the procedure for configuring a new domain certificate and submitting it using Renew:

Infrastructure management console certificate renewal

Like the initial configuration of a custom infrastructure management console certificate, the renewal requires that a new certificate be already validated.

After that, a support ticket must be submitted requesting a renew of the management console certificate. Indicate that the infrastructure management console certificate needs to be renewed with the appropriate certificate.