
 

How to install an SSL Certificate for the OutSystems platform


The following instructions apply to on-premise or private cloud infrastructures only.

The OutSystems PaaS environments include valid SSL certificates, by default, with the outsystemsenterprise.com domain. Should you wish to customize your environment domain please refer to this article.

 

An SSL certificate binds a cryptographic key to an organization’s details. When such a certificate is installed in an application server, the HTTPS protocol is activated. This creates an encrypted channel between your web server and your visitor’s web browser, so that private information can be transmitted without being eavesdropped on or tampered with.

This article contains instructions on how to request and install a certificate in your application server so that your OutSystems applications can be used over secure connections via HTTPS. It applies to .NET/Windows stacks.

These instructions focus on the scenario in which your server is only accessible via the same name, even if over multiple IP addresses. If you need to have your server accessible via two (or more) different names (and IP addresses), that is, one for the internal and another for the external network, you must repeat these instructions for each name, or use a multi-domain certificate. In such scenarios, please contact the OutSystems Support for assistance.
 

To follow this document, you are expected to have a fair knowledge of administering a server (including using the command line) and of managing certificates.

Reach out to your Network, System or Infrastructure Administrator if you need help in following specific instructions in your infrastructure.

 

Creating a Certificate Signing Request (CSR)

Before installing a certificate on your server you need to issue a PKCS#10 Certificate Signing Request first, as described in this section. If you have your certificate already and only need to install it, skip this section and jump to Installing the Certificate.


  • You don’t need to create the CSR in the OutSystems server. You can create it on another computer and keep the .CSR file for later use.
  • You must run all commands as a user with Administrator privileges.

 

  1. On the Start menu, go to Windows Administrative Tools and click on Internet Information Services (IIS) Manager.
    If the IIS Manager application is not listed, open these instructions from Microsoft, or contact your system administrator for assistance in installing it;
  2. At the left side, click on the server name;
  3. At the main window, double-click the Server Certificates icon in the IIS section in the middle

    Figure01 - IIS Server Certificates buton.png
     
  4. At the Actions menu on the right side, click on Create Certificate Request...

    Figure 02 - Create Certificate Request.png


    The Request Certificate Wizard opens.

    Figure03 - Create Certificate wizard.png
     
  5. Enter the following information at Distinguished Name Properties:

    Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).
    Organization - The legally registered name of your organization/company;
    Organizational unit - The name of your department within the organization (frequently this entry is "IT," "Web Security," or left blank).
    City/locality - The city in which your organization is located.
    State/province - The state in which your organization is located.
    Country/region - The country in which your organization is located.
     
  6. Click Next.
  7. Enter the following information at Cryptographic Service Provider Properties:

    Cryptographic service provider - In the drop-down list, select Microsoft RSA SChannel..., unless you have a specific cryptographic provider.
    Bit length - In the drop-down list, select 2048 (or higher).

    Figure04 - Cryptographic Service Provider Properties.png
     
  8. Click Next
  9. In the File Name menu, click the button on the right side to browse to the location where you want to save the Certificate Signing Request (a text file). If you enter a filename without browsing to a location, your CSR is stored in your computer’s default folder (for example, Documents).
    • Remember the filename you choose and the location where you save it. You will need this file later when ordering a certificate from a Certification Authority.

      Figure05 - Certificate Request file name.png
       
  10. Click Finish
  11. Your Certificate Signing Request is complete. Keep the generated CSR file safe.
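
The wizard choices above (Distinguished Name fields, the Microsoft RSA SChannel provider, a 2048-bit key, a PKCS#10 request) can also be written as a request file for certreq.exe, which ships with Windows. This is an added example, not part of the original OutSystems instructions; the subject values, the SHA256 hash setting and the file names are placeholders or assumptions to adapt.

```powershell
# Added example: scripted equivalent of the IIS "Create Certificate Request" wizard.
# Subject values and file names are placeholders, not values from the article.
# Run from an elevated PowerShell session (the key is created in the machine store).
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.domain.com, OU=IT, O=Example Organization, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256
'@

$infPath = Join-Path $PWD 'server-csr.inf'
$csrPath = Join-Path $PWD 'server-csr.txt'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Remove a stale request file so certreq does not stop to ask about overwriting it.
Remove-Item -Path $csrPath -ErrorAction SilentlyContinue

# Generate the key pair and write the PKCS#10 request (Base64 text).
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and confirm the subject and key length before sending it to the CA.
certutil.exe -dump $csrPath | Select-String -Pattern 'CN=', 'Public Key Length'
```

Exportable = FALSE keeps the private key from being exported from the machine that generated it; set it to TRUE only if you need to move the key pair to another server later.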

 

Acquiring the SSL certificate

After you have created your Certificate Signing Request (the .txt file), you need to acquire the certificate before installing it in your application server.

There are two ways to obtain a certificate:

  • Contact a Certification Authority
  • Contact your company's Certification Authority, if there is one
     

Important Note:

OutSystems does not recommend using self-signed certificates for production systems with OutSystems 11.

Check the OutSystems System Requirements for more information about the supported configurations.

 

Installing the SSL certificate

 

Important Note:

  • Certificates have a chain composed of the following:
    • Root + Intermediate + Final server (domain) certificate

      Some Certificate Authorities issue the certificate with the complete chain, and others issue the final server (domain) certificate only, instructing the users to create the remaining parts of the chain.
      Before proceeding with the installation, check the integrity of your certificate, for example, using SSL Checker.

 

Once you have acquired your certificate, you need to install it in your application server. The following sections include instructions on how to do it, for each of the application servers supported by OutSystems. These instructions assume that you already have OutSystems installed. For instructions on how to install OutSystems, refer to Setting Up OutSystems.

Note:

You must run all commands as a user with Administrator privileges.

 

Importing the root and intermediate certificates

If your certification authority provided you with a root certificate and/or one or more intermediate certificates, you need to import them before installing your final server certificate. This ensures that you have a proper certification path that validates your server certificate. You will need to repeat these instructions for each intermediate certificate:

  1. Click the Windows Start button, type mmc, and press the Enter key to run the Microsoft Management Console.
  2. Click Yes to allow this app to make changes to your device.

    Figure6 - MMC permissions.png

    The Microsoft Management Console window opens.

    Figure07 - MMC console.png
     
  3. Go to File > Add/Remove Snap-in… 

    Figure08 - mmc add-remove snap-ins.png
     
  4. Select Certificates and click Add.
    The Certificate snap-in window opens.

    Figure09 - mmc Certificate snap-in window.png
  5. Select Computer Account and click Next >.
  6. Select Local Computer and click Finish.

    Figure10 - mmc local computer.png
     
  7. Click OK to close the add/remove snap-in window.
  8. Expand the Certificates (Local Computer) entry on the left side.

    Figure11 - mmc Certificates (Local Computer).png
     
  9. If you are installing a Root certificate:
    • Navigate to Trusted Root Certification Authorities, expand it, and select the Certificates entry.

    If you are installing an Intermediate certificate:
    • Navigate to Intermediate Certification Authorities, expand it, and select the Certificates entry.
  10. Right-click on Certificates, then select All Tasks > Import...

    Figure11a - mmc certificates all tasks import.png

    The Certificate Import Wizard opens.

    Figure12 - Certificates Import Wizard.png
     
  11. In the Certificate Import Wizard, click Next.
  12. In the File to Import section, browse the location of your root or intermediate certificate (for example, MyCA_Root_or_Intermediate.cer), select it, and click Next.

    Figure13 - mms certificates import wizard filename.png
     
  13. In the Certificate Store section, select the Place all certificates in the following store bullet.
    • If you are installing a Root certificate, choose the Trusted Root Certification Authorities certification store.
    • If you are installing an Intermediate certificate, choose the Intermediate Certification Authorities certification store.

    Figure14 - mms certificate import store.png
     
  14. Click Next.
    A screen shows an overview of the certificate you are importing.

    Figure15 - mmc certificate overview.png
     
  15. Click Finish to complete the Certificate Import Wizard.
  16. Repeat steps 13 to 15 to install the other certificate (intermediate, in case you installed the root, or vice-versa). You must have both certificates installed.

 

Importing the server (domain) certificate

After importing the root and intermediate certificates, you need to import the server certificate (final domain certificate). Perform the following actions to accomplish this:

  1. Click the Windows Start button, go to Windows Administrative Tools and open the Internet Information Services (IIS) Manager.
  2. Click on the server name on the left side.
  3. On the center, scroll down to the IIS section, and double-click the Server Certificates icon.

    Figure16 - iis server certificates button.png.png
     
  4. On the Actions menu on the right side, click on Complete Certificate Request...

    Figure17 - iis complete certificate request.png


    The Complete Certificate Request window opens.
     
  5. Click the button at the right side to browse the location where you keep the .cer certification file provided by your Certification Authority.
  6. Write a friendly name for the certificate (this is the name to use on future references).
  7. Select the Personal certificate store in the drop-down menu below, if asked. 

    Figure18 - iss specify certification authority personal.png
     
  8. Click OK. The installation of the certificate begins.
    Once the SSL Certificate is successfully installed to the server, you need to assign it to the appropriate website.
  9. At the Connections menu on the left side, select the name of the server on which you installed the certificate, and expand its tree.
  10. Expand the Sites element below and select the site to secure with SSL
  11. At the Actions menu on the right side, click on Bindings…

    Figure19 - iss default website bindings.png

    The Site Bindings window opens.

    Figure20 - iss site bindings.png
     
  12. In the Site Bindings window, click the Add… button.
    The Add Site Binding window opens.

    Figure21 - iis add site binding.png
     
  13. Fill out the following information:
    • In the Type drop-down menu choose https.

      Figure22 - iis site bindings type.png
     
    • Insert the IP address of the site or choose All Unassigned.
    • Insert the Port for SSL traffic: 443.
    • In the SSL Certificate drop-down menu, select the friendly name of the certificate that you installed in the previous steps.

      Figure23 - iis add site bindings ssl certificate.png
  14. Click OK.

    Figure24 - iis site bindings certificates lits.png
     
  15. Your SSL Certificate is now installed and the website is configured to accept secure connections. You may have to restart IIS or the server for it to recognize the new certificate.
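
The installation above can be checked from an elevated PowerShell session: the server certificate should have its private key, chain through the imported intermediate to a trusted root, and be referenced by an HTTPS binding. This is an added example, not part of the original OutSystems instructions; the friendly name is a placeholder for the one you entered in IIS.

```powershell
# Added example: post-install checks for the server certificate and its chain.
# $friendlyName is a placeholder for the friendly name entered in IIS.
$friendlyName = 'my-server-certificate'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate named '$friendlyName' in LocalMachine\My" }

# The binding needs the private key created with the CSR, a current validity
# period, and the key length chosen in the wizard (2048 bits or more).
if (-not $cert.HasPrivateKey) { Write-Warning 'No private key is associated with this certificate.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa -and $rsa.KeySize -lt 2048) { Write-Warning "RSA key is only $($rsa.KeySize) bits." }

# Build the chain from the local stores: server -> intermediate(s) -> root.
# Revocation checking is turned off, so this only tests that the chain
# builds to a trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject = $_.Certificate.Subject
        Issuer  = $_.Certificate.Issuer
        Status  = ($_.ChainElementStatus.Status -join ', ')
    }
} | Format-List
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}

# Show the HTTP.sys SSL bindings that reference this certificate's thumbprint.
netsh http show sslcert | Select-String -SimpleMatch -Pattern $cert.Thumbprint -Context 1, 0
```

An empty Status for every chain element and at least one matching binding line mean the chain and the site binding are in place; a PartialChain or UntrustedRoot warning points back to the root and intermediate import steps.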
     

 

Configuring applications to use HTTPS

Once you have installed the certificate, you are able to access your OutSystems applications using HTTPS.

If you want to force the redirection of all accesses from HTTP to HTTPS, use the following option:

  • Starting with OutSystems 10, you can control this behavior via LifeTime, either for the whole environment (which applies to all Web Applications in the environment) or for specific Web Applications. As before, you can also control it within Web Applications at Flow or Screen level.
     

Note:

HTTP requests are always secure in mobile apps (HTTPS), therefore this configuration does not apply to mobile scenarios.