The following instructions apply to self-managed infrastructures only.
The OutSystems Cloud environments include valid SSL certificates, by default, with the outsystemsenterprise.com domain. Should you wish to customize your environment domain please refer to this article.
An SSL certificate binds a cryptographic key to an organization’s details. When such a certificate is installed in an application server, the HTTPS protocol is activated. This creates an encrypted channel between your web server and your visitor’s web browser, allowing the transmission of private information without being eavesdropped or tampered.
This article contains instructions on how to request and install a certificate in your application server so that your OutSystems applications can be used over secure connections via HTTPS. It applies to .NET/Windows stacks.
These instructions focus on the scenario in which your server is only accessible via the same name, even if over multiple IP addresses. If you need to have your server accessible via two (or more) different names (and IP addresses), that is, one for the internal and another for the external network, you must repeat these instructions for each name, or use a multi-domain certificate.
It's expected that you have a fair knowledge of administering a server (including using the command line) and managing certificates, to follow this document.
Reach out to your network, system or infrastructure administrator if you need help in following specific instructions in your infrastructure.
Creating a Certificate Signing Request (CSR)
A typical step before requesting a new certificate or renew an existing one, is to generate a CSR to be provided to the Certificate Authority. If you need instructions on how to generate a CSR, refer to this article. If you already have a CSR, proceed to the next section.
Acquiring the SSL certificate
After you have created your Certificate Signing Request (the .txt file), you need to acquire the certificate before installing it in your application server.
There are two ways to obtain a certificate:
- Contact one Certification Authority
- Contact your company's Certification Authority, if there is one
Self-signed certificates shouldn't be used for production systems with OutSystems 11.
Check the OutSystems System Requirements for more information about the supported configurations.
Installing the SSL certificate
Important Note: Certificates have a chain comprised of the following: * Root + Intermediate + Final server (domain) certificate
Some Certificate Authorities issue the certificate with the complete chain, and others issue the final server (domain) certificate only, instructing the users to create the remaining parts of the chain. Before proceeding with the installation, check the integrity of your certificate, for example, using SSL Checker.
Once you have acquired your certificate, you need to install it in your application server. The following sections include instructions on how to do it, for each of the application servers supported by OutSystems. These instructions assume that you have OutSystems installed, already. For instructions on how to install OutSystems, refer to Setting Up OutSystems.
You must run all commands as a user with Administrator privileges.
Importing the root and intermediate certificates
If your certification authority provided you with a root certificate and/or one or more intermediate certificates, you need to import them before installing your final server certificate. This ensures that you have a proper certification path that validates your server certificate. You will need to repeat these instructions for each intermediate certificate:
- Click the Windows Start button, type mmc, and press the Enter key to run the Microsoft Management Console.
Click Yes to allow this app to make changes to your device.
The Microsoft Management Console window opens.
Go to File > Add/Remove Snap-in...
Select Certificates and click Add. The Certificate snap-in window opens.
Select Computer Account and click Next >.
Select Local Computer and click Finish.
Click OK to close the add/remove snap-in window.
Expand the Certificates (Local Computer) entry on the left side.
If you are installing a Root certificate, navigate to Trusted Root Certification Authorities, expand it, and select the Certificates entry.
Right-click on Certificates, then select All Tasks > Import...
The Certificate Import Wizard opens.
In the Certificate Import Wizard, click Next.
In the File to Import section, browse the location of your root or intermediate certificate (for example, MyCA_Root_or_Intermediate.cer), select it, and click Next.
In the Certificate Store section, select the Place all certificates in the following store bullet.
- If you are installing a Root certificate, choose the Trusted Root Certification Authorities certification store.
If you are installing an Intermediate certificate, choose the Intermediate Certification Authorities certification store.
Click Next. A screen shows an overview of the certificate you are importing.
Click Finish to complete the Certificate Import Wizard.
- Repeat steps 13 to 15 to install the other certificate (intermediate, in case you installed the root, or vice-versa). You must have both certificates installed.
Importing the server (domain) certificate
After importing the root and intermediate certificates, you need to import the server certificate (final domain certificate). Perform the following actions to accomplish this:
- Click the Windows Start button, go to Windows Administrative Tools and open the Internet Information Services (IIS) Manager.
- Click on the server name on the left side.
On the center, scroll down to the IIS section, and double-click the Server Certificates icon.
On the Actions menu on the right side, click on Complete Certificate Request...
The Complete Certificate Request window opens.
Click the ... button at the right side to browse the location where you keep the .cer certification file provided by your Certification Authority.
- Write a friendly name for the certificate (this is the name to use on future references).
Select the Personal certificate store in the drop-down menu below, if asked.
Click OK. The installation of the certificate begins. Once the SSL Certificate is successfully installed to the server, you need to assign it to the appropriate website.
- At the Connections menu on the left side, select the name of the server on which you installed the certificate, and expand its tree.
- Expand the Sites element below and select the site to secure with SSL.
At the Actions menu on the right side, click on Bindings...
The Site Bindings window opens.
In the Site Bindings window, click the Add... button. The Add Site Binding window opens.
Fill out the following information:
In the Type drop-down menu choose https.
Insert the IP address of the site or choose All Unassigned.
Insert the Port for SSL traffic: 443.
In the SSL Certificate drop-down menu, select the friendly name of the certificate that you installed in the previous steps.
Your SSL Certificate is now installed and the website configured to accept secure connections. You may have to restart the IIS or the server for it to recognize the new certificate.
Configuring applications to use HTTPS
Once you have installed the certificate, you are able to access your OutSystems applications using HTTPS.
If you want to force the redirection of all accesses from HTTP to HTTPS, perform the following action:
- Starting with OutSystems 10, you can control this behavior in the same way as before in Web Applications, that is, at Flow or Screen level, but also for the whole environment, which applies to all Web Applications in the environment, or for specific Web Applications. This is done via LifeTime.
HTTP requests are always secure in mobile apps (HTTPS), therefore this configuration does not apply to mobile scenarios.