Pre-requisites:
-Administrative access to your Doc.It server and Mobile Gateway (Portal) server
-Access to your Certificate Authority (e.g. GoDaddy, DigiCert, etc.) for ordering/downloading new certificates
Overview:
Doc.It Portal 4.5 requires a minimum 2048-bit Multi-SAN/Multi-Domain or Wildcard SSL certificate from a trusted Certificate Authority. This certificate must be installed on both the Doc.It Server and the Mobile Gateway (Portal) server, in the Personal Store of the Local Machine Certificate Store. Once installed, it must then be bound in IIS on the relevant sites on both servers, as well as to the Doc.It Bridge service itself, via a .JSON config file.
This article goes through generating a Certificate Signing Request (CSR) to upload to your Certificate Authority when ordering or renewing the SSL certificate, installing the resulting certificate on both servers, and finally binding it to the sites in IIS and to the Bridge service via the JSON config.
Generating the CSR and completing the certificate
How you generate the CSR will vary depending on the type of certificate you need. Completing it will also differ slightly, but the fundamentals are the same: the CSR is sent to the Certificate Authority, and the CA responds with a matching certificate package that will be installed in the Local Machine Certificate Store.
A wildcard certificate secures any subdomain of [yourdomain.com] and has a Common Name (main domain name) in the form of *.yourdomain.com. You can generate this CSR in IIS. For steps on how to complete a wildcard certificate installation, click here.
A multi-SAN/Multi-Domain CSR is a little trickier to generate as the Windows tools are not as intuitive. For the two subdomains needed to secure the portal (typically portal.yourdomain.com and docitserver.yourdomain.com), you can use our Certificate Tool to generate the CSR. For steps on how to complete a Multi-SAN/Multi-Domain certificate installation, click here.
Installing the same Certificate on the Mobile Gateway (Portal) Server
To install the certificate you created on the Portal server, you must export a .pfx certificate containing the private key, copy it to the Portal Server and import it into the Personal Store of the Local Machine. If you've generated a multi-SAN/multi-domain certificate using Doc.It Certificate Tools, you already have the .pfx file ready. In that case you will be importing that file twice: once into the Personal Store of your Doc.It Server, and once in the same location on your Portal Server.
For instructions on how to import a .pfx certificate, click here.
For instructions on how to export a .pfx certificate, click here.
Binding the Certificates in IIS
Once the completed certificates are installed in the Personal Certificate Store of both the Doc.It and Portal servers, you can bind them to the sites in IIS. To bind a certificate to a website in IIS, select the site and click Bindings on the right panel. Select the HTTPS binding and click Edit. Select the new SSL certificate from the dropdown. You can also click View to inspect the properties and ensure they are correct. Click OK when done.
Required Bindings:
On the Doc.It server, select the Portal website, and bind your new certificate to the HTTPS binding.
On the Portal server, select the Mobile Gateway website, and bind your new certificate to the HTTPS binding.
Note: It is recommended that other HTTPS bindings on the server are removed if not in use, even if the website is stopped.
Binding the Certificate to the Bridge Service
You will need the thumbprint of your new certificate. You can obtain this on the certificate's Details tab. Copy this value.
On the Doc.It server open Notepad as administrator and within it, open the following file: C:\Doc.It Inc\DocIT Portal 4.5\Bridge\appsettings.Production.json
Paste the copied thumbprint in the SSlBindingThumbPrint property, overwriting the previous entry. Ensure nothing else is modified (do not overwrite a quotation mark). Save the file.
Now restart the Doc.It Bridge service from Services.msc. Optionally, run the command iisreset from an elevated command prompt on both servers.
The certificate installation is complete. Test your portal externally, including logging in and uploading a file. You should see no errors.
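To confirm the thumbprint step on the Doc.It server, the following added example (not Doc.It's own tooling) reads the configured value without modifying the file and checks the matching certificate in the Local Machine Personal store for a private key, the 2048-bit minimum, expiry and DNS names. The function name Test-BridgeCertificate is hypothetical, and the script assumes the SSlBindingThumbPrint property appears once as a quoted string value.

```powershell
# Added example; run in an elevated PowerShell session on the Doc.It server.
function Test-BridgeCertificate {
    param(
        # Path and property name as given in this article.
        [string]$ConfigPath = 'C:\Doc.It Inc\DocIT Portal 4.5\Bridge\appsettings.Production.json',
        [string]$Property   = 'SSlBindingThumbPrint'
    )

    # Read the value as text so the file is never rewritten or reformatted.
    $raw = Get-Content -LiteralPath $ConfigPath -Raw
    $pattern = '"' + [regex]::Escape($Property) + '"\s*:\s*"([^"]*)"'
    if ($raw -notmatch $pattern) {
        throw "Property $Property not found in $ConfigPath"
    }
    $configured = $Matches[1]

    # A thumbprint is hex digits only. Anything else (spaces, an invisible
    # character picked up when copying from the Details tab) is flagged.
    $clean = ($configured -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $hasStrayChars = ($clean.Length -ne $configured.Length)

    # Look the certificate up in the Personal store of the Local Machine.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My"
    }

    # RSA key size; $null here means the certificate does not use an RSA key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Thumbprint      = $clean
        StrayCharacters = $hasStrayChars
        HasPrivateKey   = $cert.HasPrivateKey
        KeySizeBits     = if ($rsa) { $rsa.KeySize } else { $null }
        MeetsMinimum    = [bool]($rsa -and $rsa.KeySize -ge 2048)
        NotAfter        = $cert.NotAfter
        Expired         = ($cert.NotAfter -lt (Get-Date))
        DnsNames        = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    }
}

Test-BridgeCertificate | Format-List
```

If StrayCharacters is True, re-enter the thumbprint in the JSON file using only the hex digits shown in the Thumbprint field of the output.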