1. Open MMC Console (Start -> Run -> mmc.exe)
2. File -> Add/Remove Snap-in;
3. Choose Certificates from the left column and click Add;
4. Choose Computer Account, click Next and click Finish. Close the dialog with Ok;
5. In the certificate list, right-click Personal and choose All Tasks -> Import
6. Follow the wizard to import the PFX certificate - you will be prompted for the password at some point;
7. This will import the certificates into Personal\Certificates.

1. Right-click on the certificates you just imported and access All Tasks -> Manage Private keys ...
2. Add users/groups NETWORK SERVICE and IIS_IUSRS (Windows 2008R2) or IIS_WPG (Windows 2003) with Full Control access. Click Apply and close the dialog.

1. Right-click the certificate and access All Tasks -> Export ...
2. In the export wizard choose not to export the private key and  pick either encoded binary X.509 (CER) or Base-64 encoded X.509 (CER). Save the file into a folder (use the same path - folder and filename - in all front-ends).

Folks, the response from Ricardo ALMOST got me what I need. Simply put, I am trying to setup a Certificate that is required in order for me to Consumer a given vendor SOAP web service.

<see attached screenshot>

HOWEVER, I can't figure out the "File Path" in the Service Center (Administration > Certificates) screen.

Not knowing a better way, I included the certificate (filename: MyCertNow.cer) in the Resources of my app in a folder called "stuff". In otherwords, the cert file would be at https://<userName>.outsystemscloud.com/MyApp/stuff/MyCertNow.cer

HOWEVER, the File Path does not take http paths but needs a physical hard-drive path.

I even thought maybe it it looking at my workstation path? Tried it no luck.

SO, where should I "store" the certificate file - is in the app Resources good - OR - am I supposed to store it elsewhere?

ALSO - how do I determine the PHYSICAL path on the server of a give Resource??

Thanks! 

Ricardo Silva wrote:

To increase the security of your Web Services or to access secure web services you might require / want to use Client Side Certificates in your Web Services or Web References. This post explains how that can be achieved in the Agile Platform and what are the requirements of this feature.


Requiring Client Side Certificates in my Web Services

On the WebService definition side, requiring a Client Side Certificate is a simple matter of declaring (in Service Studio) that the Web Service uses SSL With Client Certificates HTTP Security, like this:

             

With this, your Web Service methods will only be executed when called in an HTTPS connection where Client Certificates are provided by the caller. If you require further validation of whether the owner of the certificate has privileges to call a certain method, you can use the  ClientCertificateGetDetails and  ClientCertificateValue actions to access information from the certificate. These actions are system actions which you will need to import using Add/Remove references.

             



Calling a Web Service which requires Client Side Certificates

On the Web Reference side, if a Web Service you're calling within Service Studio requires a Client Side Certificate you'll need to import the web reference and configure in Service Center which certificate to send when calling this web reference.

You need to add the certificate in Service Center (Administration > Certificates) by providing a filesystem path to the file.

Please note that:

• The only kind of certificates that are valid for use in this functionality are X509 Certificates in DER encoding (therefore without a password).
• In a farm environment this file will need to be on the same path in ALL front-ends.

             

After having a certificate configured in Service Center you'll need to go to the eSpace's Web Services tab, click on the Web Reference and configure it to send this Client Certificate:


             

             
After this don't forget to publish the eSpace in order for the changes to take effect (we recommend you to delete this eSpace data from the share folder).

If you have any questions or would like to add information about this, feel free to reply to this post.

With best regards,
Ricardo Silva, Engineering Services

Hi all,

Meanwhile we are in version 10. Does this version bring any changes regarding the use of REST with client cerificate?

To be more explicit: currently I'm wondering how to consume a REST API using a user authentication with a PKI cerificate (to be fetched in the OS server's machine store).

Could we fully manage this using the platform's REST integration, so without using an extension?

If I understand well above's explanations, it was not possible at that time.

Best regards,

Olivier

This step-by-step still working ??? 

Because on my ServiceCenter don´t has the page "Certificate"

Yes, these instructions should still be valid.

Are you on the OutSystems Cloud offer? In this case it's possible your user doesn't have access to these configurations and you should open a support ticket to request client side certificates configuration.

Also, this functionality is not available in the Java stack.

I had recently a problem establishing a connection to a SOAP service with a certificate with a private key protected by a password.

After configuring the certificate in Service Center like is it explained by Ricardo Silva and with the inputs of Acácio Porta Nova I was still not able to establish a connection. I got always the message "The request was aborted: Could not create SSL/TLS secure channel." (the endpoint is called by https). 

The way to solve this was to publish the application containing the espace that calls the SOAP service through Service Center. If you publish the chain of modules manually through service studio, apparently it does not work. 

Is there any explanation for this behavior? The version used is 9.1.604.0.

Hope this information is helpful for someone trying to establish a web service connection with a client certificate!

Hello Ana,

I think that what you're describing is a somewhat known issue with the platform where the https with client certificates option is not immediately applied if the service already existed.

This has to do with our code generation being a bit lazy (so it's faster during development). This is why when you published in Service Center it worked (it doesn't have this laziness).

I hope I've been able to provide a high level overview of the problem (if you want me to get a tad more technical, I can). 

Is this available in the Personal Edition? I don't see the option in the Web Reference configuration page...

Hello Pedro,

As you can see from the topic, configuring client side certificates requires manual changes to the server. Therefore it is not available in the personal edition.

What if your certificate has a password? :)

Hi Niels,

Please check Acácio's comment regarding this matter.

Hi Niels,

In short: yes, you should be able to use a properly configured client side certificate in your extension. Since you can write .NET code in extensions you can write the same code as OutSystems does to obtain the certificate and all.

Since your question does not really pertain to the original discussion on this thread, if you would like to pursue its discussion through the forums, I would suggest you to create a new thread to avoid generating confusion.

However, I do think you should reach out to OutSystems Support in order to better troubleshoot what's happening on your cloud environment. I doubt people here will have the access to properly ascertain the state of your environment in order to adequately assist you.

Hi,

I'm still unclear on how we upload the CER file to the OutSystems cloud environment. And what PATH we should specify for this certificate?

Can someone give me some pointers on how this is done? Thanks!

In the OutSystems Cloud you simply open a support case and provide us with the certificate and we'll do all the filesystem manipulation for you.

Thank you for the guidance. It's nice to have that spelled out here when you search for Client SSL certificates.

Thanks to all. Nice Contribution.

It would be nice if someone make a compilation of it 

Thanks again

The last step is available on the new OutSystems Platforms? I can't find the page to select the certificate...

I got same problem with how to upload .pfx file to Outsystems cloud and I already opened two tickets and inform Outsystem support team to help me. it seems only one way to use .pfx !!? or Is there anyway else to upload it?

We are using Outsystems 11 and don't see the option to direct to a client certificate.

If you click on "EvoiDerdService" link should open configuration.

Then I get this screen, so no field for entering the certificate path

Have you created any certificate on this screen?

We did. See scrfreenshot.

This is what I was expecting.. Not sure if there's a bug on the version you have but it is worth confirming..

I made a support call at Outsystems

@Kees Blokker: I was wondering what the response of OutSystems to your support call was?

It could be due to user permissions. Does your IT user have the Administrator role?