Web Site and Web Application Certificates

This section provides background information for installing a website and Web application certificate. For related procedures, see the step-by-step section.

Installing a website and Web application certificate is a one-time procedure that you must complete before you launch a Desigo CC Windows App Client for the first time.

This procedure downloads a security certificate from the Desigo CC web page, which allows the browser to verify the signature when downloading the Windows App Client.

  • The website certificate is used by the website to prove its identity and to secure the communication between the web server (IIS) and the Windows App Client (see Install the Website Certificate).
  • The web application certificate is used for signing a web application on the Server and for verifying the signature on the Windows App Client (see Install the Web Application Certificate).

For information on naming conventions for web applications, see Naming Rules for Websites, Web Applications, Web Server, and Projects in WebSites.

Website and Web Application Certificate Stores

Depending on the type of certificate used for the website or web application, you must install the certificates in the appropriate Windows Certificate store on the system where you launch the Windows App Client. The required store can also depend on whether the web application contains a different certificate from that of its parent website.

The Windows Certificate stores described in the following table apply to SMC-created as well as commercial certificates.

| Certificate Used for | Certificate Type | Install in the Windows Certificate Store | Remarks |
|---|---|---|---|
| Website | Self-signed | Trusted Root Certification Authorities (TRCA) | You must import the self-signed certificate in the Trusted Root Certification Authorities (TRCA) Windows Certificate store. |
| Website | Host | | The host certificate is installed in Trusted Root Certification Authorities (TRCA). However, to work with Windows App clients, you must ensure the following: • If the host certificate was created with SMC, you must import the root certificate of the host certificate in the Trusted Root Certification Authorities Windows Certificate store. • If the certificate is a commercial certificate, then the Root Certification Authority and the Intermediate Certification Authority certificates are usually already available in the corresponding Windows Certificate stores. |
| Web Application | Self-signed | Trusted Root Certification Authorities (TRCA) and Trusted Publisher (TP) | • If the web application contains a different self-signed certificate than that of the parent website, then that parent website’s self-signed certificate must be added in the Trusted Root Certification Authorities (TRCA) store of the Windows Certificate store on the system where you launch Windows App Clients. |
| Web Application | Host | Trusted Publisher (TP) | • The root certificate of the web application host certificate must be added in the Trusted Root Certification Authorities (TRCA) of the Windows Certificate Store. • If the web application contains a different host certificate than that of the parent website, then its root certificate must be added in the Trusted Root Certification Authorities store of the Windows Certificate store on the system where you launch Windows App Clients. |

 

NOTICE

Validity of Self-Signed Certificates

Self-signed certificates allow local deployments without the overhead of obtaining commercial certificates. When using self-signed certificates, the owner of the Desigo CC system is responsible for maintaining their validity status, and for manually adding them to and removing them from the list of trusted certificates.

Self-signed certificates must only be used in accordance with local IT regulations (several CIO organizations do not allow them, and network scans will identify them). Importing the commercial certificates follows the same procedures.

You must ensure the compliant installation of the trusted material on the involved machines, for example, on all Installed Clients. In some organizations, this must be done by the IT organization.
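
The store requirements described above and the validity responsibility stated in this notice can be checked on a client machine with a read-only script. This is an added example, not part of the Desigo CC documentation or tooling; the function name Test-ClientCertTrust, its parameters, the exported .cer files, the 30-day warning threshold and the use of the LocalMachine stores are assumptions.

```powershell
# Added example (not Siemens code). Read-only: it reports and changes nothing.
# Assumptions: certificates were exported to .cer files, and the LocalMachine
# stores are used (pass -StoreRoot 'Cert:\CurrentUser' for per-user installs).
function Test-ClientCertTrust {
    param(
        [Parameter(Mandatory)][string]$CertPath,   # website or web application certificate
        [Parameter(Mandatory)][ValidateSet('Website', 'WebApplication')][string]$UsedFor,
        [string]$RootCertPath,                     # issuing root; needed for host certificates
        [string]$StoreRoot = 'Cert:\LocalMachine',
        [int]$WarnDays = 30                        # constructed threshold for the expiry warning
    )
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $cert = New-Object $type ((Resolve-Path -LiteralPath $CertPath).Path)
    # Heuristic: subject equals issuer means self-signed; otherwise treat as a host certificate.
    $selfSigned = $cert.Subject -eq $cert.Issuer

    $required = @()
    if ($selfSigned) {
        $required += @{ Cert = $cert; Store = 'Root' }               # TRCA
    } else {
        if (-not $RootCertPath) { throw 'Host certificate: supply -RootCertPath.' }
        $root = New-Object $type ((Resolve-Path -LiteralPath $RootCertPath).Path)
        $required += @{ Cert = $root; Store = 'Root' }               # root of the host certificate in TRCA
    }
    if ($UsedFor -eq 'WebApplication') {
        $required += @{ Cert = $cert; Store = 'TrustedPublisher' }   # TP
    }

    foreach ($r in $required) {
        $days = [math]::Floor(($r.Cert.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Subject    = $r.Cert.Subject
            Thumbprint = $r.Cert.Thumbprint
            Store      = $r.Store
            Installed  = Test-Path -LiteralPath "$StoreRoot\$($r.Store)\$($r.Cert.Thumbprint)"
            NotAfter   = $r.Cert.NotAfter
            Status     = if ($days -lt 0) { 'EXPIRED' } elseif ($days -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
        }
    }
}

# Hypothetical file names:
# Test-ClientCertTrust -CertPath .\webapp.cer -UsedFor WebApplication -RootCertPath .\root.cer | Format-Table
```

A row with Installed = False means the certificate is missing from the store the table requires; a Status of EXPIRED or EXPIRING marks a certificate the system owner must renew and re-install.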

 

Tips When Browsing the Website or Web Application URL
  • Run the consistency check on the web application on the Client/FEP SMC and see the log for troubleshooting.
  • If you change the website/web application certificate using SMC, then you must re-install the updated website/web application certificates in the appropriate Windows Certificate store on the system where you are launching the Windows App Clients.
  • If an SMC-created host certificate is used for signing the web application and the Internet Explorer browser is configured to check the publisher's certificate revocation, the Security Warning message may display, even after installing the certificate.
    • Add the website to the Trusted Sites zone from Tools > Internet Options > Security to resolve the issue.
    • Ignore the warning and click Install (for Windows App client).
  • When browsing for a web application, if you receive an error message, you can always check the log file located at [Installation drive]:\[Installation folder]\Websites\[Website name]\GMSWebSite\Log. This is the same path that you configure in Details expander during website creation or modification.
  • If you launch a Windows App Client using a web application URL linked to a stopped project or if no project is linked, the Windows App Client fails to connect. In the case of a stopped project, you must start the project and re-launch the Windows App Client using the web application. If no project is linked, you must edit the web application and link a project.
  • If you launch a Windows App client using a web application URL and cannot save an object (for example, a graphic) while working with the Windows App Client, or if you browse a website URL, you may need to repair the .NET Framework. Refer to repair the .NET Framework 4.0.30319 version at a command prompt.
  • Transferring files between Windows App clients and the web server (IIS) is a potential security risk. Communication between the Windows App clients and the Server (IIS) is restricted and only allows you to transfer file types that are supported by Desigo CC for each writable directory of the web server.
    File types that are not supported are not transferred, and IIS responds with an HTTP 404 error. Depending on the workflow, this error is reported to the operator at the client or is added to the log file on the Server. (See File transfer between Web Server (IIS) and Windows App Client)