HomePowerBuilderAppeon Documentation Center

Use SSL certificate

To use the HTTPS protocol to access the PowerServer Web APIs, you must install an SSL certificate to the server:

  • In the production environment, a trusted CA signed certificate is recommended.

  • In the local development environment, a trusted CA signed certificate or a self-signed certificate can be installed.

    If you have no trusted CA signed certificate in the local development environment, you will be prompted to install a self-signed certificate (as shown in the figure below) when running PowerServer Web APIs directly from the SnapDevelop IDE.

If you have a trusted CA signed certificate and want the built-in Kestrel server to use it, you can go to PowerServer C# solution > ServerAPIs project > Program.cs and add the following scripts to load the certificate: 

            ...
            hostBuilder.ConfigurePowerServerHostDefaults(webBuilder =>
            {
                webBuilder.ConfigureKestrel(serversOptions =>
                {
                    serversOptions.AddServerHeader = false;
                    serversOptions.ConfigureEndpointDefaults(ListenOptions =>
                    {
                        ListenOptions.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http1AndHttp2;
                        ListenOptions.UseHttps("cacert.p12", "123456");
                    });
                });
                webBuilder.UseStartup<Startup>();
            });
            ...

A self-signed certificate should be used only in the local development environment, as it is not signed by a trusted CA but by its own private key. Thus it has some limitations:

  • The self-signed certificate only works for "localhost" but NOT for IP address or domain name. For example, https://localhost:5099 works, while https://172.16.0.145:5099 and https://example.com:5099 do not work.

    If you use IP address or domain name with a self-signed certificate (for example, https://172.16.0.145:5099), the end user will get "Session creation failed" error or "access token request fails" error especially where strict certificate validation is required (for example, when OAuth or JWT authentication is implemented). You can enable the Ignore PowerServer Certificate option to ignore the error (like version 2021). See the next section for details.

  • The self-signed certificate will be expired one year later after installation.

    You may not be prompted when the self-signed certificate gets expired and you may have to manually update or reinstall the expired certificate.


Prev  Up  Next
Support HTTPS  Home  Ignore PowerServer certificate errors