Secure Your Nodinite Installation with HTTPS/TLS
Protect your Nodinite installation with industry-standard HTTPS/TLS encryption. This guide provides clear, version-specific instructions to ensure your environment meets security and compliance requirements.
Quick Navigation
Choose your scenario:
- New 7.x Configure HTTPS Before v7 Installation - Recommended approach for new installations
- New 7.x Add TLS to Existing v7 Installation - Enable HTTPS on already-installed v7 environment
- Development Certificates - Self-signed certificates for testing
- TLS Troubleshooting - CRL/OCSP slowness and 401 loopback errors
Related hardening topics (separate guides):
- HTTP Security Headers - HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cache-Control
- Access Controls & Vendor Policy - Vendor access policy, Web API auth, SQL isolation, NDA requirements, contractor equipment
- Key Management, Backup & Data Residency - NIST key lifecycle, backup encryption, GDPR/regional compliance, media destruction
Tip
Upgrading from v6→v7? The TLS re-enabling process is documented in the Updating from v6 to v7 guide.
Warning
Using Nodinite v6? See the legacy How to perform hardening on your Nodinite v6 installation guide. v6 is deprecated - we strongly recommend upgrading to v7.
Understanding the HTTPS Architecture
When you enable HTTPS for Nodinite, several components work together to provide secure communication:
Windows AD or OAuth"] App[" Nodinite Services"] User -->|"1. Resolve DNS"| DNS DNS -->|"2. Return IP"| User User -->|"3. HTTPS Request
Port 443"| FW FW -->|"4. Forward"| IIS IIS -->|"5. Retrieve Cert"| Cert Cert -->|"6. Certificate
(matches DNS)"| IIS IIS -->|"7. TLS Handshake"| User User -->|"8. Encrypted Request"| IIS IIS -->|"9. Authenticate"| Auth Auth -->|"10. User Identity"| IIS IIS -->|"11. Process Request"| App App -->|"12. Response Data"| IIS IIS -->|"13. Encrypted Response"| User style User fill:#e1f5ff style DNS fill:#fff4e1 style FW fill:#ffe1e1 style IIS fill:#e1ffe1 style Cert fill:#f0e1ff style Auth fill:#ffe1f5 style App fill:#e1fff4
Diagram: HTTPS communication flow between user, DNS, firewall, IIS, certificate, authentication, and Nodinite services.
Key Components Explained
| Component | Role | Requirements |
|---|---|---|
| DNS Server | Resolves hostname to IP address | DNS A record: nodinite.yourdomain.com → 192.168.1.100 |
| SSL/TLS Certificate | Proves server identity, encrypts traffic | Must match DNS name (e.g., CN=nodinite.yourdomain.com) |
| Firewall | Controls network access | Allow inbound port 443 (HTTPS) |
| IIS Web Server | Hosts Nodinite applications | Certificate installed, HTTPS binding configured |
| Authentication | Verifies user identity | Windows Authentication (Active Directory) or OAuth 2.0/OIDC (Identity Provider) |
| Nodinite Services | Process requests securely | Web Client, Web API, Log API, Logging Service, Monitoring Service |
Important
The DNS name users type in their browser (e.g.,
nodinite.yourdomain.com) must exactly match the Common Name (CN) or Subject Alternative Name (SAN) on your SSL certificate. Mismatches cause browser security warnings.
Understanding the Difference: v7 vs v6
The approach to security has fundamentally changed between versions:
| Aspect | New 7.x Nodinite v7 | Nodinite v6 |
|---|---|---|
| When to Configure HTTPS | Before installation * Configure in Portal during setup | After installation * Manual IIS configuration required |
| Configuration Method | Automated through Portal Environment setup | Manual web.config and IIS configuration |
| OAuth 2.0 / OIDC Support | ✅ Supported (requires HTTPS) | ❌ Not supported |
| Certificate Management | Simplified * Configure once in Portal | Manual * Configure per service |
| Recommendation | Configure HTTPS from day one | Enable HTTPS as soon as possible |
Important
You should configure HTTPS/TLS BEFORE running the installation script. This is configured in the Nodinite Portal when registering your Environment.
If you didn't enable HTTPS during installation, follow the Add TLS to Existing v7 Installation steps to enable it now.
What You Need Before Starting
Before configuring HTTPS for Nodinite, ensure you have:
Certificate Requirements
- ✅ Valid SSL/TLS certificate from a trusted Certificate Authority (CA)
- For production: Commercial CA (DigiCert, Let's Encrypt, etc.)
- For development: Self-signed certificate (see Development Certificates)
- ✅ Certificate includes private key * Required for IIS binding
- ✅ Certificate matches your DNS name * Subject Alternative Name (SAN) or wildcard
- Avoid SHA-1 certificates * Use SHA-256 or higher (see Microsoft guidance)
Infrastructure Requirements
- ✅ Static IP address or DNS name for your IIS server
- ✅ Firewall rules allowing HTTPS traffic (port 443)
- ✅ Administrative access to IIS server and Nodinite Portal (v7)
- ✅ DNS record pointing to your Nodinite server
Common Certificate Sources
Option 1: Internal PKI (Most Common)
Use your organization's existing certificate infrastructure (Active Directory Certificate Services, internal PKI).
Option 2: Commercial Certificate Authority
Purchase from vendors like DigiCert, Sectigo, or GlobalSign.
Option 3: Free Certificates
- Let's Encrypt - Free, automated, renewable
- Certify SSL - Let's Encrypt GUI for IIS
Option 4: Development Only
Self-signed certificates (see Development Certificates)
Nodinite v7: Configure HTTPS Before Installation
The Modern Approach: With Nodinite v7, you configure HTTPS during environment registration in the Nodinite Portal. The installation script then applies these settings automatically.
Why Configure HTTPS Before Installation?
- ✅ Automated configuration * No manual web.config edits needed
- ✅ OAuth 2.0 / OIDC support * Required for modern authentication
- ✅ Consistent security * All services configured identically
- ✅ No reconfiguration * Avoid uninstalling/reinstalling later
- ✅ Immediate compliance * Production-ready from day one
Step-by-Step: Enable HTTPS in Nodinite v7
Step 1: Obtain and Install Your Certificate
Before configuring Nodinite, install your SSL/TLS certificate in IIS:
- Obtain certificate (see Certificate Requirements above)
- Install certificate in IIS:
- Open IIS Manager
- Select your server node
- Double-click "Server Certificates"
- Click "Import" (if you have a .pfx file) or "Complete Certificate Request"
- Note the certificate thumbprint (you'll need this for the Portal)
See Microsoft IIS Certificate Installation Guide
Step 2: Create DNS Record
Create a DNS A record pointing to your Nodinite server:
nodinite.yourdomain.com → 192.168.1.100
Step 3: Configure HTTPS in Nodinite Portal
- Log in to the Nodinite Portal
- Navigate to your Customer → Environments
- Click "Add Environment" or edit existing environment
- Navigate to the TLS tab
- Configure the following settings:
| Setting | Value | Description |
|---|---|---|
| Hostname / Server Name Indication (SNI) | nodinite.yourdomain.com |
The fully qualified domain name (FQDN) that will use this TLS certificate (e.g., nodinite.yourdomain.com). Must match certificate CN or SAN. |
| Certificate Thumbprint (TLS) | 9b27c9d1939b821bb... |
TLS certificate thumbprint for secure validation. Copy from IIS Server Certificates. |
Example of the TLS tab configuration in Nodinite Portal.
Important
If you plan to use OAuth 2.0 / OIDC authentication, you MUST enable TLS. See Install Nodinite v7 - OpenID for details.
Step 4: Complete Environment Setup and Install
- Complete the remaining environment configuration tabs (Database, Authentication, Agents)
- Save your environment configuration
- Download the installation package
- Run the PowerShell installation script
The script will automatically configure all Nodinite services with HTTPS bindings on port 443.
Step 5: Verify HTTPS is Working
After installation completes:
- Open browser and navigate to
https://nodinite.yourdomain.com - Verify the padlock icon appears in the address bar
- Check that HTTP redirects to HTTPS (try
http://nodinite.yourdomain.com)
New 7.x Nodinite v7: Add TLS to Existing HTTP Installation
Already installed Nodinite v7 with HTTP? You can add TLS/HTTPS security at any time by running uninstall and reinstall scripts. Your configuration, databases, and data are preserved - only the IIS bindings are updated. This process applies to:
- ✅ New v7 installations that were initially configured with HTTP
- ✅ Upgraded v6→v7 environments where TLS was disabled during migration
- ✅ Development environments being promoted to production
Tip
This is the same process used when re-enabling TLS after v6→v7 upgrade. The steps are identical regardless of when you decide to enable TLS.
Warning
What Changes After Enabling TLS:
- 🔄 All service URLs change from
http://tohttps://and port changes to 443 (or your custom HTTPS port)- 🔄 All agents installed locally on the IIS server will automatically use TLS endpoints
- 🔄 All web applications (Web Client, Web API, Log API) will use HTTPS bindings
- 📌 User bookmarks must be updated - share the new
https://URL with all users- 📌 External integrations must be updated - any systems calling Nodinite APIs need updated URLs
Prerequisites
Before enabling TLS:
- ✅ SSL/TLS certificate installed in IIS (see certificate installation instructions in the first scenario above)
- ✅ Certificate thumbprint copied from IIS
- ✅ DNS record configured and certificate allows it * Required for production. Your certificate must include the DNS name in CN or SAN. SNI (Server Name Indication) setting may be required depending on your IIS multi-site configuration.
- ✅ Access to Nodinite Portal with permission to edit your Environment
- ✅ Administrative access to the IIS server
- ✅ PowerShell 7 installed on the IIS server
Step-by-Step: Enable TLS on Existing v7 Installation
Step 1: Run Uninstall Script (Remove Old Bindings)
Important
You must run the old Uninstall script first to remove existing HTTP bindings. Do NOT use flags to remove setting files or databases. If you canot find it, download the ZIP again with old settings in the portal.
- Open PowerShell 7 with administrative privileges
- Navigate to the extracted folder
- Run the Uninstall script:
.\Nodinite7-%ENVIRONMENTNAME%-UnInstall.ps1
** ☠️ Do NOT include these flags: ☠️**
- ❌
-RemoveSettingFiles - ❌
-RemoveDatabases - ❌ Any other destructive flags
The script removes IIS bindings and Web Applications - it preserves all your data, configurations, and databases.
Verify Port Release
After the uninstall operation completes, verify that Windows has released the ports before proceeding with reinstallation:
Option 1: Check port status immediately
# Check for all Nodinite service ports (from Portal Allocated Ports)
# Default range: Web Client (443), Web API (40001-40002), Services (40003-40013)
netstat -ano|findstr ":443 :40001 :40002 :40003 :40004"
If any ports still show as LISTENING, note the Process ID (PID) in the rightmost column. You can wait for Windows to release them or manually stop the process if needed.
Note
The port numbers shown above are defaults. Check your Portal → Environment → Overview → Allocated Ports table for your actual port configuration. Common ports include:
- Web Client: 443 (HTTPS) or custom port
- Web API: 40001 (default)
- Log API: 40002 (default)
- Logging Service: 40003 (default)
- Monitoring Service: 40004 (default)
- Additional agent ports: 40005-40013 (Azure, Logic Apps, Database, File Folder, etc.)
Option 2: Wait for automatic release
Wait 2-3 minutes to allow Windows to fully release all allocated ports. This is the safest approach and prevents port binding conflicts during reinstallation.
Tip
If ports remain in use after several minutes, check for other applications (IIS sites, web servers) that might be using these ports.
Step 2: Update Environment Configuration in Portal
- Log in to the Nodinite Portal
- Navigate to your Customer → Environments
- Click Actions → Edit on your existing environment
- Navigate to the TLS tab
- Configure TLS settings:
| Setting | Value | Description |
|---|---|---|
| Hostname / Server Name Indication (SNI) | nodinite.yourdomain.com |
The fully qualified domain name (FQDN) that will use this TLS certificate (e.g., nodinite.yourdomain.com). Must match certificate CN or SAN. |
| Certificate Thumbprint (TLS) | 9b27c9d1939b821bb... |
TLS certificate thumbprint for secure validation. Copy from IIS Server Certificates. |
Example of the TLS tab configuration in Nodinite Portal.
Important
The thumbprint must match a certificate installed in IIS on the target server. To find your thumbprint:
- Open IIS Manager → Server Certificates
- Double-click your certificate
- Copy the thumbprint from the Details tab
Step 3: Update Web Client Port to 443
In the same Environment modal, navigate to the Basic tab
Change the Web Client port from your current HTTP port (e.g.,
40000) to 443Note
If you use a custom HTTPS port other than 443, enter that port instead.
Save the environment configuration
Step 4: Download Updated Installation Package
- After saving, close the Environment modal
- Click Actions → Download to download the updated installation package
- Extract the ZIP file to a temporary folder on your IIS server
- Unblock the files:
cd "C:\Path\To\Extracted Folder"
dir -r|unblock-file
Step 5: Run Install Script (Add HTTPS Bindings)
- In the same PowerShell 7 terminal (still with admin privileges)
- Run the Install script:
.\Nodinite7-%ENVIRONMENTNAME%-Installation.ps1
The script will:
- Create new IIS applications with HTTPS bindings on port 443
- Configure applications to use the certificate matching your thumbprint
- Set up proper authentication and security settings
Step 6: Verify HTTPS is Working
- Open a browser and navigate to
https://nodinite.yourdomain.com(or your configured hostname) - Verify the padlock icon appears in the address bar
- Confirm you can log in and access all Nodinite features
- Check that all services are running:
Tip
Experiencing slow page loads (CRL/OCSP revocation timeout) or 401 Unauthorized errors when accessing via the server's own hostname? See TLS Troubleshooting for diagnosis and solutions.
Step 7: Update Dependent Configurations
After enabling HTTPS, update any external systems or agents that connect to Nodinite. All configuration changes are made in the Nodinite Portal and automatically applied through the PowerShell installation scripts.
Update these endpoints:
- ✅ Alarm Plugins * Update webhook URLs to use
https:// - ✅ Pickup Log Events Service * Update Log API endpoint to use
https:// - ✅ Azure Logic Apps * Update webhook and API endpoints
- ✅ Monitoring Agents (if remote) * Update service endpoints
- ✅ End-user bookmarks * Share new HTTPS URL with users
- ✅ Firewall rules * Ensure port 443 is allowed (update from previous HTTP port if needed)
Note
If you use Non-Events Monitoring Agent, verify the Log View API URIs are still accessible via HTTPS.
Completion Checklist
Before considering the TLS migration complete:
- HTTPS works in browser (padlock visible)
- Can log in to Web Client via HTTPS
- All Core Services accessible via HTTPS
- Alarm plugins updated and tested
- Pickup Service updated and logging events
- End-users notified of new HTTPS URL
- Firewall rules updated (if needed)
- Old HTTP port closed/blocked (optional security hardening)
Development Certificates for Testing
For development and test environments needing HTTPS without a Certificate Authority, see the Development Certificates guide. It covers:
- Simple and production-quality
New-SelfSignedCertificatePowerShell scripts - Certificate storage in Personal Store vs Trusted Root Certification Authorities
- Manual trust configuration using Certificate Manager (
certlm.msc) or PowerShell - Certificate backup and recovery
Warning
Self-signed certificates are for development only. Do not use in production.
Next Steps
Related Topics
- Install Nodinite v7
- Post Installation Steps
- Updating from v6 to v7
- How to perform hardening on your Nodinite v6 installation (deprecated)
- Development Certificates
- TLS Troubleshooting
- HTTP Security Headers – HSTS, CSP, Permissions-Policy, Cache-Control
- Access Controls & Vendor Policy – Vendor zero-access, RBAC, NDA and 3rd-party data policy
- Key Management, Backup & Data Residency – NIST key lifecycle, backup encryption, GDPR compliance, media destruction
- Secret Management