
Step 5: Configure TLS

Configure TLS before you download the installation package when the Environment needs HTTPS. The Portal values in this step are consumed by the installer so IIS bindings and service URLs are generated correctly.

When TLS Is Required

Scenario | Requirement
OAuth 2.0 / OIDC | TLS is mandatory
Windows Authentication | TLS is strongly recommended

TLS Prerequisites

  • Valid certificate installed on the application server
  • DNS record pointing to the server
  • Thumbprint available for the certificate
  • Firewall rules allowing inbound HTTPS traffic

Warning

Critical edge case on shared IIS servers: if you install Nodinite fresh and reuse a certificate that is already used by other IIS web sites, existing HTTPS bindings can be removed by the installer when those other sites use an HTTPS binding without both a host name and SNI enabled.

If this precondition is not fixed, the outcome is typically deterministic: those HTTPS bindings are removed and existing APIs or applications can become unavailable.

[Figure: IIS HTTPS binding without host name and SNI enabled. Example of an IIS HTTPS binding configuration that is unsafe to keep when reusing the same certificate during a shared-server Nodinite install (empty host name and SNI not enabled).]

Required Mitigation on Shared IIS

Use one of the following mitigations before running the install script:

  • Update every non-Nodinite IIS site that uses the same certificate so each HTTPS binding has both a host name and SNI enabled.
  • Use a different certificate for Nodinite.
  • Install Nodinite on another machine where this shared-binding condition does not exist.

If the existing sites already have host name and SNI enabled on their HTTPS bindings, Nodinite can co-exist on the same IIS server.
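One way to check for this condition before running the install script, as an added example that is not part of the Nodinite tooling: a read-only audit listing every IIS HTTPS binding that uses the certificate you plan to reuse and flagging those with an empty host name or SNI disabled. It assumes an elevated PowerShell session on the IIS server with the WebAdministration module available; the script name in the comment is hypothetical and the thumbprint is supplied by you.

```powershell
# Audit-SharedCertBindings.ps1 (hypothetical name). Added example, read-only:
# it reports bindings and changes nothing in IIS.
param(
    # Thumbprint of the certificate you plan to enter on the TLS tab.
    [Parameter(Mandatory)][string]$Thumbprint
)

Import-Module WebAdministration   # ships with the IIS management tools

# Normalise the input: values copied from certificate dialogs often carry
# spaces or invisible characters.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$findings = foreach ($b in Get-WebBinding -Protocol https) {
    $hash = "$($b.certificateHash)".ToUpperInvariant()
    if ($hash -ne $wanted) { continue }   # different certificate

    # bindingInformation is "IP:port:hostname"; the host is the last field
    # and is empty when no host name is set.
    $hostName = ($b.bindingInformation -split ':')[-1]

    # sslFlags bit 1 means SNI. Accept a numeric or a named ("Sni") value.
    $flags = "$($b.sslFlags)"
    $sni = if ($flags -match '^\d+$') { ([int]$flags -band 1) -ne 0 } else { $flags -match '\bSni\b' }

    [pscustomobject]@{
        # ItemXPath looks like .../site[@name='Default Web Site' and @id='1']
        Site     = $b.ItemXPath -replace "^.*?@name='([^']*)'.*$", '$1'
        Binding  = $b.bindingInformation
        HostName = $hostName
        Sni      = $sni
        AtRisk   = (-not $hostName) -or (-not $sni)
    }
}

$findings | Format-Table -AutoSize

$atRisk = @($findings | Where-Object AtRisk)
if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) HTTPS binding(s) share this certificate without both a host name and SNI."
    exit 1   # non-zero exit so a pre-install check can stop here
}
Write-Output 'No at-risk HTTPS bindings found for this certificate.'
```

Any row with AtRisk set to True corresponds to a site that needs one of the mitigations above before the install script is run.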

[Figure: TLS Tab. Example of the TLS tab where the HTTPS host name and certificate thumbprint are configured.]

Portal Fields

Field | Example | Description
Host / Domain | nodinite.yourdomain.com | DNS name that must match the certificate
Certificate Thumbprint | 9b27c9d1939b821bb... | Thumbprint copied from the certificate store or IIS

Guidance

  • Configure TLS before the binaries are downloaded.
  • If you are using gMSA accounts, install the certificates in the LocalMachine store.
  • All web applications share the TLS settings.

For full certificate preparation and IIS hardening details, see "How to perform hardening".
