Configuring SSL in mojoPortal

Summary

SSL encryption should be used to secure all content sent back and forth between the browser and the server.  To use SSL, you must have a certificate installed and configured on the server.  It is possible to generate your own SSL certificate or to obtain one from a trusted Certificate Authority.  Obtaining and installing an SSL certificate is beyond the scope of this document but there are plenty of resources on the web to help you with this.

If you have an SSL certificate installed and configured on your server, you should set the SSLIsAvailable setting in the user.config file to true. 

<add key="SSLIsAvailable" value="true" />

This key is what tells mojoPortal Content Management System that you have an SSL certificate installed and it will automatically cause the login, register and user profile pages to use and require SSL.  Additionally, you will now see an option on the Admin page to require all pages in the site to use SSL. If you check this box, SSL will be enforced on every page in the site.  If you leave the checkbox unchecked, you will see a setting on each page's page settings whether to require SSL for the page.  Thus, you have very granular control over which pages require encryption.

Notes

  • After mojoPortal 2.9, all pages will require SSL if SSLISAvailable is set to true. The setting in Site Settings will be visible and forced on.
  • If you enable this setting and there is no SSL certificate installed it will cause your site to be inaccessible, so do not enable this setting until you are sure you have installed and configured an SSL certificate.
  • If your mojoPortal installation is not a root site but is instead in a subfolder, to use SSL you will also need to add this to your user.config, otherwise it will redirect incorrectly when forcing SSL. 
    <add key="IsRunningInRootSite" value="false" />

Multi-Tenant Installations and SSL

If you have an installation of mojoPortal using Multi-Tenancy, there are some additional considerations for SSL. If you are using Folder Based Multi-Tenancy, all the sites will have the same domain name so the SSL certificate can work for all the sites, and no further configuration is needed.

If you are using Host Name Multi-Tenancy, the configuration will depend on whether the hostnames are all for the same domain like www.yourdomain.com, demo.yourdoamin.com, foo.yourdomain.com etc. In that case, if you have a wildcard SSL certificate for the domain then you can use the same SSL certificate for all sites and no further configuration is needed.

If your hostnames are all for different domains (like www.somedomain.com, www.someotherdomain.com, foo.somethirddomain.com) then it becomes more of a problem because only 1 SSL certificate can be bound to a given IP address on a given machine. So, if only one of the sites will use SSL you can enable it for a specific site based on the site id like this:

<add key="Site1-SSLIsAvailable" value="true" />

where 1 is the site id. This will enable SSL only on the site with Site ID 1. To add SSL for other sites you would need to configure additional IIS Web Sites with different IP addresses all pointing to the same installation files. Each IIS site would have a different IP address and a different SSL certificate bound to that IP address.

Created by Joe Audette on May 31, 2012
Last Modified by Joe Davis on Mar 16, 2023