We're updating some of our product names. K2 Five is now Nintex Automation. You may see both product names in our help pages while we make this change.

Certificate and Internet Requirements in K2

Carefully read this section to determine where and when you need K2 web sites and endpoints to be signed by a valid certificate and available on the internet.

Using a Certificate

K2 recommends using a certificate issued by a Certification Authority (CA) that is trusted by Windows, and that the same certificate is used for all K2 web sites and endpoints.

Keep in mind, however, that K2 generates and uses a self-signed certificate for web sites selected during installation that do not already have certificates.

Although you can use this self-signed certificate or a domain certificate, it is primarily for test scenarios. K2 highly recommends using a certificate issued by a trusted CA to avoid both browser and remote event receiver certificate errors.

SharePoint Online requires that the certificate associated with SharePoint remote event receiver endpoint in K2 (https://{K2WebSite}/SP15EventService/RemoteEventService.svc) be issued by a CA that is trusted by Windows.

Errors associated with SharePoint Online remote event receivers, including invalid certificates, may take up to 24 hours to appear in the SharePoint Online logs (if at all).

You must be aware of your requirements when choosing an SSL certificate. For example, a single wildcard certificate for *.domain.com, works for the following domains:

runtime.domain.com
designer.domain.com
apps.domain.com

However, because the wildcard certificate only covers one level of sub-domains, the following domains are not valid for the *.domain.com certificate:

data.runtime.domain.com
forms.designer.domain.com
app-123356.apps.domain.com

To avoid false-negative SSL warnings such as ERR_CERT_COMMON-NAME_INVALID in distributed or load-balanced environments, you may need to configure your certificates with Subject Alternate Names or use wildcard certificates. The specific configuration and certificates needed will depend on your environment’s configuration. Consult with your network security specialists to determine which certificates will be necessary in your environment.

General Certificate Information

Exposing K2 Sites on the Internet

The K2 web sites and SharePoint remote event receiver endpoints may need to be accessible on the internet depending on your scenario.

User Browser (Intranet Only): K2 web sites do not need to be internet-accessible when accessing those sites from within the company intranet or via VPN.
User Browser (Remote Access): K2 web sites do need to be internet-accessible when accessing these sites from outside the company intranet or VPN.
SharePoint Online Remote Event Receivers: The SharePoint remote event receiver endpoint in K2 (https://{K2WebSite}/SP15EventService/RemoteEventService.svc) must be internet-accessible when building event-based processes for SharePoint Online.

Scenario 1 (recommended as it is the most common)	Certificate Account: Local computer account Certificate Store: Personal
Scenario 2	Certificate Account: Local computer account Certificate Store: {something other than Personal}
Scenario 3	Certificate Account: User account Certificate Store: Personal
Scenario 4	Certificate Account: User account Certificate Store: {something other than Personal}

Certificate and Internet Requirements in K2

Using a Certificate

When are certificates required?

Generating Certificates

Installed Certificates

Storing Certificates

Using Certificates

Exposing K2 Sites on the Internet