Certificates
1 Introduction
Certificates are used to authenticate users to apps. They can be used on both incoming and outgoing connections.
1.1 Incoming Connections
To connect to your Mendix Cloud application from the internet, Mendix provides a .mendixcloud.com or .mxapps.io domain. The certificate for this is managed by Mendix. If you want to set up your own domain name for a licensed app, you can configure custom domains.
In addition, you can restrict incoming traffic by requiring client certificates signed by a certificate authority of your choice. For more details on how to set this up, see How to Restrict Access for Incoming Requests.
1.2 Outgoing Connections
You may need to use certificates to set up connections from your Mendix Cloud application to third parties that require SSL/TLS. There are two possible scenarios for this:
- A third party may require authentication via certificates (client certificates)
- A third party may use a certificate that is signed by their own authority (certificate authorities)
2 Incoming – Certificates
Certificates for .mendixcloud.com and .mxapps.io are managed by Mendix and are automatically updated on a regular basis and without notice. This is part of Mendix’s regular operations and security posture.
Using certificates with a short validity limits the impact of misconfigured or compromised certificates, which can occasionally happen. The wider internet community has standardized on this approach for many years.
Pinning these certificates can interrupt your operations when Mendix updates them.
Pinning a certificate bypasses the built-in certificate chains of your operating system or JVM, and is widely considered a bad practice.
For situations where pinning is required, you can set up a custom domain where you are in full control of updating the certificate.
3 Outgoing – Client Certificates
For client certificates, only the Public-Key Cryptography Standard #12 (PKCS12) format is supported. Certificates are uploaded as a PKCS container that includes the following:
- X.509 certificate
- A private key
- (Optionally) a certificate chain
Virtually all certificate formats can be converted to the PKCS12 format. For more information, see the following:
If you use OpenSSL version 3.x on Windows and you get the error “Could not open certificate container. Wrong password or corrupted file. Please try again.”, use the latest patch release of version 1.x. You can download the release on OpenSSL for Windows.
Another option is to use OpenSSL from within the Windows Subsystem for Linux to generate the certificate. To set this up, use the instructions Install Linux on Windows with WSL.
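As an added example (not part of the Mendix documentation), the script below shows one way to bundle a certificate, private key and chain into a PKCS12 container with OpenSSL and to check that the password opens it and the key matches the certificate before you upload it. It generates a throwaway CA and client certificate so it runs offline; all file names, subject names and the password are constructed placeholders.

```bash
#!/bin/sh
# Added example: build a PKCS12 client-certificate container and check it
# before upload. Names, paths and the password are constructed placeholders.
# "pass:" arguments are visible in the process list; for real keys prefer
# the interactive prompt or a file: source.
set -eu

# Throwaway CA plus client key/certificate, so the example runs offline.
make_sample_pems() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
}

# Bundle X.509 certificate + private key + chain into one protected container.
make_p12() {  # $1 = working directory, $2 = container password
  openssl pkcs12 -export -in "$1/client.pem" -inkey "$1/client.key" \
    -certfile "$1/ca.pem" -name "example-client" \
    -passout "pass:$2" -out "$1/client.p12"
}

# Succeeds only if the password opens the container and the private key
# belongs to the client certificate; prints how many certificates it holds.
check_p12() {  # $1 = .p12 file, $2 = container password
  p12_certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE') || return 1
  p12_cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
    2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  # -nodes writes the key unencrypted, so it goes to a pipe and never to disk.
  p12_key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
    2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$p12_cert_pub" ] && [ "$p12_cert_pub" = "$p12_key_pub" ] || return 1
  echo "$p12_certs"
}

demo_dir=$(mktemp -d)
make_sample_pems "$demo_dir"
make_p12 "$demo_dir" 'constructed-password'
echo "certificates in container: $(check_p12 "$demo_dir/client.p12" 'constructed-password')"
rm -rf "$demo_dir"
```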
You can upload a PKCS12 file by following these steps:
- In the Developer Portal, go to the Deploy tab of your app’s Environments page. Click Details on the desired environment.
- Select the Network tab of an application environment.
- Below Outgoing Connections Certificates, click Add Client Certificate.
- Upload the client certificate as a PKCS12 (pfx) container.
- Enter the password to unlock the certificate container.
- If you are using a custom certificate when setting your Client certificate in your Call REST Service or Call Web Service action, set a Web Service Call Name and use it to pin the certificate by setting the call’s Client certificate identifier to the Web Service Call Name.
In the section Pin Client Certificate to Web Services, you can specify host names (for example, hello-there.com) or web service document names (for example, MyFirstModule.ConsumedWebService), indicating that this certificate should be used when contacting that host or calling that web service.
4 Outgoing – Certificate Authorities
Loading certificate authorities works much the same way, although they do not require authentication because they are public certificates.
To upload a certificate authority, follow these steps:
- In the Developer Portal, go to the Deploy tab of the Environments page, and click Details on the desired environment.
- Select the Network tab of an application environment.
- Below Outgoing Connections Certificates, click Add Authority.
- Upload a certificate authority in the PEM format.
If you run into any problems installing a client certificate or certificate authority, file a ticket with Mendix Support.