Certificates

Last modified: December 13, 2023

1 Introduction

Certificates are used to authenticate users to apps. They can be used on both incoming and outgoing connections.

1.1 Incoming Connections

To connect to your Mendix Cloud application from the internet, Mendix provides a .mendixcloud.com or .mxapps.io domain. The certificate for this is managed by Mendix. If you want to set up your own domain name for a licensed app, you can configure custom domains.

In addition, you can restrict incoming traffic by requiring client certificates signed by a certificate authority of your choice. For more details on how to set this up, see How to Restrict Access for Incoming Requests.

1.2 Outgoing Connections

You may need to use certificates to set up connections from your Mendix Cloud application to third parties that require SSL/TLS. There are two possible scenarios for this:

  • A third party may require authentication via certificates (client certificates)
  • A third party may use a certificate that is signed by their own authority (certificate authorities)

2 Incoming – Certificates

Certificates for .mendixcloud.com and .mxapps.io are managed by Mendix and are automatically updated on a regular basis and without notice. This is part of Mendix’s regular operations and security posture.

Using certificates with a short validity limits the impact of misconfigured or compromised certificates, which can occasionally happen. The wider internet community has standardized on this approach for many years.

For situations where pinning is required, you can set up a custom domain where you are in full control of updating the certificate.

3 Outgoing – Client Certificates

For client certificates, only the Public-Key Cryptography Standard #12 (PKCS12) format is supported. Certificates are uploaded as a PKCS container that includes the following:

  • X.509 certificate
  • A private key
  • (Optionally) a certificate chain

Virtually all certificate formats can be converted to the PKCS12 format. For more information, see the following:

You can upload a PKCS12 file by following these steps:

  1. In the Developer Portal, go to the Deploy tab of your app’s Environments page. Click Details ( ) on the desired environment.

  2. Select the Network tab of an application environment.

  3. Below Outgoing Connections Certificates, click Add Client Certificate.

  4. Upload the client certificate as a PKCS12 (pfx) container.

  5. Enter the password to unlock the certificate container.

  6. If you are using a custom certificate when setting your Client certificate in your Call REST Service or Call Web Service action, set a Web Service Call Name and use it to pin the certificate by setting the call’s Client certificate identifier to the Web Service Call Name.

In the section Pin Client Certificate to Web Services, you can specify host names (for example, hello-there.com) or web service document names (for example, MyFirstModule.ConsumedWebService), indicating that this certificate should be used when contacting that host or calling that web service.

4 Outgoing – Certificate Authorities

Loading certificate authorities works much the same way, although they do not require authentication because they are public certificates.

To upload a certificate authority, follow these steps:

  1. In the Developer Portal, go to the Deploy tab of the Environments page, and click Details ( ) on the desired environment.

  2. Select the Network tab of an application environment.

  3. Below Outgoing Connections Certificates, click Add Authority.

  4. Upload a certificate authority in the PEM format.

If you run into any problems installing a client certificate or certificate authority, file a ticket with Mendix Support.

5 Read More