Centralized Certificates
Introduction
This document describes how Mendix Admins can centrally manage SSL/TLS certificates for incoming connections using Certificate Management in Control Center.
Prerequisites
Before you proceed, ensure that:
- You are a Mendix Admin
- You have basic knowledge of DNS (Domain Name System)
- You have basic knowledge of SSL/TLS certificates:
  - What an SSL/TLS certificate is and what it is used for
  - What an intermediate certificate chain is and what it is used for
  - What an SSL/TLS private key is and what it is used for
  - What a certificate request is and what it is used for
- You have basic knowledge of certificate authorities (such as GeoTrust, Thawte, Verisign, RapidSSL, GoDaddy, Comodo)
Uploading a Certificate
To upload a certificate, you need to have the following things prepared:
- An SSL/TLS certificate that is self-signed or signed by a certificate authority
- An intermediate certificate chain provided by a certificate authority
- An SSL/TLS private key
To upload the certificate, follow these steps:
- Go to Certificate Management in Control Center.
- Click Upload Certificate.
- In the Upload Certificate wizard:
  - Review the information in General Info, then click Next.
  - In Upload, complete the following fields:
    - Description – A descriptive name for the certificate.
    - TLS Certificate – Add the signed certificate.
    - Intermediate Certificate Chain – Paste the chain provided by your certificate authority. While optional for modern browsers, this is required for programmatic access and service consumption (for example, OData services).
    - TLS Private Key – Paste the private key.
- Click Save to upload the certificate.
The SSL/TLS private key is stored securely in Mendix Cloud and is hidden after upload. It will not be available for download and cannot be retrieved by Mendix Support.
After the certificate is uploaded in Central Management, the certificate becomes visible to the Technical Contacts, who can then configure the custom domain at the application level. For details on how to do this, refer to Configuring a Custom Domain.
You can upload multiple certificates, but be sure to use clear descriptions so that each certificate is easy to identify.
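Because the private key is hidden after upload, it helps to confirm locally that the certificate, chain and key belong together before pasting them into the wizard. The script below is an added example, not part of the Mendix documentation or tooling. It assumes OpenSSL 1.1.0 or later, a CA-signed certificate, and hypothetical file names that each hold one pasted field in PEM format.

```shell
#!/bin/sh
# Pre-upload consistency checks for the three values pasted into the
# Upload Certificate wizard. File names are assumptions (one PEM file per field).

# Returns 0 if the private key belongs to the certificate (identical public keys).
key_matches_cert() {  # usage: key_matches_cert cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # -passin pass: keeps the check non-interactive; an unreadable key is a failure.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the certificate is still valid N days from now (default 30).
valid_for_days() {  # usage: valid_for_days cert.pem [days]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Returns 0 if the certificate verifies against a certificate in the pasted chain.
# -partial_chain accepts an intermediate as anchor; -no-CApath skips the system
# certificate directory so the pasted chain is what gets tested.
chain_issues_cert() {  # usage: chain_issues_cert cert.pem chain.pem
    openssl verify -no-CApath -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs all three checks and reports every failure, not just the first.
check_bundle() {  # usage: check_bundle cert.pem chain.pem key.pem
    rc=0
    key_matches_cert "$1" "$3" || { echo "FAIL: private key does not match certificate"; rc=1; }
    valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    chain_issues_cert "$1" "$2" || { echo "FAIL: chain does not contain the certificate's issuer"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: certificate, chain and key are consistent"; fi
    return "$rc"
}

# Run the checks only when called with the three files as arguments.
if [ "$#" -eq 3 ]; then
    check_bundle "$@"
fi
```

For a self-signed certificate there is no issuing chain, so only the key and expiry checks apply.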
Renewing a Certificate
Certificates expire and must be renewed before their expiry date. You can renew a centrally-managed certificate in one of the following ways:
- Upload a new certificate
- Update an existing certificate
- Replace an existing certificate
Method 1: Uploading a New Certificate
For an expiring or expired certificate, you can renew it by uploading a new certificate. For details, refer to Uploading a Certificate above.
After uploading, the Technical Contact can select the new certificate when configuring the custom domain.
Method 2: Updating an Existing Certificate
Follow these steps to update an existing certificate by editing it.
- Go to Certificate Management in Control Center.
- Click the More Options icon on the certificate of interest.
- Select Edit.
- Paste the new TLS Certificate.
- Paste the Intermediate Certificate Chain.
Method 3: Replacing an Existing Certificate
Replacing a certificate allows you to renew it without downtime.
- Follow the instructions in Uploading a Certificate above.
- On the certificate to replace, click the More Options icon.
- Click Replace.
- In the Replace Certificate wizard that opens:
  - Select the newly uploaded replacement certificate.
  - Click Replace.
All custom domains previously using the old certificate are automatically updated to use the new certificate.