From 67c803dc373b3d8e7d08fafe647ce6a028cb52dc Mon Sep 17 00:00:00 2001 From: Olufunke Moronfolu Date: Fri, 23 Jan 2026 13:49:02 +0100 Subject: [PATCH 1/2] Landscape SSL certs --- .../security/certificate-management.md | 61 ++++++ .../certificates/_index.md | 4 +- .../application-level-certificates.md | 182 +++++++++++++++++ .../certificates/central-certificates.md | 115 +++++++++++ .../mendix-cloud-deploy/custom-domains.md | 183 +++--------------- .../mendix-cloud-deploy/environments.md | 20 +- .../docs/releasenotes/control-center/2026.md | 6 + 7 files changed, 408 insertions(+), 163 deletions(-) create mode 100644 content/en/docs/control-center/security/certificate-management.md create mode 100644 content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md create mode 100644 content/en/docs/deployment/mendix-cloud-deploy/certificates/central-certificates.md diff --git a/content/en/docs/control-center/security/certificate-management.md b/content/en/docs/control-center/security/certificate-management.md new file mode 100644 index 00000000000..46150774455 --- /dev/null +++ b/content/en/docs/control-center/security/certificate-management.md 
@@ -0,0 +1,61 @@ +--- +title: "Certificate Management" +linktitle: "Certificate Management" +url: /control-center/certificate-management/ +description: "Describes the Certificate Management page in Mendix Control Center." +weight: 40 +--- + +## Introduction + +In Mendix Cloud, SSL/TLS certificates enable secure HTTPS communication for incoming connections to applications that use custom domains. + +The **Certificate Management** page provides Mendix Admins with a centralized view of all company-wide certificates. From this page, you can upload, replace, renew, and monitor certificates that can be reused across multiple applications and environments. + +After a certificate is added: + +* Technical Contacts can select it when [configuring custom domains](/developerportal/deploy/custom-domains/#Configuring) at the application level +* The certificate is shown as centrally managed in the [Custom Domains](/developerportal/deploy/environments/#custom-domains) tab of the environment’s **Cloud Settings** +* The same certificate can be reused across multiple applications and environments, provided the domain names are covered by the certificate + +## Certificate Summary + +The **Certificate Management** page displays a summary of all configured certificates, including: + +* Certificates currently in use +* Certificates not in use +* Expired certificates +* Certificates that are about to expire + +This overview helps you proactively manage certificate renewals and avoid service interruptions. + +## Certificate Details + +Each configured certificate is shown in a table with the following fields: + +* **Description** – A descriptive name for the certificate. Use clear and meaningful names to make certificates easy to identify. 
+* **Expiration date** – The date and time the certificate expires +* **Number of custom domains** – The number of custom domains currently using the certificate +* **Status** – The current state of the certificate: + * **Valid** – Currently valid and in use + * **Expires soon** – Certificate expiring soon + * **Expired** – Certificate has expired + * **Upcoming** – Certificate is not valid; the start date is in the future + + You can filter certificates by these statuses to identify certificates that require renewal or deletion. + +* **More options** – Actions available per certificate: + * **Edit** + * **Replace** + * **Details** + * **Delete** + {{% alert color="info" %}}You cannot delete a certificate that is currently in use. + {{% /alert %}} + +For detailed information about how Mendix Admins can use the **Certificate Management** page to upload, configure and manage centralized certificates, refer to [Managing Centralized Certificates](/developerportal/deploy/certificates/centralized-certificates/). + +## Read More + +* [Certificates](/developerportal/deploy/certificates/) +* [Application-Level Certificates](/developerportal/deploy/application-level-certificates/) +* [Custom Domains](/developerportal/deploy/custom-domains/) \ No newline at end of file diff --git a/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md b/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md index f6c0d5d7361..0972cfdeb15 100644 --- a/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md +++ b/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md 
@@ -11,7 +11,9 @@ aliases: ## Introduction -Certificates are used to authenticate users to apps. They can be used on both incoming and outgoing connections. +Certificates are used to authenticate users to apps and secure communication. In Mendix Cloud, certificates can be used for both incoming and outgoing connections. + +Incoming connection certificates can be managed either at the [application level](/developerportal/deploy/application-level-certificates/) by Technical Contacts, or centrally by Mendix Admins via [Certificate Management](/control-center/certificate-management/). Outgoing connection certificates are solely managed at the application level. {{% alert color="info" %}} Custom certificates cannot be configured for Free Apps. diff --git a/content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md b/content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md new file mode 100644 index 00000000000..bb9a7bfc4c0 --- /dev/null +++ b/content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md 
@@ -0,0 +1,182 @@ +--- +title: "Application-Level Certificates" +linktitle: "Application-Level Certificates" +url: /developerportal/deploy/application-level-certificates/ +weight: 80 +description: "Describe how Technical Contacts can configure and manage application-level (local) SSL/TLS certificates in Mendix Cloud." + +#To update these screenshots, you can log in with credentials detailed in How to Update Screenshots Using Team Apps. +#If moving or renaming this doc file, implement a temporary redirect and let the respective team know they should update the URL in the product. See Mapping to Products for more details. +#Linked from Mendix Portal > Environments > Cloud Settings > Custom Domains +--- + +## Introduction + +Mendix Cloud supports adding custom domains, such as `https://myapp.mycompany.com`, to your application environments. Each custom domain must be secured with an SSL/TLS certificate to enable HTTPS connections. + +This document describes how Technical Contacts can configure and manage application-level (local) certificates for their apps. + +{{% alert color="info" %}} +This page covers incoming connections for application-level certificates. For centrally-managed certificates, refer to [Centralized Certificates](/developerportal/deploy/certificates/centralized-certificates/). For outgoing connection certificates, refer to [Outgoing Certificates](/developerportal/deploy/certificates/#outgoing-client-certificates). +{{% /alert %}} + +This how-to explains how to do the following: + +* Generate a certificate request (CSR) +* Upload an application-level certificate to Mendix Cloud +* Renew an application-level certificate + +## Prerequisites + +Before starting this how-to, you need to have the following prerequisites: + +* Basic knowledge of DNS (Domain Name System) +* Basic knowledge of SSL/TLS certificates: + * What is an SSL/TLS certificate and what it is used for? + * What is an intermediate certificate chain and what it is used for? 
+ * What is an SSL/TLS private key and what it is used for? + * What is a certificate request and what it is used for? +* Basic knowledge of certificate authorities (such as GeoTrust, Thawte, Verisign, RapidSSL, GoDaddy, Comodo) + +{{% alert color="info" %}} +Custom certificates cannot be configured for Free Apps. +{{% /alert %}} + +## Managing Custom Domain Certificates in Mendix Cloud + +A Mendix application can have multiple certificates. To manage application-level certificates, follow these steps: + +1. From [Apps](https://sprintr.home.mendix.com), go to the **Environments** page of your app. +2. Click **Cloud Settings** ({{< icon name="settings-slider-1" >}}) from any of the [available tabs](/developerportal/deploy/environments/#available-tabs) to open the **Manage Cloud Settings** page. +3. Switch to the **Custom Domains** tab. + +If you already have a signed SSL/TLS certificate, skip to [Uploading Your Own Custom Domain Certificate](#Uploading) below. + +## Obtaining a New Signed Certificate + +If you do not have an SSL/TLS certificate, you can order one from a certificate authority (such as GeoTrust, Thawte, Verisign, RapidSSL, GoDaddy, or Comodo). To get a signed SSL/TLS certificate from a certificate authority, you need to provide a CSR. + +A private SSL/TLS key and a CSR tied to that key can be created in Mendix Cloud for you. + +### Generating a Certificate Request {#Generating} + +{{% alert color="info" %}} +When you generate a certificate request at the application level, the resulting certificate is managed locally and applies only to that application. Therefore, Mendix recommends that you do not use a wildcard (`*`) in the domain for which you are requesting a certificate. See [Can You Create a `*.mycompany.com` Wildcard Certificate?](#wildcard), below, for more information. +{{% /alert %}} + +To create a CSR and an RSA (Rivest–Shamir–Adleman) encryption key, follow these steps: + +1. Click **Request Certificate** in the **Custom Domains** tab. +2. 
In the **Request Certificate** wizard: + 1. Review the information in **General Info**, then click **Next**. + 2. Complete the required fields in **Generate**, then click **Next**. + 3. In **PEM Format**, an SSL/TLS private key and a certificate request are generated and displayed in PEM (Privacy-Enhanced Mail) format. + + {{< figure src="/attachments/deployment/mendix-cloud-deploy/custom-domains/pem-format.png" >}} + + {{% alert color="info" %}}The SSL/TLS private key will be hidden after you upload it. To keep the key secure, it will be stored in Mendix Cloud's secure keystore; it will not be available for download, and it cannot be obtained by Mendix Support.{{% /alert %}} + +Once the CSR is generated, its name appears in the table on the **Custom Domains** tab. In the **Certificate Description** column, the name you provided during creation is followed by **Pending Customer Feedback** until the CSR is signed. The **Local/Central** column indicates whether the certificate is managed locally at the application level or centrally; in this case, it will display **Local**. + +You can now go to your certificate authority to get a signed SSL/TLS certificate. + +### Uploading a Signed Certificate{#Upload} + +Once you have a signed SSL/TLS certificate, you can upload it at the application-level by following these steps: + +1. Switch to the **Custom Domains** tab. + +2. Click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon on the CSR of interest. + +3. Select **Details**. + +4. Click **Upload Signed Certificate**. + +5. Add a **Description** of your certificate. + +6. Paste the signed **TLS Certificate** (in PEM format). + +7. Paste an **Intermediate Certificate Chain**. While optional for modern browsers, it is mandatory for programmatic access and service consumption (like [OData services](/refguide/consumed-odata-services/)). The intermediate certificate chain is provided by your certificate authority. 
+ + {{< figure src="/attachments/deployment/mendix-cloud-deploy/custom-domains/signed-certificate.png" width=80% class="no-border" >}} + +8. Click **Save** to complete the process. + +{{% alert color="warning" %}} +The intermediate certificates of the main certificate authorities are included in the built-in CA databases of modern browsers. Therefore, you do not need to include an intermediate certificate to serve your website through SSL/TLS for users with modern browsers. + +However, intermediate certificate chains are mandatory for programmatic access and [service consumption](https://www.mendix.com/evaluation-guide/app-lifecycle/develop/integration/service-exposure/), and missing intermediate certificates will cause service consumption failures even when browser access works normally. Tools such as curl, programming languages, and operating systems do not automatically resolve missing intermediate certificates. + +You cannot predict how your users will attempt to connect to your website, and not including an intermediate certificate may result in connection issues for some users. To this end, Mendix recommends always including the intermediate certificate chain to ensure reliable connectivity for all use cases. +{{% /alert %}} + +You can now configure your custom domain. See [Configuring a Custom Domain](/developerportal/deploy/custom-domains/#Configuring). + +{{% alert color="info" %}} +After uploading, always verify your certificate using an SSL checker to identify any missing intermediate certificates before they cause service disruptions. 
+{{% /alert %}} + +## Uploading Your Own Custom Domain Certificate{#Uploading} + +To upload an application-level custom domain certificate, you need to have the following prepared: + +* An SSL/TLS certificate that is self-signed or signed by your certificate authority +* An intermediate certificate chain provided by your certificate authority +* An SSL/TLS private key + +To upload the custom domain certificate, follow these steps: + +1. Click **Upload Certificate** in the **Custom Domains** tab. +2. In the **Upload Certificate** wizard: + 1. Review the information in **General Info**, then click **Next**. + 2. Complete the required fields in **Upload**: + * Add a **Description** for the certificate. + * Paste the signed **TLS Certificate**. + * Paste an **Intermediate Certificate Chain**. While optional for modern browsers, it is mandatory for programmatic access and service consumption (like [OData services](/refguide/consumed-odata-services/)). The intermediate certificate chain is provided by your certificate authority. + * Paste the **TLS Private Key**. + +3. Click **Save** to upload your new custom domain certificate to Mendix Cloud automatically. + + {{% alert color="info" %}}The SSL/TLS private key will be hidden after you upload it. To keep the key secure, it will be stored in Mendix Cloud's secure keystore; it will not be available for download, and it cannot be obtained by Mendix Support.{{% /alert %}} + +Once the certificate is uploaded, you can configure your custom domain. For instructions, refer to [Configuring a Custom Domain](/developerportal/deploy/custom-domains/#Configuring). + +You can add as many certificates as you need. Each certificate will be listed with the description you gave it. Make sure to give them meaningful names so that you can identify them easily. + +## Renewing a Custom Domain Certificate{#method-2-renewing-by-updating-an-existing-custom-domain-certificate} + +Custom domain certificates have an expiry date. 
There are two methods for renewing an application-level custom domain certificate that is about to expire: + +* Create a new custom domain certificate (recommended) + +* Update an existing custom domain certificate + +### Method 1: Creating a New Custom Domain Certificate (Recommended) + +You can handle an expiring domain certificate by replacing it with a new one. You can do this in one of two ways: + +* Generate a new certificate request (for more information, see [Generating a Certificate Request for Your Custom Domain](#Generating)) + +* Upload a new custom domain certificate (for more information, see [Uploading Your Own Custom Domain Certificate](#Uploading)) + +You can now select the new certificate for your custom domain (for more information, see [Configuring a Custom Domain](/developerportal/deploy/custom-domains/#Configuring)). + +{{% alert color="info" %}} +If you are rotating a certificate, you do not need to remove the current domain configuration when replacing the certificate. Selecting a new certificate for an existing domain will reconfigure the existing domain with the selected certificate. +{{% /alert %}} + +### Method 2: Renewing by Updating an Existing Custom Domain Certificate + +You can do this by editing an existing application-level custom domain certificate. To update an existing custom domain certificate, follow these steps: + +1. Click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon on the CSR of interest. +2. Select **Edit**. +3. Paste the signed **TLS Certificate**. +4. Paste an **Intermediate Certificate Chain**. While optional for modern browsers, it is mandatory for programmatic access and service consumption (like [OData services](/refguide/consumed-odata-services/)). The intermediate certificate chain is provided by your certificate authority. 
+ +{{% alert color="warning" %}} +To edit an existing custom domain certificate, you need the following: + +* access to the certificate request that you created for the current certificate +* [transport rights](/developerportal/deploy/node-permissions/#transport-rights) for all environments of the application +{{% /alert %}} \ No newline at end of file diff --git a/content/en/docs/deployment/mendix-cloud-deploy/certificates/central-certificates.md b/content/en/docs/deployment/mendix-cloud-deploy/certificates/central-certificates.md new file mode 100644 index 00000000000..7445b4a5ac2 --- /dev/null +++ b/content/en/docs/deployment/mendix-cloud-deploy/certificates/central-certificates.md 
@@ -0,0 +1,115 @@ +--- +title: "Centralized Certificates" +linktitle: "Centralized Certificates" +url: /developerportal/deploy/certificates/centralized-certificates/ +description: "Learn how Mendix Admins centrally manage SSL/TLS certificates for custom domains in Mendix Control Center, including uploading, renewing, replacing, and monitoring certificate status." +weight: 40 +--- + +## Introduction + +This document describes how Mendix Admins can centrally manage SSL/TLS certificates for [incoming connections](/developerportal/deploy/certificates/#incoming-connections) using [Certificate Management](/control-center/certificate-management/) in Control Center. + +{{% alert color="info" %}} +This page covers incoming connections for centrally-managed certificates. For application-level certificates, refer to [Application-Level Certificates](/developerportal/deploy/application-level-certificates/). For outgoing connection certificates, refer to [Outgoing Certificates](/developerportal/deploy/certificates/#outgoing-client-certificates). +{{% /alert %}} + +## Prerequisites + +Before you proceed, ensure that: + +* You are a [Mendix Admin](/control-center/mendix-admins-page/) +* Basic knowledge of DNS (Domain Name System) +* Basic knowledge of SSL/TLS certificates: + * What is an SSL/TLS certificate and what it is used for? + * What is an intermediate certificate chain and what it is used for? + * What is an SSL/TLS private key and what it is used for? + * What is a certificate request and what it is used for? +* Basic knowledge of certificate authorities (such as GeoTrust, Thawte, Verisign, RapidSSL, GoDaddy, Comodo) + +{{% alert color="info" %}} +Custom certificates cannot be configured for Free Apps. 
+{{% /alert %}} + +## Uploading a Certificate{#uploading-central-certificate} + +To upload a certificate, you need to have the following things prepared: + +* An SSL/TLS certificate that is self-signed or signed by a certificate authority +* An intermediate certificate chain provided by a certificate authority +* An SSL/TLS private key + +To upload the certificate, follow these steps: + +1. Go to **Certificate Management** in [Control Center](https://controlcenter.mendix.com/p/admin/apps). +2. Click **Upload Certificate.** +3. In the **Upload Certificate** wizard: + 1. Review the information in **General Info**, then click **Next**. + 2. In **Upload**, complete the following fields: + * **Description** – A descriptive name for the certificate. + * **TLS Certificate** – Add the signed certificate. + * **Intermediate Certificate Chain** – Paste the chain provided by your certificate authority. While optional for modern browsers, this is required for programmatic access and service consumption (for example, [OData services](/refguide/consumed-odata-services/)). + * **TLS Private Key** – Paste the private key. + +4. Click **Save** to upload the certificate. + + {{% alert color="info" %}} The SSL/TLS private key is stored securely in Mendix Cloud and is hidden after upload. It will not be available for download and cannot be retrieved by Mendix Support. {{% /alert %}} + +After the certificate is uploaded in **Central Management**, the certificate becomes visible to the Technical Contacts, who can then configure the custom domain at the application level. For details on how to do this, refer to [Configuring a Custom Domain](/developerportal/deploy/custom-domains/#Configuring). + +You can upload multiple certificates but be sure to use clear descriptions to easily identify each certificate. 
+ +{{% alert color="info" %}} +After uploading, always verify your certificate using an SSL checker to identify any missing intermediate certificates before they cause service disruptions. +{{% /alert %}} + +## Renewing a Certificate{#renewing-central-certificate} + +Certificates expire and must be renewed before they expire. You can renew a centrally-managed certificate in one of the following ways: + +* Upload a new certificate +* Update an existing certificate +* Replace an existing certificate + +### Method 1: Uploading a New Certificate{#uploading-new-central-certificate} + +For an expiring or expired certificate, you can renew it by uploading a new certificate. For details, refer to [Uploading a Certificate](#uploading-central-certificate) above. + +After uploading, the Technical Contact can select the new certificate when [configuring the custom domain](/developerportal/deploy/custom-domains/#Configuring). + +{{% alert color="info" %}} +If you are rotating a certificate, you do not need to remove the current domain configuration when replacing the certificate. Selecting a new certificate for an existing domain will reconfigure the existing domain with the selected certificate. +{{% /alert %}} + +### Method 2: Updating an Existing Certificate{#updating-existing-central-certificate} + +Follow these steps to update an existing certificate by editing it. + +1. Go to **Certificate Management** in [Control Center](https://controlcenter.mendix.com/p/admin/apps). +2. Click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon on the certificate of interest. +3. Select **Edit**. +4. Paste the new **TLS Certificate**. +5. Paste the **Intermediate Certificate Chain**. + +### Method 3: Replacing an Existing Certificate{#replacing-existing-central-certificate} + +Replacing a certificate allows you to renew it without downtime. + +1. Follow the instructions in [Uploading a Certificate](#uploading-central-certificate) above. +2. 
On the certificate to replace, click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon. +3. Click **Replace**. +4. In the **Replace Certificate** wizard that opens: + 1. Select the newly uploaded replacement certificate. + 2. Click **Replace**. + +All custom domains previously using the old certificate are automatically updated to use the new certificate. + +{{% alert color="info" %}} +The replacement certificate must have the same common name as the certificate it replaces. +{{% /alert %}} + +## Read More + +* [Certificates](/developerportal/deploy/certificates/) +* [Certificate Management](/control-center/certificate-management/) +* [Custom Domains](/developerportal/deploy/custom-domains/) \ No newline at end of file diff --git a/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md b/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md index 77fe5c6be57..fbe87e1c636 100644 --- a/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md +++ b/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md @@ -2,7 +2,7 @@ title: "Custom Domains" url: /developerportal/deploy/custom-domains/ weight: 80 -description: "How to configure custom domains as well as generate, upload, and renew certificates in Mendix." +description: "How Technical Contacts configure custom domains in Mendix Cloud." aliases: - /mendixcloud/custom-domains.html - /howtogeneral/mendixcloud/custom-domains.html 
@@ -15,17 +15,8 @@ aliases: ## Introduction -Mendix Cloud supports adding custom domains such as `https://myapp.mycompany.com/` to your environments. Because Mendix Cloud only allows HTTPS connections, you have to provide a custom domain certificate (an SSL/TLS certificate). This how-to walks through the process. - -{{% alert color="info" %}}This page describes certificates for incoming connections. For information on setting up certificates for outgoing connections, see [Certificates](/developerportal/deploy/certificates/). -{{% /alert %}} - -This how-to explains how to do the following: - -* Generate a certificate request for your custom domain -* Upload a custom domain certificate to Mendix Cloud -* Renew a custom domain certificate -* Configure a custom domain for your environment +Mendix Cloud supports adding custom domains, such as `https://myapp.mycompany.com`, to your application environments. +This document describes how Technical Contacts can configure custom domains for applications on Mendix Cloud. ## Prerequisites 
@@ -34,13 +25,8 @@ This how-to explains how to do the following: Before starting this how-to, you need to have the following prerequisites: * Basic knowledge of DNS (Domain Name System) -* Basic knowledge of SSL/TLS certificates: - * What is an SSL/TLS certificate and what it is used for? - * What is an intermediate certificate chain and what it is used for? - * What is an SSL/TLS private key and what it is used for? - * What is a certificate request and what it is used for? -* Basic knowledge of certificate authorities (such as GeoTrust, Thawte, Verisign, RapidSSL, GoDaddy, Comodo) -* A licensed node that you have [transport rights](/developerportal/deploy/node-permissions/#transport-rights) to +* A licensed node for which you have [transport rights](/developerportal/deploy/node-permissions/#transport-rights) +* A certificate must have been uploaded either at the [application level](/developerportal/deploy/application-level-certificates/) by the Technical Contact or [centrally](/developerportal/deploy/certificates/centralized-certificates/) by the Mendix Admin. {{% alert color="info" %}} Custom domains can be added only to licensed apps. You cannot add custom domains to Free Apps. @@ -62,9 +48,7 @@ It is not possible to create a CNAME record for an apex/naked domain (meaning, a ## Managing Custom Domains in Mendix Cloud -Custom domain certificates (or just "certificates") are managed at the application level; in contrast, custom domains are managed per environment. - -You can have more than one certificate for an application. For example, when your certificate expires, you can upload a new certificate next to your old certificate. +While custom domain certificates (or just "certificates") can be managed centrally or at the application level, custom domains are mainly managed per environment. You can choose which certificate to use when you configure a custom domain for an environment (test, acceptance, or production). 
@@ -76,140 +60,9 @@ To manage custom domains, follow these steps: 2. Click **Cloud Settings** ({{< icon name="settings-slider-1" >}}) from any of the [available tabs](/developerportal/deploy/environments/#available-tabs) to open the **Manage Cloud Settings** page. 3. Switch to the **Custom Domains** tab. -If you already have a signed SSL/TLS certificate, skip to [Uploading Your Own Custom Domain Certificate](#Uploading) below. - -## Obtaining a New Signed Certificate - -If you do not have an SSL/TLS certificate, you can order one from a certificate authority (such as GeoTrust, Thawte, Verisign, RapidSSL, GoDaddy, or Comodo). To get a signed SSL/TLS certificate from a certificate authority, you need to provide a certificate signing request (CSR). - -A private SSL/TLS key and a CSR tied to that key can be created in Mendix Cloud for you. - -### Generating a Certificate Request for your Custom Domain{#Generating} - -{{% alert color="info" %}} -Certificates are applied to a single app. Therefore, Mendix recommends that you do not use a wildcard (`*`) in the domain for which you are requesting a certificate. See [Can You Create a `*.mycompany.com` Wildcard Certificate?](#wildcard), below, for more information. -{{% /alert %}} - -To create a CSR and an RSA (Rivest–Shamir–Adleman) encryption key, follow these steps: - -1. Click **Request Certificate** in the **Custom Domains** tab. -2. In the **Request Certificate** wizard: - 1. Review the information in **General Info**, then click **Next**. - 2. Complete the required fields in **Generate**, then click **Next**. - 3. In **PEM Format**, an SSL/TLS private key and a certificate request are generated and displayed in PEM (Privacy-Enhanced Mail) format. - - {{< figure src="/attachments/deployment/mendix-cloud-deploy/custom-domains/pem-format.png" >}} - - {{% alert color="info" %}}The SSL/TLS private key will be hidden after you upload it. 
To keep the key secure, it will be stored in Mendix Cloud's secure keystore; it will not be available for download, and it cannot be obtained by Mendix Support.{{% /alert %}} - -After the CSR is generated successfully, the CSR name appears in the table on the **Custom Domains** tab. In the **Certificate Description** column, the name you provided during creation is followed by **Pending Customer Feedback**. This suffix remains until the CSR is signed with a certificate. The **Local/Central** column also indicates whether the generated certificate is managed locally at the app level or centrally. - -You can now go to your certificate authority to get a signed SSL/TLS certificate. - -### Uploading a Signed Certificate{#Upload} - -Once you have a signed SSL/TLS certificate, you can upload it by following these steps: - -1. Switch to the **Custom Domains** tab. - -2. Click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon on the CSR of interest. - -3. Select **Details**. - -4. Click **Upload Signed Certificate**. - -5. Add a **Description** of your certificate. - -6. Paste the signed **TLS Certificate** (in PEM format). - -7. Paste an **Intermediate Certificate Chain**. While optional for modern browsers, it is mandatory for programmatic access and service consumption (like [OData services](/refguide/consumed-odata-services/)). The intermediate certificate chain is provided by your certificate authority. - - {{< figure src="/attachments/deployment/mendix-cloud-deploy/custom-domains/signed-certificate.png" width=80% class="no-border" >}} - -8. Click **Save** to complete the process. - -{{% alert color="warning" %}} -The intermediate certificates of the main certificate authorities are included in the built-in CA databases of modern browsers. Therefore, you do not need to include an intermediate certificate to serve your website through SSL/TLS for users with modern browsers. 
- -However, intermediate certificate chains are mandatory for programmatic access and [service consumption](https://www.mendix.com/evaluation-guide/app-lifecycle/develop/integration/service-exposure/), and missing intermediate certificates will cause service consumption failures even when browser access works normally. Tools such as curl, programming languages, and operating systems do not automatically resolve missing intermediate certificates. - -You cannot predict how your users will attempt to connect to your website, and not including an intermediate certificate may result in connection issues for some users. To this end, Mendix recommends always including the intermediate certificate chain to ensure reliable connectivity for all use cases. -{{% /alert %}} - -You can now configure your custom domain. See [Configuring a Custom Domain](#Configuring), below. - -{{% alert color="info" %}} -After uploading, always verify your certificate using an SSL checker to identify any missing intermediate certificates before they cause service disruptions. -{{% /alert %}} - -## Uploading Your Own Custom Domain Certificate{#Uploading} - -To upload a custom domain certificate, you need to have the following things prepared: - -* An SSL/TLS certificate that is self-signed or signed by your certificate authority -* An intermediate certificate chain provided by your certificate authority -* An SSL/TLS private key - -To upload the custom domain certificate, follow these steps: - -1. Click **Upload Certificate** in the **Custom Domains** tab. -2. In the **Upload Certificate** wizard: - 1. Review the information in **General Info**, then click **Next**. - 2. Complete the required fields in **Upload**: - * Add a **Description** for the certificate. - * Paste the signed **TLS Certificate**. - * Paste an **Intermediate Certificate Chain**. 
While optional for modern browsers, it is mandatory for programmatic access and service consumption (like [OData services](/refguide/consumed-odata-services/)). The intermediate certificate chain is provided by your certificate authority. - * Paste the **TLS Private Key**. - -3. Click **Save** to upload your new custom domain certificate to Mendix Cloud automatically. - - {{% alert color="info" %}}The SSL/TLS private key will be hidden after you upload it. To keep the key secure, it will be stored in Mendix Cloud's secure keystore; it will not be available for download, and it cannot be obtained by Mendix Support.{{% /alert %}} - -You can now configure your custom domain. For details, see [Configuring a Custom Domain](#Configuring), below. - -You can add as many certificates as you need. Each certificate will be listed with the description you gave it. Make sure to give them meaningful names so that you can identify them easily. - -## Renewing a Custom Domain Certificate - -Custom domain certificates have an expiry date. There are two methods for renewing a custom domain certificate that is about to expire: - -* Create a new custom domain certificate (recommended) - -* Update an existing custom domain certificate - -### Method 1: Creating a New Custom Domain Certificate (Recommended) - -You can handle an expiring domain certificate by replacing it with a new one. You can do this in one of two ways: - -* Generate a new certificate request (for more information, see [Generating a Certificate Request for Your Custom Domain](#Generating)) - -* Upload a new custom domain certificate (for more information, see [Uploading Your Own Custom Domain Certificate](#Uploading)) - -You can now select the new certificate for your custom domain (for more information, see [Configuring a Custom Domain](#Configuring)), below. - -{{% alert color="info" %}} -If you are rotating a certificate, you do not need to remove the current domain configuration when replacing the certificate. 
Selecting a new certificate for an existing domain will reconfigure the existing domain with the selected certificate. -{{% /alert %}} - -### Method 2: Renewing by Updating an Existing Custom Domain Certificate - -You can do this by editing an existing custom domain certificate. To update an existing custom domain certificate, follow these steps: - -1. Click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon on the CSR of interest. -2. Select **Edit**. -3. Paste the signed **TLS Certificate**. -4. Paste an **Intermediate Certificate Chain**. While optional for modern browsers, it is mandatory for programmatic access and service consumption (like [OData services](/refguide/consumed-odata-services/)). The intermediate certificate chain is provided by your certificate authority. - -{{% alert color="warning" %}} -To edit an existing custom domain certificate, you need the following: - -* access to the certificate request that you created for the current certificate -* [transport rights](/developerportal/deploy/node-permissions/#transport-rights) for all environments of the application -{{% /alert %}} - ## Configuring a Custom Domain {#Configuring} -Once a custom domain certificate has been uploaded, you can configure a custom domain for one of your application environments. +Once a custom domain certificate has been uploaded, you can configure the custom domain for one of your application environments. To configure a custom domain for your application environment, follow these steps: 
@@ -235,17 +88,22 @@ Make sure you have configured a CNAME record for your custom domain with your do ### Can You Create a `*.mycompany.com` Wildcard Certificate? {#wildcard} -Yes. However, when you create the certificate request via Mendix Cloud, you will only be able to use the wildcard certificate for the environments of a single app. This is because the private key is stored securely and is not accessible to you or Mendix Support, so you will not be able to reuse it in other apps. +Yes. For application-level certificates, a wildcard certificate can only be used within the environments of a single app. This is because the private key is stored securely and cannot be accessed outside the app. -If you have your own custom domain certificate, you can upload it to all of your apps and use it for all the environments of all of your apps. +To reuse a wildcard certificate across multiple apps or environments, Mendix Admins can create a central certificate in [Certificate Management](/control-center/certificate-management/). Central certificates can then be selected by Technical Contacts across different apps and environments. -You can select the same wildcard certificate per environment by using it with different subdomains. For example, `test.mycompany.com`, `accp.mycompany.com`, and `app.mycompany.com`. +Technical Contacts can select the same wildcard certificate for different environments of the same app by using it with different subdomains. For example, `test.mycompany.com`, `accp.mycompany.com`, and `app.mycompany.com`. ### How Do You Construct an Intermediate Certificate Chain Properly? -Your certificate is signed by the certificate authority (CA). They sign your certificate with their intermediate certificate, rather than directly with the root certificate. Their intermediate certificate is signed with their own root certificate. +Your certificate is signed by a certificate authority (CA) using the CA's intermediate certificate. 
The intermediate certificate is signed with the CA’s root certificate. -To reach the root certificate, you must link your certificate via the intermediate certificate chain, which is usually just one intermediate certificate. Occasionally, a CA requires more than one intermediate certificate. You do not need to provide the root certificate, because every web browser has it in its trusted keystore. +To reach the root certificate, you must link your certificate through the intermediate certificate chain, usually just one intermediate certificate. Occasionally, a CA requires multiple intermediate certificates. + +* For application-level certificates, you provide the intermediate certificate chain when uploading the certificate at the application level +* For central certificates, the chain is uploaded by the Mendix Admin + +You do not need to provide the root certificate, because every web browser has it in its trusted keystore. ### How Do You Get my SAML Metadata or CommunityCommons.GetApplicationUrl to Use the Custom URL? {#use-custom-url} 
@@ -255,10 +113,15 @@ To tell the runtime where it lives, set the `ApplicationRootUrl` [custom runtime ### Can You Configure Multiple Custom Domains for the Same Application? {#multiple-custom-domains} -Yes, you can configure multiple custom domains for the same application. You can only do this by [uploading multiple own custom domain certificates](#Uploading). You can only [generate one certificate signing request for one custom domain](#Generating) for your application. +Yes, you can configure multiple custom domains for the same application. + +For application-level certificates, you need to [upload](/developerportal/deploy/application-level-certificates/#Upload) a separate certificate for each custom domain. You can only [generate](/developerportal/deploy/application-level-certificates/#Generating) one certificate signing request (CSR) per custom domain. + +For central certificates, a single certificate managed by the Mendix Admin can be reused across multiple custom domains and applications, if applicable. ## Read More +* [Certificate Management](/control-center/certificate-management/) * [Certificates](/developerportal/deploy/certificates/) * [Environments](/developerportal/deploy/environments/) * [Mendix Cloud: Deploy](/developerportal/deploy/mendix-cloud-deploy/) diff --git a/content/en/docs/deployment/mendix-cloud-deploy/environments.md b/content/en/docs/deployment/mendix-cloud-deploy/environments.md index b7d712bcd20..aa436fe5061 100644 --- a/content/en/docs/deployment/mendix-cloud-deploy/environments.md +++ b/content/en/docs/deployment/mendix-cloud-deploy/environments.md 
@@ -192,9 +192,25 @@ If you click **Cloud Settings** ({{< icon name="settings-slider-1" >}}) from any ### Custom Domains -On the **Custom Domains** tab, the Technical Contact can manage custom domain certificates either centrally or at the application level. They can also access an overview of all the linked custom domains. +On the **Custom Domains** tab, the Technical Contact can perform the following actions: -When you need your Mendix app to be accessible via your own URL (for example, `https://myapp.mycompany.com/`), you must provide a custom SSL/TLS certificate for your domain. This ensures a secure connection to your Mendix app. For more information, refer to [Custom Domains](/developerportal/deploy/custom-domains/). +* Request a new application-level certificate +* Upload a new application-level certificate +* Edit, delete, and view application-level certificates +* View centralized certificates created by a Mendix Admin through **Certificate Management** +* View the custom domains associated with each certificate + +To make your Mendix application accessible through a custom URL (for example, `https://myapp.mycompany.com`), you must configure a custom domain secured with an SSL/TLS certificate. In Mendix Cloud, certificates can be created in one of the following ways: + +* **Application level** – Technical Contacts can create and manage application-level certificates, which are marked as **Local**. For more information, refer to [Application-Level Certificates](/developerportal/deploy/application-level-certificates/). + +* **Central level** – Mendix Admins can upload and manage SSL/TLS certificates centrally in Control Center using [Certificate Management](/control-center/certificate-management/). These certificates can be reused across multiple applications and are marked as **Central**. + +{{% alert color="info" %}} +Certificates created through **Certificate Management** can only be managed by Mendix Admins. 
Technical Contacts can view these certificates, but cannot edit or delete them. +{{% /alert %}} + +For step-by-step instructions on configuring custom domains for your Mendix application, refer to [Custom Domains](/developerportal/deploy/custom-domains/). ### Access Restriction Profiles diff --git a/content/en/docs/releasenotes/control-center/2026.md b/content/en/docs/releasenotes/control-center/2026.md index d82bf2c1196..46949966451 100644 --- a/content/en/docs/releasenotes/control-center/2026.md +++ b/content/en/docs/releasenotes/control-center/2026.md @@ -9,6 +9,12 @@ numberless_headings: true ## January 2026 +### February 1, 2026 + +#### New Features + +* We have added **Certificate Management** in Control Center, enabling Mendix Admins to centrally manage SSL/TLS certificates for custom domains. From the [Certificate Management](/control-center/certificate-management/) page, Mendix Admins can manage [Centralized Certificates](/developerportal/deploy/certificates/centralized-certificates/) and make certificates available to Technical Contacts when [configuring custom domains](/developerportal/deploy/custom-domains/#Configuring) at the application level. + ### January 5, 2026 #### New Features From 8e63b720b3242469286cb677f9a565c5d0283363 Mon Sep 17 00:00:00 2001 From: Olufunke Moronfolu Date: Fri, 23 Jan 2026 14:12:22 +0100 Subject: [PATCH 2/2] Fixing broken links --- .../certificates/_index.md | 21 +++++++++++++++++++ .../application-level-certificates.md | 4 ++-- .../mendix-cloud-deploy/custom-domains.md | 19 ----------------- .../modules/document-generation/_index.md | 2 +- 4 files changed, 24 insertions(+), 22 deletions(-) diff --git a/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md b/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md index 0972cfdeb15..d6fb114646a 100644 --- a/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md 
+++ b/content/en/docs/deployment/mendix-cloud-deploy/certificates/_index.md @@ -96,6 +96,27 @@ To upload a certificate authority, follow these steps: 1. Upload a certificate authority in the PEM format. +## Frequently Asked Questions + +### Can You Create a `*.mycompany.com` Wildcard Certificate? {#wildcard} + +Yes. For [application-level certificates](/developerportal/deploy/application-level-certificates/), a wildcard certificate can only be used within the environments of a single app. This is because the private key is stored securely and cannot be accessed outside the app. + +To reuse a wildcard certificate across multiple apps or environments, Mendix Admins can create a central certificate in [Certificate Management](/control-center/certificate-management/). Central certificates can then be selected by Technical Contacts across different apps and environments. + +Technical Contacts can select the same wildcard certificate for different environments of the same app by using it with different subdomains. For example, `test.mycompany.com`, `accp.mycompany.com`, and `app.mycompany.com`. + +### How Do You Construct an Intermediate Certificate Chain Properly? + +Your certificate is signed by a certificate authority (CA) using the CA's intermediate certificate. The intermediate certificate is signed with the CA’s root certificate. + +To reach the root certificate, you must link your certificate through the intermediate certificate chain, usually just one intermediate certificate. Occasionally, a CA requires multiple intermediate certificates. + +* For application-level certificates, you provide the intermediate certificate chain when uploading the certificate at the application level +* For central certificates, the chain is uploaded by the Mendix Admin + +You do not need to provide the root certificate, because every web browser has it in its trusted keystore. + ## Read More * [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) 
diff --git a/content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md b/content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md index bb9a7bfc4c0..89ba9f53bd7 100644 --- a/content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md +++ b/content/en/docs/deployment/mendix-cloud-deploy/certificates/application-level-certificates.md @@ -61,7 +61,7 @@ A private SSL/TLS key and a CSR tied to that key can be created in Mendix Cloud ### Generating a Certificate Request {#Generating} {{% alert color="info" %}} -When you generate a certificate request at the application level, the resulting certificate is managed locally and applies only to that application. Therefore, Mendix recommends that you do not use a wildcard (`*`) in the domain for which you are requesting a certificate. See [Can You Create a `*.mycompany.com` Wildcard Certificate?](#wildcard), below, for more information. +When you generate a certificate request at the application level, the resulting certificate is managed locally and applies only to that application. Therefore, Mendix recommends that you do not use a wildcard (`*`) in the domain for which you are requesting a certificate. See [Can You Create a `*.mycompany.com` Wildcard Certificate?](/developerportal/deploy/certificates/#wildcard), for more information. {{% /alert %}} To create a CSR and an RSA (Rivest–Shamir–Adleman) encryption key, follow these steps: @@ -179,4 +179,4 @@ To edit an existing custom domain certificate, you need the following: * access to the certificate request that you created for the current certificate * [transport rights](/developerportal/deploy/node-permissions/#transport-rights) for all environments of the application -{{% /alert %}} \ No newline at end of file +{{% /alert %}} 
diff --git a/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md b/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md index fbe87e1c636..a0a063674cb 100644 --- a/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md +++ b/content/en/docs/deployment/mendix-cloud-deploy/custom-domains.md 
@@ -86,25 +86,6 @@ Make sure you have configured a CNAME record for your custom domain with your do ## Frequently Asked Questions -### Can You Create a `*.mycompany.com` Wildcard Certificate? {#wildcard} - -Yes. For application-level certificates, a wildcard certificate can only be used within the environments of a single app. This is because the private key is stored securely and cannot be accessed outside the app. - -To reuse a wildcard certificate across multiple apps or environments, Mendix Admins can create a central certificate in [Certificate Management](/control-center/certificate-management/). Central certificates can then be selected by Technical Contacts across different apps and environments. - -Technical Contacts can select the same wildcard certificate for different environments of the same app by using it with different subdomains. For example, `test.mycompany.com`, `accp.mycompany.com`, and `app.mycompany.com`. - -### How Do You Construct an Intermediate Certificate Chain Properly? - -Your certificate is signed by a certificate authority (CA) using the CA's intermediate certificate. The intermediate certificate is signed with the CA’s root certificate. - -To reach the root certificate, you must link your certificate through the intermediate certificate chain, usually just one intermediate certificate. Occasionally, a CA requires multiple intermediate certificates. - -* For application-level certificates, you provide the intermediate certificate chain when uploading the certificate at the application level -* For central certificates, the chain is uploaded by the Mendix Admin - -You do not need to provide the root certificate, because every web browser has it in its trusted keystore. - ### How Do You Get my SAML Metadata or CommunityCommons.GetApplicationUrl to Use the Custom URL? {#use-custom-url} For certain use cases, it is important for the Mendix runtime to know the public URL of your applications. 
This is most commonly needed when your app generates links back to itself. diff --git a/content/en/docs/marketplace/platform-supported-content/modules/document-generation/_index.md b/content/en/docs/marketplace/platform-supported-content/modules/document-generation/_index.md index f5b133654e7..02786603cf0 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/document-generation/_index.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/document-generation/_index.md 
@@ -31,7 +31,7 @@ The [PDF Document Generation](https://marketplace.mendix.com/link/component/2115 {{% alert color="info" %}}We only support apps that allow bi-directional communication with the PDF Service in Mendix Cloud for all deployment types except for on-premises, and for the [Private PDF Document Generation Service](/appstore/services/private-document-generation-service/).{{% /alert %}} * The maximum file size is 25 MB per document. If your document exceeds this limit, the action will result in an exception. We recommend compressing high-resolution images to reduce their file size. * If your app is configured to [restrict access for incoming requests](/developerportal/deploy/access-restrictions/) using client certificates, our cloud service will not be able to reach your app, and the module will not work properly. -* If your app uses a custom domain, you must configure a custom SSL/TLS domain certificate signed by a trusted public authority, including all intermediate certificates if applicable. Self-signed certificates will cause the service to fail. For more information, see [Obtaining a new signed certificate](/developerportal/deploy/custom-domains/#obtaining-a-new-signed-certificate). +* If your app uses a custom domain, you must configure a custom SSL/TLS domain certificate signed by a trusted public authority, including all intermediate certificates if applicable. Self-signed certificates will cause the service to fail. For more information, see [Obtaining a new signed certificate](/developerportal/deploy/application-level-certificates/#obtaining-a-new-signed-certificate). * We use a fixed 30 second timeout for the page to finish loading and rendering. A timeout exception is thrown if the page content did not finish loading within 30 seconds. * Widgets or add-ons for your `index.html` file that perform long polling network requests are not supported. The document generation service waits until there are no more pending network requests. 
* Some widgets, such as [Charts](/appstore/widgets/charts/), might be rendered inconsistently in the generated PDF due to factors like animation.
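Review bot: In PATCH 1/2, custom-domains.md, the rewritten answer under "Can You Configure Multiple Custom Domains for the Same Application?" changes the stated limit. The removed line allowed one certificate signing request for one custom domain "for your application", while the added line says "one certificate signing request (CSR) per custom domain", which reads as one CSR for each domain. Confirm which limit is intended, and keep the per-application wording if the behaviour has not changed. The closing "if applicable" on the central-certificates sentence is also vague. certificate-management.md in this same patch already states the condition ("provided the domain names are covered by the certificate"), so repeat that condition here.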
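Review bot: In PATCH 1/2, environments.md, the new Custom Domains text uses two names for the same thing: the bullet says "View centralized certificates" while the paragraph below says "Central level" and the UI label is **Central**. The release note in this patch adds a third form ("Centralized Certificates"), and the new page file is named central-certificates.md. Pick one term, preferably the one that matches the **Central** label readers see in the **Local/Central** column, and use it in the bullet list, the alert and the release note.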
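Review bot: In PATCH 1/2, releasenotes/control-center/2026.md, the new "### February 1, 2026" entry is inserted directly under the "## January 2026" heading, so a February release is filed under January. Add a "## February 2026" heading above it, or correct the date. The link target `/developerportal/deploy/certificates/centralized-certificates/` also needs checking: the page added by this patch is central-certificates.md, and the sibling page is linked as `/developerportal/deploy/application-level-certificates/` with no `certificates/` segment. PATCH 2/2 ("Fixing broken links") does not touch this file, so a wrong path here would ship as is.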
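Review bot: In PATCH 2/2, certificates/_index.md, the FAQ moved into its final location still justifies omitting the root certificate with "every web browser has it in its trusted keystore". The upload instructions removed from custom-domains.md in this series stress that programmatic clients (curl, programming languages, operating systems) behave differently from browsers, so a browser-only justification invites the reader to apply browser assumptions to service consumers. Reword the sentence so it covers clients in general, and say again here that the intermediate chain should always be supplied. Minor: the same section mixes a straight apostrophe ("CA's") and a curly one ("CA’s") in adjacent sentences.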
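Review bot: In PATCH 2/2, application-level-certificates.md, first hunk, removing ", below," left a stray comma after the link: "...(/developerportal/deploy/certificates/#wildcard), for more information." Drop the comma so the sentence reads "See [...](/developerportal/deploy/certificates/#wildcard) for more information." Since the FAQ now lives on another page, naming that page in the sentence would also help a reader who expects the answer further down this one.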
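Review bot: In PATCH 2/2, document-generation/_index.md, the retargeted link keeps the fragment `#obtaining-a-new-signed-certificate`, but the certificate headings visible in this series carry explicit IDs such as `{#Generating}`, `{#Upload}` and `{#Uploading}`, and none of them matches that fragment. Confirm that application-level-certificates.md has a heading that produces this anchor. If it does not, point the link at the section that covers it (for example `#Generating`) and update the link text "Obtaining a new signed certificate" to match the heading, otherwise the link still lands at the top of the page after the fix.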