How-to: generate certificates to use for authenticating against a webservice

The manual for the Mendix cloud explains how to set up authentication using certificates, but it does not explain how to generate the necessary files. Since I just spent a couple of hours figuring this out, I thought I'd share the process in this post. I am assuming you're using a Windows install of openssl, but it should be easy to adapt the commands to any other environment.

1. Generate private key for server
    "c:\Program Files\OpenSSL-Win64\bin\openssl.exe" genrsa -out MyRootCA.key 2048
2. Generate public certificate for server
    "c:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -x509 -new -nodes -key MyRootCA.key -sha256 -days 24855 -out MyRootCA.pem
   Only fill common name with whatever you think describes the service best.
3. Generate private key for client
    "c:\Program Files\OpenSSL-Win64\bin\openssl.exe" genrsa -out MyClient1.key 2048
4. Generate certificate signing request for client
    "c:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -new -key MyClient1.key -out MyClient1.csr
   Only fill common name with whatever best describes the client.
5. Generate client certificate based on csr and server's private key
    "c:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -req -in MyClient1.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out MyClient1.pem -sha256 -days 24855
6. Generate pkcs12 to upload to Cloud portal on client side
    "c:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -inkey MyClient1.key -in MyClient1.pem -certfile MyRootCA.pem -out client.pfx
   Because of a bug in the Mendix platform you need to specify some password here (it does not need to be a strong password).
7. Upload MyRootCA.pem on server side in the access profile (you need to paste the contents I believe).
8. Upload client.pfx on client side in outgoing client certificates.
9. Delete all local files (or if you need to create additional certs for other clients in the future, keep the MyRootCA.* files, but store them offline and safe!).

What the above steps allow you to do is to use proper authentication using self-signed certificates for any webservices (REST or SOAP) between your own Mendix applications. This will ensure no other client than the correct one will be able to send anything to your webservice. There are some arguments to be made about using self-signed certificates and the steps you need to take to ensure you create them in a safe environment. Also, the steps above create certificates that will only expire after you will have done so yourself (2087 I believe). This is also arguably not the best idea. However, it is always better than the alternative, which is not using certificates for authentication at all.

If you live in a world where you are the server and other people are the clients, you will need to have them create their own private client key and csr and have them send the csr to you to sign. You may then want to use a password on the resulting file to make it easier to get it to them in a safe manner.
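
The files produced by the steps above can be checked locally before anything is uploaded. The script below is an added example, not part of the original post: it runs the same OpenSSL commands non-interactively in POSIX shell (the post uses Windows paths) and then verifies the results. The `-subj` names, the 365-day validity, the `OtherCA` files and the `example` password are constructed values.

```shell
#!/bin/sh
# Added example: the post's OpenSSL steps in a scratch directory, plus checks.
# Subject names, validity period and PFX password are constructed values.

make_ca() {  # $1 = file prefix, $2 = common name
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key "$1.key" -sha256 -days 365 \
        -subj "/CN=$2" -out "$1.pem"
}

make_client() {  # $1 = client prefix, $2 = CA prefix, $3 = common name
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/CN=$3" -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -out "$1.pem" -sha256 -days 365 2>/dev/null
}

check_client_cert_setup() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca MyRootCA "Example service CA" || exit 1
        make_ca OtherCA "Unrelated CA" || exit 1
        make_client MyClient1 MyRootCA "Example client 1" || exit 1

        # 1. The client certificate must chain to the CA pasted on the server.
        openssl verify -CAfile MyRootCA.pem MyClient1.pem >/dev/null 2>&1 || exit 2
        # 2. It must not validate against any other CA.
        if openssl verify -CAfile OtherCA.pem MyClient1.pem >/dev/null 2>&1; then exit 3; fi
        # 3. The certificate must match the private key that goes into the PFX.
        cert_pub=$(openssl x509 -in MyClient1.pem -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in MyClient1.key -pubout | openssl sha256)
        [ "$cert_pub" = "$key_pub" ] || exit 4
        # 4. The PFX must open with its password and hold client + CA certificate.
        openssl pkcs12 -export -inkey MyClient1.key -in MyClient1.pem \
            -certfile MyRootCA.pem -out client.pfx -passout pass:example || exit 5
        openssl pkcs12 -in client.pfx -passin pass:example -nodes 2>/dev/null |
            grep -c 'BEGIN CERTIFICATE' | grep -qx 2 || exit 6
    )
    rc=$?
    rm -rf "$dir"   # scratch keys are never kept
    return $rc
}

check_client_cert_setup && echo "client certificate setup OK"
```

A non-zero return code identifies the failed check: 2 for a broken chain, 3 for a certificate accepted by the wrong CA, 4 for a key mismatch, 5 or 6 for a PFX problem.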
1 answer

Hi Nikel,

First of all, nice post.

I've done this recently myself, for securing incoming REST services between our Mendix apps. Normally I would agree with you that self-signed certificates are less secure, but for this it might actually be more safe, because you can make sure that the signing CA is only signing this certificate. When using a general CA it will be less secure.

I used this example to implement the certificates. Also make sure that you add the endpoints at the uploaded pfx.

Also, I filed a ticket at Mendix Support regarding Mendix native REST (Mx 7.22.0). When I call a REST service with the endpoint, the certificate is validated and functionality works. However, when using a CNAME in the native REST functionality, there is a certificate error. This is currently under review at Mendix Support. So test your certificates with the endpoint.