Hi David,
you can use openSSL to generate a .CSR (signing request) which can be signed by a CA (certificate authority), so it’s verified by a trusted party.
The PKCS12 is sort of a zipfile containing the private key and signed certificate.
For incoming connections, creating you own CA with openSSL is most safe, because this way, you are the only one that can sign certificates with this CA. If you take a verified CA, in theory, everyone can have access to your application.
So in short for outgoing connections:
So in short for incoming connections:
Have a look at the Mendix documentation.