How to set up client certificate access rules?

Hello, we try to add access rules in our environment with multiple Mendix applications, but the configuration doesn’t work. I hope someone can see what is not correct in our approach.

All our Mendix applications function in the same domain and have the same certificate issuer for SSL. We want to make sure that only our own Mendix applications can call REST endpoints. We have created and applied an access profile in each Mendix cloud environment where we upload the intermediate certificate including the root certificate in PEM format. This certificate is our SSL certificate which we also use for the custom domain setting. Our certificate chain from our SSL certificate contains 4 levels, so we only added the first 3 levels.

It shouldn’t be necessary to add an outgoing connection certificate, since we use our SSL certificate in the restriction profile. But to be sure we added the authority. We did not add a Client Certificate, because I think it is not needed since the SSL certificate is used. Is this assumption correct? Any help would be much appreciated!
2 answers

Hi Diederik,

When you set up an access restriction profile with the top 3 levels of your certificate chain and then configure that profile for certain endpoints, you are restricting access to those endpoints to calls that carry a certificate that is signed by a certificate in your restriction profile (depending on which certificate you added a checkmark to).

Let's say you only put a checkmark on the 3rd certificate in the chain. This means that only http-calls with an accompanying client certificate signed by this 3rd certificate will be granted access.
If this call comes from another Mendix application, you do need (as you have mentioned in your own answer) to add this certificate to your outgoing call. If you use one that is created by Mendix, it obviously was not signed by the 3rd certificate in the chain, and therefore will not be granted access.

If I would configure it like this, only calls with the client1 certificate (or other client certificates that were signed by subca1) will be granted access, and in Mendix apps, you need to add those certificates to outgoing calls.

Hope this helps,

Greetings Martin


It seems that an outgoing connection certificate is mandatory to be able to encrypt the client side of a 2-side SSL. You can use the SSL certificate for it, but only if you created the SSL certificate with your own private key (not when you let Mendix create your SSL certificate request). And you will have to upload the certificate in the outgoing connection certificate section.

If someone disagrees with this solution, please let me know!
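
The two checks discussed in the answers above, reproduced locally with the `openssl` CLI as an added example (not part of the original posts and not Mendix's implementation): whether a client certificate chains to a CA in the restriction profile, and whether the caller holds the private key for the certificate it presents. The names `root`, `subca1`, `client1`, `other-ca` and `client2` are constructed for the demo, and the profile is assumed to contain `root` and `subca1`.

```shell
# Constructed throwaway PKI: root -> subca1 -> client1, and unrelated other-ca -> client2.
PKI=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$PKI/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$PKI/client.ext"

# issue NAME EXTFILE [ISSUER]: new key and certificate; self-signed when ISSUER is omitted.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null || return 1
  if [ -z "${3:-}" ]; then
    openssl x509 -req -in "$PKI/$1.csr" -signkey "$PKI/$1.key" \
      -extfile "$2" -days 1 -out "$PKI/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$3.pem" -CAkey "$PKI/$3.key" \
      -CAcreateserial -extfile "$2" -days 1 -out "$PKI/$1.pem" 2>/dev/null
  fi
}

# chains_to_profile CERT: does CERT verify as a TLS client cert against the profile CAs?
chains_to_profile() {
  openssl verify -purpose sslclient -CAfile "$PKI/profile.pem" "$1" >/dev/null 2>&1
}

# holds_key CERT KEY: does KEY belong to CERT? Without the matching key the caller
# cannot complete the client side of the handshake, even with a valid certificate.
holds_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

issue root     "$PKI/ca.ext"
issue subca1   "$PKI/ca.ext"     root
issue client1  "$PKI/client.ext" subca1
issue other-ca "$PKI/ca.ext"
issue client2  "$PKI/client.ext" other-ca

# Assumed restriction profile: the CA certificates the endpoint trusts.
cat "$PKI/root.pem" "$PKI/subca1.pem" > "$PKI/profile.pem"

chains_to_profile "$PKI/client1.pem" && echo "client1: issuer is in the profile"
chains_to_profile "$PKI/client2.pem" || echo "client2: issuer is not in the profile"
holds_key "$PKI/client1.pem" "$PKI/client1.key" && echo "client1 + own key: usable"
holds_key "$PKI/client1.pem" "$PKI/client2.key" || echo "client1 + foreign key: unusable"
```

Running the same two checks against the real outgoing connection certificate and the CA files uploaded to the profile shows which of the two conditions a rejected call fails.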