Problem
Due to recent industry decisions by the CA/Browser Forum, public TLS/SSL certificates are rapidly moving to much shorter lifetimes:
- Today: ~397 days
- 2026: ~200 days
- 2027: ~100 days
- 2029: ~47 days
This means certificate renewal is no longer a yearly task, but a frequent operational process that must be automated.
In the Mendix Public Cloud, certificates currently have to be:
- Generated externally
- Manually uploaded via the portal
- Manually activated per environment
For organizations with many apps and environments, this is already becoming unscalable, risky, and error-prone.
Why this matters
Short-lived certificates are now the industry standard for security reasons.
But without automation:
- Ops teams must track dozens of expiry dates
- Manual mistakes will cause production outages
- CI/CD pipelines cannot include certificate rotation
- Enterprise customers cannot meet security automation requirements
Other cloud platforms already expose APIs or ACME-based flows for this exact reason.
Proposed solution
Expose Mendix Public Cloud APIs or automation hooks to manage TLS/SSL certificates programmatically:
Core capabilities
- Upload a new certificate
- Replace an existing certificate
- Activate a certificate on an environment
- Query current certificate metadata (expiry, fingerprint, etc.)
Optional (future)
- Native ACME integration (Let’s Encrypt, DigiCert ACME, Sectigo, etc.)
- Webhook or event when a certificate is near expiry
- Pipeline-friendly token authentication
Benefits
- Enables full automation (CI/CD, DevOps, SRE workflows)
- Reduces operational risk and downtime
- Aligns Mendix with modern cloud security standards
- Scales for large enterprise landscapes
Call to action
If you are managing certificates manually today, or expect to soon, please upvote this idea so it can be prioritized in the Mendix roadmap.
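Added example, not part of the original post and not Mendix code: a sketch of the expiry tracking described under "Why this matters", run over a constructed inventory, plus the renewal volume implied by the lifetimes listed under "Problem". The one-third renewal point, the environment names, the dates and the fleet size of 30 are assumptions.

```python
from datetime import datetime, timedelta, timezone
import math

# Certificate lifetimes in days, as listed in the post.
SCHEDULE = {"today": 397, "2026": 200, "2027": 100, "2029": 47}
# Assumption: renew once a third of the certificate's lifetime remains.
RENEW_FRACTION = 1 / 3

def renewals_per_year(lifetime_days, certs=1):
    """Renewals per year for a fleet when each cert is replaced at the renew point."""
    interval_days = lifetime_days * (1 - RENEW_FRACTION)
    return math.ceil(certs * 365 / interval_days)

def classify(not_before, not_after, now):
    """Status of one certificate, scaled to its own lifetime."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining <= (not_after - not_before) * RENEW_FRACTION:
        return "RENEW"
    return "OK"

def audit(inventory, now):
    """Return (environment, status, days_left) rows, most urgent first."""
    rows = [(env, classify(nb, na, now), (na - now).days) for env, nb, na in inventory]
    return sorted(rows, key=lambda row: row[2])

def _cert(env, issued, lifetime_days):
    nb = datetime(*issued, tzinfo=timezone.utc)
    return (env, nb, nb + timedelta(days=lifetime_days))

# Constructed inventory (hypothetical environment names and dates).
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    _cert("app-a/production", (2025, 9, 1), 397),
    _cert("app-a/acceptance", (2026, 4, 1), 200),
    _cert("app-b/production", (2025, 4, 20), 397),
]

if __name__ == "__main__":
    for env, status, days_left in audit(INVENTORY, NOW):
        print(f"{env:18} {status:8} {days_left:4d} days left")
    for label, days in SCHEDULE.items():
        print(f"{label:6} {days:3d}-day certs, 30 environments: "
              f"{renewals_per_year(days, 30)} renewals/year")
```

With these assumptions, 30 environments go from 42 renewals per year at 397-day lifetimes to 350 at 47-day lifetimes, each of which is currently a manual upload and activation.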