Auto-Generated SSL/TLS Certificates for Client-Server Communications

To simplify the security of client-server communications, from 4D v20 R4 onwards, 4D Server generates its own SSL/TLS certificates instead of relying on the default certificates provided by 4D.

This update brings a significant advantage for both testing and production environments. You’ll experience heightened security measures without the necessity of providing your own certificates. Let me explain to you what will change.

What’s new?

Before 4D v20 R4, 4D provided SSL/TLS certificates in the Resources folder of the 4D Server package used for encrypted communications for the application, database, and SQL server. These certificates were useful for testing purposes but not suitable for production, as they were the same for all 4D Servers. As such, you were supposed to replace them with your own certificate on your production servers.

With 4D v20 R4, we thought this system was too complicated for those of you who don’t need to use specific certificates. As such, we have removed the default certificates from the 4D Server. When 4D Server opens an application using encrypted connections, it checks the Resources folder. If you haven’t put your certificates there, it generates its temporary SSL/TLS certificate.

This feature simplifies the deployment of your application servers, as you no longer need to provide certificates. Incidentally, it also increases security as the 4D Server will use a new certificate every time it is restarted.

Note: 4D won’t generate certificates for the webserver: Webserver certificates need to be validated by a certificate authority for modern browsers to accept them. As such, temporary certificates are not valid.

I hope this feature will simplify your application deployments. If you have any questions, please bring them to the 4D forum. I also encourage you to read the security bulletin we issued recently.