If the root of your Web Services is at the database folder, you can view the content of your Certificate file by typing in the absolute URL, like ("https://www.domain.com/key.pem"). This is normal because the pem files are inside the root level. You should change the root of the Web Services to one level below. That will block the user from accessing the pem files. Starting with 4D v6.7, the default for the Web root is a folder named "WebFolder" at the same level as the database structure.