Tech Tip: Securing 4D Client-Server Communications with TLS Certificates
PRODUCT: 4D | VERSION: 20 R | PLATFORM: Mac & Win
Published On: May 29, 2025

When deploying a 4D application, ensuring secure client-server communications is critical, especially when sensitive data is exchanged. Without proper TLS encryption, communications are vulnerable to interception. You may need to set up certificates for local testing, deploy trusted certificates for production, or leverage 4D’s built-in features for simplified security.

For development or testing, use OpenSSL to create a self-signed certificate to encrypt 4D client-server communications.

Generate a private key and CA certificate:

    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.pem

Create the server private key (key.pem) and a Certificate Signing Request (CSR) with a config file specifying the Common Name (CN) and Subject Alternative Name (SAN):

    openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out server.csr -config san.cnf

Example san.cnf:

    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    [dn]
    CN = localhost
    [req_ext]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = localhost
    IP.1 = 127.0.0.1

Sign the CSR to produce a server certificate:

    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cert.pem -days 365 -sha256 -extfile san.cnf -extensions req_ext

  • Deploy cert.pem and key.pem to the Resources folder of the 4D server and each client.
  • Ensure CN and SAN match your server’s hostname or IP to avoid connection issues.
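
The self-signed workflow above, run end to end and followed by pre-deployment checks (chain, SAN match, key/certificate pairing, expiry), as an added example that is not part of the original tech tip. The function names, the "Test CA" subject and the temporary directory are assumptions, and the server key is generated as key.pem in the CSR step.

```shell
#!/bin/sh
# Added example, not part of the original tech tip. File names follow the
# article; the function names, the "Test CA" subject and the temporary
# directory are assumptions made for this sketch.
set -eu

make_test_certs() {   # $1 = output directory
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = localhost
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 365 \
        -subj "/CN=Test CA" -out "$dir/ca.pem"
    # Server key and CSR in one step; the key is written unencrypted as key.pem.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/server.csr" -config "$dir/san.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/cert.pem" -days 365 -sha256 \
        -extfile "$dir/san.cnf" -extensions req_ext 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/key.pem"   # private keys: owner only
}

# Returns 0 if deployable; 1 chain, 2 host name, 3 key mismatch, 4 expiring.
check_deployable() {  # $1 = directory, $2 = host name clients connect to
    dir=$1 host=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/cert.pem" -noout -checkhost "$host" \
        | grep -q 'does match' || return 2
    [ "$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/key.pem" -pubout)" ] || return 3
    openssl x509 -in "$dir/cert.pem" -noout -checkend 2592000 >/dev/null || return 4
}

tmp=$(mktemp -d)
make_test_certs "$tmp"
check_deployable "$tmp" localhost && echo "OK: cert.pem/key.pem usable for localhost"
rm -rf "$tmp"
```

The `-checkend 2592000` test fails when the certificate expires within 30 days, which makes `check_deployable` usable as a scheduled renewal check.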

Use Let’s Encrypt for trusted X.509 certificates in production to secure communications.

Obtain a certificate using certbot:

    certbot certonly --standalone -d yourdomain.com

Find cert.pem and the private key (certbot names it privkey.pem) in /etc/letsencrypt/live/yourdomain.com/, then copy them to the Resources folder of the 4D server and clients as cert.pem and key.pem.

Verify the certificate:
    openssl x509 -in cert.pem -text -noout

To ensure robust security for 4D client-server communications, consistently place cert.pem and key.pem in the Resources folder of both the server and clients to maintain uniformity across environments. Always include relevant DNS names and IP addresses in the SAN field to meet modern TLS validation standards. Upgrading to 4D v20 R4 or later allows you to leverage auto-generated certificates for simpler setups, while manual certificates should be used for custom domain configurations. Protect private keys by restricting access to the Resources folder with strong file permissions, and regularly verify certificate validity, automating renewals for Let’s Encrypt to prevent disruptions from expired certificates.

This tech tip applies only to Legacy or ServerNet network layers. If you are using QUIC, manual certificate setup is not required. QUIC handles encryption automatically, simplifying security for your 4D application. For more details on the QUIC network layer, refer to the official documentation.