Certificates and Keys
TLS certificates and keys are used by the Multicloud Defense Gateway in proxy scenarios. For ingress (reverse proxy), users access the application through the Multicloud Defense Gateway, which presents the certificate configured for the service. For egress (forward proxy), the Gateway impersonates the external host's certificate and signs the impersonated certificate with the certificate defined here.
The certificate body is imported to the Multicloud Defense Controller. The private key can be provided in the following ways:
- Import the private key contents.
- Store in AWS Secrets Manager and provide the secret name.
- Store in AWS KMS and provide the cipher text contents.
- Store in GCP Secret Manager and provide the secret name.
- Store in Azure Key Vault as a secret and provide the key vault and secret name.
For testing purposes you can also generate a self-signed certificate on the Multicloud Defense Controller. This is similar to importing the private key contents from your local file system.
Note: Certificates are NOT editable once created. If you need to replace the existing certificate, you will need to create a new certificate, edit the decryption profile to reference the new certificate, and then delete the old certificate. When importing the certificate and private key, the Multicloud Defense Controller / UI can detect if there is a mismatch. However, when using any other import method where the private key is stored within the cloud service provider, the Multicloud Defense Controller / UI will not be able to detect if there is a mismatch. This is by design to ensure the private key remains private and within your cloud service provider. When the private key is needed by the Multicloud Defense Gateway, it is accessed and used, and if there is a mismatch, an error is generated.
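Because the Controller cannot verify the pair when the private key lives in AWS Secrets Manager, AWS KMS, GCP Secret Manager or Azure Key Vault, it is worth confirming locally that the certificate body and the private key belong together before the key is stored. The following script is an added example and is not part of the Multicloud Defense documentation or product; it assumes the openssl CLI is installed, and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not Cisco Multicloud Defense code): check that a certificate body
# and a private key match before the key is stored in a cloud secret store,
# where the Controller cannot detect a mismatch and the error only appears
# later when the Gateway tries to use the key.
# Assumes the openssl CLI is installed. File names are placeholders.

# cert_key_match CERT_FILE KEY_FILE
# Returns 0 when the public key inside the leaf certificate equals the public key
# derived from the private key, 1 otherwise. If CERT_FILE is a bundle (certificate
# followed by its chain, as allowed in the Certificate Body), openssl x509 reads
# only the first certificate, which is the one the Gateway presents.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_count CERT_FILE
# Counts the PEM certificates in a file, so you know whether the chain is already
# in the Certificate Body or still has to be pasted into the Certificate Chain field.
chain_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: sh check_pair.sh server.pem server.key
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "OK: $1 and $2 match ($(chain_count "$1") certificate(s) in body)"
    else
        echo "MISMATCH: $1 does not belong to $2; do not store this key" >&2
        exit 1
    fi
fi
```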
Import Certificate
Procedure
Step 1: Navigate to .
Step 2: Click Create.
Step 3: When prompted with the Method, choose Import your Certificate and Private Key.
Step 4: Copy the contents of the certificate file into the Certificate Body. This can include the certificate and the chain.
Step 5: Copy the contents of the private key into Certificate Private Key.
Step 6: (Optional) Import the chain into the Certificate Chain if your certificate and the chain are in different files.
Step 7: Click Save.
AWS - KMS
Procedure
Step 1: Navigate to .
Step 2: Click Create.
Step 3: In the Method, choose Import AWS - KMS.
Step 4: Select the Cloud Account and the region.
Step 5: Copy the contents of the certificate file into the Certificate Body. This can include the certificate and the chain.
Step 6: Copy the AWS KMS encrypted cipher text into the Private Key Cipher Text.
Step 7: Click Save.
AWS - Secrets Manager
Procedure
Step 1: Navigate to .
Step 2: Click Create.
Step 3: In the Method, choose Import AWS - Secret.
Step 4: Select the Cloud Account and the region.
Step 5: Copy the contents of the certificate file into the Certificate Body. This can include the certificate and the chain.
Step 6: Provide the Secret Name where the private key is stored. The private key contents must be stored as Other type of Secrets > Plain Text in the AWS Secrets Manager.
Step 7: Click Save.
Azure Key Vault
Procedure
Step 1: Navigate to .
Step 2: Click Create.
Step 3: In the Method, choose Import Azure - Key Vault Secret.
Step 4: Select the Cloud Account and the region.
Step 5: Copy the contents of the certificate file into the Certificate Body. This can include the certificate and the chain.
Step 6: Provide the Key Vault Name and the Secret Name where the private key is stored.
Step 7: Click Save.
GCP - Secret Manager
Procedure
Step 1: Navigate to .
Step 2: Click Create.
Step 3: In the Method, choose Import GCP - Secret.
Step 4: Select the Cloud Account.
Step 5: Provide the Secret Name (full path) and the Secret Version.
Step 6: Copy the contents of the certificate file into the Certificate Body. This can include the certificate and the chain.
Step 7: Click Save.