Certificates

TLS certificates and keys are used by the Valtix Gateway in proxy scenarios. For Ingress (Reverse Proxy), users access the application through the Valtix Gateway, which presents the certificate configured for the service. For Egress (Forward Proxy), the external host's certificate is impersonated, and the impersonated certificate is signed by the certificate defined here.

The certificate body is imported into the Valtix Controller. The private key can be provided in the following ways:

  • Import the Private Key contents
  • Store in AWS Secrets Manager and provide the secret name
  • Store in AWS KMS and provide the cipher text contents
  • Store in GCP Secrets Manager and provide the secret name
  • Store in Azure Key Vault as a secret and provide the key vault and secret name

For testing purposes you can also generate a self-signed certificate on the Valtix Controller. This is similar to importing the private key contents from your local file system.

Certificates are NOT editable once created. To replace one, create a new certificate and edit the decryption profile that uses the old certificate so that it references the new one.

Import Certificate

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import your Certificate and Private Key
  4. Copy the contents of the Certificate file in the Certificate Body. This can include the certificate and the chain
  5. Copy the contents of the Private Key in Certificate Private Key
  6. Optionally if your certificate and the chain are in different files, you can import the chain into Certificate Chain
  7. Click Save

AWS - KMS

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import AWS - KMS
  4. Select the Cloud Account and the region
  5. Copy the contents of the Certificate file in the Certificate Body. This can include the certificate and the chain
  6. Copy the AWS KMS encrypted cipher text into the Private Key Cipher Text. Look at this document for details on how to generate AWS KMS encrypted cipher text
  7. Click Save

AWS - Secrets Manager

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import AWS - Secret
  4. Select the Cloud Account and the region
  5. Copy the contents of the Certificate file in the Certificate Body. This can include the certificate and the chain
  6. Provide the Secret Name where the private key is stored. The private key contents must be stored as Other type of Secrets -> Plain Text in the AWS Secrets Manager
  7. Click Save
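The import steps above (Import Certificate, AWS - KMS, AWS - Secrets Manager) all need a PEM certificate body and a private key that the Controller or AWS can consume. The shell script below is an added example, not Valtix documentation or product code: it checks the key is an unencrypted PEM private key (an assumption here, since a passphrase-protected key cannot be stored as a plain-text secret), splits a combined bundle into the leaf certificate and its chain for the separate Certificate Body and Certificate Chain fields, and wraps the two AWS CLI calls that produce the KMS cipher text and the plain-text secret. The sample PEM blocks in `demo` are constructed markers, not real key material.

```shell
#!/bin/sh
# Added example (not Valtix documentation or product code): pre-import checks
# for the certificate body and private key described above. Assumes the
# Controller expects an unencrypted PEM private key and a PEM certificate body.

# Print the PEM label of the first block in a file, e.g. "PRIVATE KEY",
# "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY" or "CERTIFICATE".
pem_kind() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Return 0 if the file holds an unencrypted PEM private key, 1 otherwise.
# PKCS#8 "ENCRYPTED PRIVATE KEY" blocks and legacy keys carrying a
# "Proc-Type: 4,ENCRYPTED" header need a passphrase and are rejected.
key_is_plaintext() {
  kind=$(pem_kind "$1")
  case "$kind" in
    "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY")
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then return 1; fi
      return 0 ;;
    *) return 1 ;;
  esac
}

# Number of CERTIFICATE blocks in a PEM file.
cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Split a bundle into the leaf (first block) and the chain (remaining blocks).
# Usage: split_bundle bundle.pem leaf.pem chain.pem
split_bundle() {
  : > "$2"
  : > "$3"
  awk -v leaf="$2" -v chain="$3" '
    /^-----BEGIN CERTIFICATE-----$/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }
  ' "$1"
}

# AWS - KMS method: base64 cipher text of the key for the Private Key Cipher
# Text field. Needs the aws CLI and a KMS key id or alias; not run by demo.
kms_cipher_text() {
  aws kms encrypt --key-id "$1" --plaintext "fileb://$2" \
      --query CiphertextBlob --output text
}

# AWS - Secrets Manager method: store the key as a plain-text secret whose
# name goes into the Secret Name field. Not run by demo.
store_key_secret() {
  aws secretsmanager create-secret --name "$1" --secret-string "file://$2"
}

# Constructed inputs only: these PEM blocks are placeholders, not real keys.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-not-a-real-key' \
    '-----END PRIVATE KEY-----' > "$d/key.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'constructed' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/enc.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'intermediate' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'root' '-----END CERTIFICATE-----' > "$d/bundle.pem"
  for f in key.pem enc.pem; do
    if key_is_plaintext "$d/$f"; then echo "$f: plain-text key, importable"
    else echo "$f: $(pem_kind "$d/$f") - decrypt before importing"; fi
  done
  split_bundle "$d/bundle.pem" "$d/leaf.pem" "$d/chain.pem"
  echo "leaf certs: $(cert_count "$d/leaf.pem"), chain certs: $(cert_count "$d/chain.pem")"
  rm -rf "$d"
}
demo
```

Run the checks on your own files before pasting into the Controller; for the AWS methods, call `kms_cipher_text <key-id> key.pem` or `store_key_secret <secret-name> key.pem` with credentials for the same cloud account and region selected in step 4.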

Azure Key Vault

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import Azure - Key Vault Secret
  4. Select the Cloud Account and the region
  5. Copy the contents of the Certificate file in the Certificate Body. This can include the certificate and the chain
  6. Provide the Key Vault Name and the Secret Name where the private key is stored
  7. Click Save

Look at this document for details on how to grant Valtix access to Azure Key Vault using a User Assigned Managed Identity

GCP - Secret Manager

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import GCP - Secret
  4. Select the Cloud Account
  5. Provide the Secret Name and the Secret Version
  6. Copy the contents of the Certificate file in the Certificate Body. This can include the certificate and the chain
  7. Click Save