
Certificates

TLS certificates and keys are used by the Valtix Gateway in proxy scenarios. For Ingress (ReverseProxy), users access the application via the Valtix Gateway, which presents the certificate configured for the service. For Egress (ForwardProxy), the Gateway impersonates the external host's certificate, signing the impersonated certificate with the certificate defined here.

The certificate body is imported into the Valtix Controller. The private key can be provided in the following ways:

  • Import the Private Key contents
  • Store in AWS Secrets Manager and provide the secret name
  • Store in AWS KMS and provide the cipher text contents
  • Store in GCP Secrets Manager and provide the secret name
  • Store in Azure KeyVault and Secret and provide the keyvault and secret name

For testing purposes you can also generate a self-signed certificate on the Valtix Controller. This is similar to importing the private key contents from your local file system.

Tech Notes

Certificates are NOT editable once created. If you need to replace the existing certificate, you will need to create a new certificate, edit the Decryption Profile to reference the new certificate, and then delete the old certificate.

When importing the Certificate and Private Key directly, the Valtix Controller / UI can detect a mismatch between them. With any other import method, where the Private Key is stored within the CSP, the Valtix Controller / UI cannot detect a mismatch. This is by design, to ensure the Private Key remains private and within your CSP. When the Private Key is needed by the Valtix Gateway, it is accessed and used, and if there is a mismatch, an error is generated at that point.
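Because the Controller cannot check a CSP-stored key against the certificate body, the check is worth doing locally before the key is placed in Secrets Manager, KMS or Key Vault. The script below is an added example, not Valtix documentation or Valtix code: it builds constructed test material with openssl (a self-signed certificate and key, much like the Controller's own self-signed option, plus an unrelated key) and compares the public key embedded in the certificate with the public key derived from the private key. The file names and the `app.example.test` subject are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the Valtix documentation): confirm that a
# certificate and a private key belong together before importing them.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed test material (assumed names): a self-signed certificate with its
# matching key, and a second, unrelated key to show a mismatch being caught.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/app.key" \
  -out "$WORKDIR/app.crt" -days 1 -subj "/CN=app.example.test" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORKDIR/other.key" 2>/dev/null

# SHA-256 fingerprint of the public key carried in a certificate.
# openssl x509 reads only the first PEM block, so in a bundle that also holds
# the chain the leaf certificate must come first (as the Certificate Body expects).
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Print "match" when the certificate and key share a public key, else "mismatch".
cert_key_match() {
  if [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; then
    echo match
  else
    echo mismatch
  fi
}

cert_key_match "$WORKDIR/app.crt" "$WORKDIR/app.key"
cert_key_match "$WORKDIR/app.crt" "$WORKDIR/other.key"
```

Run it against your real certificate body and key files before storing the key in the CSP; a `mismatch` here is the same error the Gateway would otherwise raise only at the moment it needs the key. Fingerprints are compared rather than raw PEM text so that keys in different encodings (PKCS#1 versus PKCS#8) still compare correctly.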

Import Certificate

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import your Certificate and Private Key
  4. Copy the contents of the Certificate file into Certificate Body. This can include the certificate and the chain
  5. Copy the contents of the Private Key into Certificate Private Key
  6. Optionally, if your certificate and the chain are in different files, you can import the chain into Certificate Chain
  7. Click Save

AWS - KMS

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import AWS - KMS
  4. Select the Cloud Account and the region
  5. Copy the contents of the Certificate file into Certificate Body. This can include the certificate and the chain
  6. Copy the AWS KMS encrypted cipher text into Private Key Cipher Text. Look at this document for details on how to generate AWS KMS encrypted cipher text
  7. Click Save

AWS - Secrets Manager

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import AWS - Secret
  4. Select the Cloud Account and the region
  5. Copy the contents of the Certificate file into Certificate Body. This can include the certificate and the chain
  6. Provide the Secret Name where the private key is stored. The private key contents must be stored as Other type of secrets -> Plaintext in AWS Secrets Manager
  7. Click Save

Azure Key Vault

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import Azure - Key Vault Secret
  4. Select the Cloud Account and the region
  5. Copy the contents of the Certificate file into Certificate Body. This can include the certificate and the chain
  6. Provide the Key Vault Name and the Secret Name where the private key is stored
  7. Click Save

Look at this document for details on how to grant Valtix permissions to Azure Key Vault using a User Assigned Managed Identity

GCP - Secret Manager

  1. Navigate to Manage -> Security Policies -> Certificates
  2. Click Create
  3. In the Method choose Import GCP - Secret
  4. Select the Cloud Account
  5. Provide the Secret Name (full path) and the Secret Version
  6. Copy the contents of the Certificate file into Certificate Body. This can include the certificate and the chain
  7. Click Save