Exporting TLS Certificates and Keys for RedShield Cloud


In order to provide security for TLS encrypted traffic, RedShield Cloud requires a copy of the TLS certificate and key be exported and securely uploaded to RedShield. During normal operations, application traffic is decrypted for inspection, and then re-encrypted again for transmission to the server. 

Please note:

  • Exporting your Certificates + Private Keys is usually best done from the Web Server

(Not your CA, eg Verisign; unless you can provide the private keys as well)

  • The export MUST include private keys as well as the certificate itself


Certificates may be exported and uploaded in the RedShield Customer Portal [Link to above article].. 

Certificates + keys may be exported as a bundle in PKCS#12 or PEM formats, which may be encrypted natively during export, or later as below. Alternatively both .crt and .key files should be sent. 

Methods for exporting certificates vary between different versions of Microsoft IIS, Apache, and other web servers. Please refer to documentation for each system to find specific instructions to export certificate and key bundles.  

An example PEM formatted bundle with certificate, intermediary certificates, and private keys all included, would look similar to the following:




If you have any questions on this process please open a support case with RedShield. 


Sending Certificates + Keys to RedShield

Certificates and keys can be securely uploaded in the RedShield Customer Portal.

If you have other sensitive files to share with RedShield, or are unable to use the above process, please see Securely Exchanging Files and Data with RedShield.



If you have any questions on this process please open a support case with RedShield. 


Sending Certificates + Keys to RedShield

Files to be uploaded should be encrypted first (when using RedShield Vault to upload, this step is optional). Any certificate bundles which are not encrypted natively during export, may be encrypted into a separate container as outlined in the following articles:


Encrypted certificate bundle files may then be sent to RedShield by:

  • Uploading to
  • Emailing directly to your consultant or to (must be encrypted first).
  • Any encryption keys required to open the files should be sent via an alternative communications method (Mobile SMS is recommended. Email or support case comments are NOT recommended as methods for sending encryption keys). 












Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request