In order to provide security for TLS encrypted traffic, RedShield Cloud requires a copy of the TLS certificate and key be exported and securely uploaded to RedShield. During normal operations, application traffic is decrypted for inspection, and then re-encrypted again for transmission to the server.
Please note:
-
Exporting your Certificates + Private Keys is usually best done from the Web Server
(Not your CA, eg Verisign; unless you can provide the private keys as well)
-
The export MUST include private keys as well as the certificate itself
Certificates may be exported and uploaded in the RedShield Customer Portal [Link to above article]..
Certificates + keys may be exported as a bundle in PKCS#12 or PEM formats, which may be encrypted natively during export, or later as below. Alternatively both .crt and .key files should be sent.
Methods for exporting certificates vary between different versions of Microsoft IIS, Apache, and other web servers. Please refer to documentation for each system to find specific instructions to export certificate and key bundles.
An example PEM formatted bundle with certificate, intermediary certificates, and private keys all included, would look similar to the following:
-----BEGIN CERTIFICATE-----
LJPOIKJHGTCRWSHD...........
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
OIGJSDORGISDFGLS..........
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
DGFHDGHSDGSDFGSDFGF......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ADFGTHBSDGGSFDSFDSD......
-----END CERTIFICATE-----
If you have any questions on this process please open a support case with RedShield.
Sending Certificates + Keys to RedShield
Certificates and keys can be securely uploaded in the RedShield Customer Portal.
If you have other sensitive files to share with RedShield, or are unable to use the above process, please see Securely Exchanging Files and Data with RedShield.
If you have any questions on this process please open a support case with RedShield.
Sending Certificates + Keys to RedShield
Files to be uploaded should be encrypted first (when using RedShield Vault to upload, this step is optional). Any certificate bundles which are not encrypted natively during export, may be encrypted into a separate container as outlined in the following articles:
Encrypted certificate bundle files may then be sent to RedShield by:
- Uploading to vault.redshield.co
- Emailing directly to your consultant or to support@redshield.co (must be encrypted first).
- Any encryption keys required to open the files should be sent via an alternative communications method (Mobile SMS is recommended. Email or support case comments are NOT recommended as methods for sending encryption keys).
Comments