To protect TLS-encrypted traffic, RedShield Cloud requires a copy of the TLS certificate and its private key to be exported and securely uploaded to RedShield. During normal operation, application traffic is decrypted for inspection and then re-encrypted for transmission to the server.
Exporting your certificates and private keys is usually best done from the web server itself
(not from your CA, e.g. Verisign, unless the CA can also provide the private keys).
The export MUST include the private key as well as the certificate itself.
Certificates may be exported and provided to RedShield consultants in an encrypted archive (optional if uploading via Vault), with the password for the encrypted archive sent via a different channel (not email; suitable choices include in person or an SMS text message).
Certificates and keys may be exported as a bundle in PKCS#12 or PEM format, which can be encrypted natively during export or encrypted afterwards as described below. Alternatively, separate .crt and .key files may be sent.
Methods for exporting certificates vary between versions of Microsoft IIS, Apache, and other web servers. Please refer to the documentation for each system for specific instructions on exporting certificate + key bundles.
An example PEM-formatted bundle with the certificate, intermediate certificates, and private key all included would look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
If you have any questions on this process please open a support case with RedShield.
Sending Certificates + Keys to RedShield
Files to be uploaded should be encrypted first (when using RedShield Vault to upload, this step is optional). Any certificate bundle that was not encrypted natively during export may be encrypted into a separate container as outlined in the following articles:
Encrypted certificate bundle files may then be sent to RedShield by:
- Uploading to vault.redshield.co
- Emailing directly to your consultant or to firstname.lastname@example.org (must be encrypted first).
- Any encryption keys or passwords required to open the files should be sent via an alternative communications method (mobile SMS is recommended; email and support case comments are NOT recommended for sending encryption keys).
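The steps above (export the certificate with its private key, check that the two belong together, and encrypt the bundle natively so only the password travels separately) can be carried out with the openssl command line. The following is an added example, not RedShield's own tooling or documentation; it assumes the openssl CLI is installed, that the certificate, private key and optional intermediate chain are already available as PEM files, and that the password is a constructed value that would in practice be sent to the consultant over SMS rather than alongside the file.

```shell
#!/bin/sh
# Added example (not RedShield's code): build a password-protected PKCS#12 bundle
# from PEM files and verify it before upload. Assumes the openssl CLI is present.
set -eu

# key_matches_cert CERT KEY
# Returns 0 when the public key embedded in CERT is the one derived from KEY.
# Compares SHA-256 digests of the DER-encoded public keys, so it works for RSA and EC.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# make_bundle CERT KEY OUT PASSWORD [CHAIN]
# Packs the certificate, private key and optional intermediate chain into OUT,
# encrypted natively by PKCS#12 with PASSWORD (the "encrypted during export" case).
make_bundle() {
  cert=$1; key=$2; out=$3; pass=$4; chain=${5:-}
  key_matches_cert "$cert" "$key" || { echo "private key does not match certificate" >&2; return 1; }
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass"
  fi
}

# bundle_has_key P12 PASSWORD
# Returns 0 when the bundle opens with PASSWORD and actually contains a private key,
# i.e. the export did not silently produce a certificate-only file.
bundle_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Typical use (paths and password are placeholders):
#   make_bundle server.crt server.key server.p12 "$PASSWORD" chain.pem
#   bundle_has_key server.p12 "$PASSWORD" && echo "bundle ready for upload"
```

The key/certificate match check is the one most worth keeping: a bundle whose key does not correspond to the certificate, or which contains no key at all, will be rejected when RedShield tries to terminate TLS with it, and catching that before the secure hand-over avoids a second round of exporting and re-sending.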