# Store certificates on Gateway

### Note About Certificate Renewal

{% hint style="warning" %}
When a certificate is renewed, you must update the certificate according to the instructions below, then enforce policy again (even if configuration has not changed) by clicking on "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or by using [management API](https://waf-doc.inext.checkpoint.com/references/management-api).
{% endhint %}

### Certificate Usage

To terminate encrypted traffic (HTTPS), the managed reverse proxy must have access to the certificates and matching private keys for the domains and URLs it exposes.

**Example - you have two applications and one API endpoint to protect:**

* [www.acme.com](http://www.acme.com)
* [www.acme.com/sales](http://www.acme.com/sales)
* products.acme.com/catalog

<table><thead><tr><th width="161.33333333333331">Examples</th><th width="241">Certificates used</th><th>Required action</th></tr></thead><tbody><tr><td>Case 1</td><td>You have one wildcard certificate for *.acme.com</td><td>Place the certificate in the desired certificate storage by following the instructions below. CloudGuard WAF will use it for all three Applications/APIs.</td></tr><tr><td>Case 2</td><td>You have two certificates: (1) for www.acme.com and (2) for products.acme.com</td><td>Place both certificates in the desired certificate storage by following the instructions below. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last one.</td></tr></tbody></table>

### Storing certificates locally on CloudGuard WAF's Gateway

Follow these steps to store your certificates and private keys **locally on the gateway**, where CloudGuard WAF can use them to process HTTPS traffic:

{% hint style="info" %}
* **Advantage**: you have full control of your secrets
* **Disadvantage**: does not support automatic scaling (every gateway instance must receive the files manually)
{% endhint %}

#### **Step 1: Download command-line tool**

The tool verifies the certificate and key files and generates an output .pkg file with a unique name.

[Linux Download](https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify)\
or run: *`wget https://sc1.checkpoint.com/nano-agent/certverify/linux/certverify && chmod +x certverify`*

[Mac Download](https://sc1.checkpoint.com/nano-agent/certverify/darwin/certverify)

[Windows Download](https://sc1.checkpoint.com/nano-agent/certverify/windows/certverify.exe)

{% hint style="info" %}
You can run this tool on any machine that holds the files, before you store them on your CloudGuard WAF Gateway(s).
{% endhint %}

#### **Step 2: Run the command-line tool**

Linux and Mac:

* PEM certificates: *`./certverify --cert {certificate.pem} --key {private-key.key}`*
* PFX certificates: *`./certverify --cert {certificate.pfx} --pass {password}`*

Windows:

* PEM certificates: *`certverify --cert {certificate.pem} --key {private-key.key}`*
* PFX certificates: *`certverify --cert {certificate.pfx} --pass {password}`*

{% hint style="success" %}
Repeat this step for each certificate/private key you wish to use
{% endhint %}

{% hint style="info" %}
Only certificates that contain Subject Alternative Name (SAN) are supported
{% endhint %}

The tool verifies the certificate and key files and generates an output .pkg file with a unique name that bundles both. If verification fails, fix the input files before continuing; an unverified pair will not be usable on the gateway.

#### **Step 3: Store certificate and private key on your CloudGuard WAF Gateway using SCP**

{% hint style="warning" %}
You must store the files in the directory /etc/certs on CloudGuard WAF's Gateway, or they will not be identified.

If the commands below end with an error, make sure the directory /etc/certs exists on the gateway (on Linux, create it with the `mkdir` command).
{% endhint %}

The input pkg file for this step is the uniquely named pkg output file of the previous step.

* Linux or Mac: *`scp {unique-name.pkg} admin@{gateway-ip}:/etc/certs`*
* Windows: *`"C:\Program Files (x86)\WinSCP\WinSCP.com" /command "open scp://admin:{password}@{gateway-ip}" "put {unique-name.pkg} /etc/certs/" "exit"`* (the password is recorded in the command history when passed this way; a saved WinSCP session or key-based authentication avoids that)

{% hint style="success" %}
Repeat this step for each certificate/private key you wish to use **and** for each CloudGuard WAF Gateway.
{% endhint %}
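The script below is an added example, not part of Check Point's tooling or this page's original content. It runs the checks a practitioner wants before Steps 2 and 3 (that the private key really belongs to the certificate, that the certificate carries a Subject Alternative Name, which is the only kind CloudGuard WAF supports, and that it has not expired), then wraps the certverify and scp steps for a list of gateways. It uses only `openssl`; the gateway user name `admin`, `./certverify` sitting in the current directory, and certverify writing its .pkg into the current directory are assumptions. The certificate generator at the end only produces constructed test input so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: pre-flight checks plus the certverify/scp flow for several gateways.
# Assumes ./certverify is in the current directory and writes its .pkg there,
# and that the gateway SSH user is "admin" (as in the page's scp command).

# check_cert_pair CERT KEY
# Returns 0 when KEY belongs to CERT, CERT has a Subject Alternative Name and
# CERT is not expired. The reason for a failure goes to stderr.
check_cert_pair() {
    cert="$1"
    key="$2"
    # Compare the public key extracted from each file; this proves the pair
    # matches and works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate: $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot parse private key: $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate: $cert" >&2
        return 1
    fi
    # CloudGuard WAF only supports certificates that carry a SAN extension.
    if ! openssl x509 -in "$cert" -noout -text | grep -q "Subject Alternative Name"; then
        echo "no Subject Alternative Name in: $cert" >&2
        return 1
    fi
    # -checkend 0 fails when the certificate is already past its notAfter date.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate is expired: $cert" >&2
        return 1
    fi
    return 0
}

# stage_and_upload CERT KEY GATEWAY_IP...
# Steps 2 and 3 for one certificate/key pair: verify, package with certverify,
# then copy the resulting package to /etc/certs on every gateway given.
stage_and_upload() {
    cert="$1"
    key="$2"
    shift 2
    check_cert_pair "$cert" "$key" || return 1
    marker=$(mktemp) || return 1
    # Assumption: certverify writes its uniquely named .pkg into the current directory.
    ./certverify --cert "$cert" --key "$key" || { rm -f "$marker"; return 1; }
    # Only packages newer than the marker were produced by this run.
    for pkg in $(find . -maxdepth 1 -name '*.pkg' -newer "$marker"); do
        for gw in "$@"; do
            # The gateway only picks up files in /etc/certs, so make sure it exists.
            ssh "admin@$gw" 'mkdir -p /etc/certs' || { rm -f "$marker"; return 1; }
            scp "$pkg" "admin@$gw:/etc/certs/" || { rm -f "$marker"; return 1; }
        done
    done
    rm -f "$marker"
}

# make_fixture_cert DIR NAME CN WITH_SAN
# Constructed test input (not a real certificate): a one-day self-signed
# certificate and key, with a SAN when WITH_SAN is 1 and without it otherwise.
make_fixture_cert() {
    dir="$1"
    name="$2"
    cn="$3"
    with_san="$4"
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "prompt = no"
        echo "x509_extensions = ext"
        echo "[dn]"
        echo "CN = $cn"
        echo "[ext]"
        echo "basicConstraints = CA:FALSE"
        if [ "$with_san" = 1 ]; then
            echo "subjectAltName = DNS:$cn"
        fi
    } > "$dir/$name.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}
```

Run `stage_and_upload www.acme.com.pem www.acme.com.key 10.0.0.5 10.0.0.6` once per certificate (the IPs are placeholders); the checks run first, so a mismatched key or a SAN-less certificate is rejected before anything reaches a gateway. Policy still has to be enforced afterwards, exactly as for a manually copied package.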

#### **Step 4: Enforce Policy**

Click "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or enforce policy through the [management API](https://waf-doc.inext.checkpoint.com/references/management-api). CloudGuard WAF will then present the relevant certificates to HTTPS clients that access your applications.

#### **Step 5: Change relevant DNS entries**

You can now change your DNS entries as relevant to point to your CloudGuard WAF Gateway IP, or to a Load Balancer in front of several CloudGuard WAF Gateways.
