Bring Your Own Certificate (BYOC)

While CloudGuard WAF SaaS offers managed public SSL/TLS certificates signed by Let’s Encrypt, you may choose to use your own certificate and private key instead, which suits compliance requirements or an existing certificate infrastructure.

To configure HTTPS traffic with your own certificates, follow the steps below:

Step 1: Upload Certificate and Private Key

  1. In the Infinity Portal, navigate to Policy → Profiles.

  2. Select the CloudGuard WAF SaaS profile linked to your asset.

  3. For each domain listed, click on it and:

    • Upload the public certificate (PEM format)

    • Upload the private key

    • Ensure the certificate includes the full chain

This process must be repeated for each domain, e.g., www.myapp.com and api.myapp.com.

Step 2: Connect your domain to WAF SaaS

Once the environment is ready, a CNAME value will be generated for your domain (this may take up to 30 minutes).

  1. In your DNS provider’s configuration, replace the existing CNAME record with the new value provided by CloudGuard.

Once DNS records have propagated, your domain’s traffic will flow through WAF SaaS and be securely routed to your internal web server.

Step 3: Allow WAF SaaS to Access Your Origin Server

To ensure smooth traffic flow between WAF SaaS and your internal web server:

  1. Allow incoming traffic from the IP addresses provided in the WAF SaaS deployment form.

  2. Do not remove existing access rules until:

    • 72 hours have passed (to allow full DNS propagation), and

    • You have confirmed successful traffic flow through WAF SaaS.

If the origin was previously publicly accessible, restrict access to only WAF SaaS IPs after DNS switchover. If you were using another reverse proxy, consider removing its IPs from the access list after confirming the switch.

Step 4: Test access to your site

After completing the above steps:

  • Confirm that the website is reachable over HTTPS.

  • Verify that traffic is flowing through WAF SaaS (you can check headers or logs in the Infinity Portal).

  • Double-check that your origin server is no longer publicly accessible (unless intentionally exposed).
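The checks an administrator would run locally before the upload in Step 1 and after the switchover in Step 4, as an added example that is not part of this page or of CloudGuard: it needs only openssl and dig; the script name byoc_precheck.sh, the file names and the host www.myapp.com are assumptions, and "full chain" is taken to mean the leaf certificate followed by each issuing intermediate in order.

```shell
#!/bin/sh
# byoc_precheck.sh (assumed name): offline checks on a BYOC bundle before it is
# uploaded to the WAF SaaS profile, plus one post-switchover check (Step 4).
# Usage: byoc_precheck.sh fullchain.pem privkey.pem www.myapp.com

# 0 if the private key corresponds to the certificate (identical public key).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the PEM holds a full chain: the leaf first, and every certificate after
# it is the issuer of the one before it (the portal's "full chain" requirement).
chain_is_complete() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  [ "$n" -ge 2 ] || return 1            # leaf only: intermediates are missing
  d=$(mktemp -d)
  # split the bundle into 1.pem, 2.pem, ... preserving file order
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  i=1; ok=0
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$d/$((i+1)).pem" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || { ok=1; break; }
    i=$((i+1))
  done
  rm -rf "$d"
  return "$ok"
}

# 0 if the leaf certificate covers the domain configured in the profile
# (SAN entries, falling back to the CN when no DNS SAN is present).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match'
}

# Step 4: the certificate served on port 443 after the CNAME switch should be
# the uploaded one, so the two SHA-256 fingerprints must be equal.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}
local_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

if [ "$#" -eq 3 ]; then
  key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
  chain_is_complete "$1"     && echo "chain complete and ordered" || echo "CHAIN INCOMPLETE"
  cert_covers_host "$1" "$3" && echo "certificate covers $3" || echo "HOST NOT COVERED"
  echo "CNAME: $(dig +short CNAME "$3")"
  [ "$(served_fingerprint "$3")" = "$(local_fingerprint "$1")" ] \
    && echo "served certificate is the uploaded one" || echo "served certificate differs"
fi
```

A mismatch in the last line after the DNS change has propagated usually means the old proxy or the origin is still answering for the name.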
