# Certificates Managed by Check Point

When using **CloudGuard‑managed certificates**, setup is mostly automatic. However, for **each domain** protected by **WAF SaaS in a specific region**, you must complete the following steps to ensure traffic is fully secured.

{% hint style="success" %}
**When to perform these steps**

* When creating a new asset
* When adding new domains to an existing asset
* When attaching a WAF SaaS profile to an asset that wasn’t previously protected
* When editing a domain (remove the old one *after* adding and configuring the new one)
{% endhint %}

#### Step 1: Prove Domain Ownership

This step authorizes CloudGuard to issue certificates for your domain using Let’s Encrypt.

1. In the Infinity Portal, go to **Policy → Profiles**.
2. Select the **CloudGuard WAF SaaS profile** created during the Asset setup.
3. Find the domain marked as “Pending Action” and click it.
4. Copy the **DNS CNAME record** shown under the domain ownership verification step.
5. In your DNS provider’s console, **add the CNAME record** with the name and value provided.

{% hint style="warning" %}
You must complete this step **for each domain** individually (e.g. `www.myapp.com` and `api.myapp.com`).
{% endhint %}

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FCqsiN0Dnx9pfBx7ViF0M%2Fappsec-as-a-service-profiles-pending-validation.PNG?alt=media&#x26;token=b4e9cc3b-324c-4a36-9afd-ed86b745218b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2F6vAdZ85bB6DDv4au6Jzw%2Fappsec-as-a-service-profiles-validation-instructions.PNG?alt=media&#x26;token=d980a407-1205-4123-b283-5229b543c70a" alt=""><figcaption></figcaption></figure>

#### Step 2: Connect Your Domain to WAF SaaS

{% hint style="warning" %}
Before performing this step, disable any existing AWS CloudFront configuration that serves your website's address.
{% endhint %}

Once ownership is verified, a new **CNAME value** will be generated (this may take up to 30 minutes).

1. In your DNS configuration, replace the existing CNAME record for your domain with the **new CNAME value** issued by CloudGuard.

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FjtFIyjHwZh16TlbPB8OL%2Fappsec-as-a-service-profiles-validation-completed.PNG?alt=media&#x26;token=e3312c60-320f-4ebf-8154-29a0b73c02a8" alt=""><figcaption></figcaption></figure>
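
Steps 1 and 2 each publish a different CNAME for every domain, so a quick way to confirm where each domain stands is to read the CNAME chain back from DNS and compare it with the two values shown in the Infinity Portal. The following script is an added example, not Check Point's code: the `cg-placeholder.example` targets and the `dig`-style answer text are constructed stand-ins for the real values, and the CloudFront hostname is a sample; in practice you would paste the output of `dig CNAME <domain>` into `DIG_OUTPUT`.

```python
"""Check, domain by domain, which CNAME from the WAF SaaS onboarding is live.

Added example, not Check Point's code. Assumptions: the CNAME targets below are
constructed placeholders standing in for the values shown in the Infinity
Portal (the ownership-verification CNAME from Step 1 and the traffic CNAME
from Step 2); the DNS answers are constructed `dig`-style text so the script
runs offline. Replace DIG_OUTPUT with real `dig CNAME <name>` output.
"""
import re

# Constructed answer-section lines in the layout `dig` prints them.
DIG_OUTPUT = """\
www.myapp.com.      300  IN  CNAME  _verify-www.cg-placeholder.example.
api.myapp.com.      300  IN  CNAME  edge-api.cg-placeholder.example.
shop.myapp.com.     300  IN  CNAME  d111111abcdef8.cloudfront.net.
d111111abcdef8.cloudfront.net. 60 IN A 192.0.2.10
"""

# Placeholder per-domain values; every domain has its own pair because each
# domain is verified and switched over individually.
EXPECTED = {
    "www.myapp.com":  {"verify": "_verify-www.cg-placeholder.example",
                       "traffic": "edge-www.cg-placeholder.example"},
    "api.myapp.com":  {"verify": "_verify-api.cg-placeholder.example",
                       "traffic": "edge-api.cg-placeholder.example"},
    "shop.myapp.com": {"verify": "_verify-shop.cg-placeholder.example",
                       "traffic": "edge-shop.cg-placeholder.example"},
    "old.myapp.com":  {"verify": "_verify-old.cg-placeholder.example",
                       "traffic": "edge-old.cg-placeholder.example"},
}

CNAME_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+CNAME\s+(?P<target>\S+)\s*$")


def norm(name):
    """Lower-case and strip the trailing dot so dig output compares cleanly."""
    return name.lower().rstrip(".")


def parse_cnames(text):
    """Build a name -> CNAME target table from dig answer lines (A/AAAA ignored)."""
    table = {}
    for line in text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            table[norm(m.group("name"))] = norm(m.group("target"))
    return table


def follow_cname(name, table, max_hops=8):
    """Return the CNAME chain from name (targets only), stopping on loops."""
    chain, seen, cur = [], {norm(name)}, norm(name)
    while len(chain) < max_hops:
        nxt = table.get(cur)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def classify(domain, table, expected=EXPECTED):
    """Map a domain to its onboarding state as seen in DNS."""
    chain = follow_cname(domain, table)
    exp = expected[domain]
    if not chain:
        return "no-cname"                 # Step 1 record not published yet
    if exp["traffic"] in chain:
        return "traffic"                  # Step 2 done: requests reach WAF SaaS
    if exp["verify"] in chain:
        return "verification-only"        # Step 1 done, Step 2 still pending
    if any(hop.endswith(".cloudfront.net") for hop in chain):
        return "cloudfront-still-active"  # the warning before Step 2 applies
    return "unexpected-target"


def report(text=DIG_OUTPUT, expected=EXPECTED):
    """Classify every expected domain from one block of dig output."""
    table = parse_cnames(text)
    return {d: classify(d, table, expected) for d in expected}


if __name__ == "__main__":
    for domain, state in report().items():
        print(f"{domain:20s} {state}")
```

The chain is followed rather than read as a single hop so that a domain still aliased to a previous reverse proxy or CDN is reported as such instead of as a generic mismatch; the loop guard keeps a misconfigured zone from spinning the check forever.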

#### Step 3: Allow WAF SaaS to Access Your Origin Server

To ensure smooth traffic flow between WAF SaaS and your internal web server:

1. **Allow incoming traffic** from the IP addresses provided in the **WAF SaaS deployment form**.
2. **Do not remove** existing access rules until:
   * 72 hours have passed (to allow full DNS propagation), and
   * You have confirmed successful traffic flow through WAF SaaS.

{% hint style="info" %}
If the origin was previously publicly accessible, restrict access to only WAF SaaS IPs after DNS switchover.\
If you were using another reverse proxy, consider removing its IPs from the access list after confirming the switch.
{% endhint %}

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FDdWkbnTqXs0DtqqdEZEg%2Fappsec-as-a-service-profiles-deployment-instructions.PNG?alt=media&#x26;token=4736c2ed-2ca7-4a7c-9a0b-8dc4669d287e" alt=""><figcaption></figcaption></figure>

#### Step 4: Test Access to Your Site

After completing the above steps:

* Confirm that the website is reachable over HTTPS.
* Verify that traffic is flowing through WAF SaaS (you can check headers or logs in the Infinity Portal).
* Double-check that your origin server is **no longer publicly accessible** (unless intentionally exposed).

{% hint style="info" %}
While DNS changes typically take just a few hours, allow up to **72 hours** for full global propagation before making final changes.
{% endhint %}

{% hint style="danger" %}
Make sure you have not left a publicly exposed domain in your previous environment!
{% endhint %}
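
Both the confirmation in Step 3 (traffic really flows through WAF SaaS before old rules are removed) and the check in Step 4 (the origin is no longer reachable directly) come down to the same question: which source addresses are hitting the origin. The script below is an added example, not Check Point's code. It assumes placeholder CIDRs in `WAF_SAAS_RANGES` standing in for the addresses from the WAF SaaS deployment form, an `INTERNAL_RANGES` list for your own monitoring and health checks, and a constructed access log in the common Apache/nginx format.

```python
"""Classify origin access-log lines by client source to confirm that requests
arrive through WAF SaaS and to spot requests that still hit the origin directly.

Added example, not Check Point's code. Assumptions: WAF_SAAS_RANGES are
placeholder CIDRs standing in for the addresses in the WAF SaaS deployment
form; INTERNAL_RANGES cover your own monitoring/health checks (RFC 1918 and
loopback here); SAMPLE_LOG is constructed in the common Apache/nginx format.
"""
import ipaddress
import re
from collections import Counter

WAF_SAAS_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: two WAF egress addresses, one internal health check and
# one external client that still reaches the origin directly.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
192.0.2.77 - - [01/Jan/2025:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0
10.0.0.4 - - [01/Jan/2025:10:00:03 +0000] "GET /healthz HTTP/1.1" 200 2
198.51.100.5 - - [01/Jan/2025:10:00:04 +0000] "POST /api/v1/orders HTTP/1.1" 201 64
192.0.2.77 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 0
this line is not in combined log format
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def in_ranges(ip_text, ranges):
    """True if ip_text parses as an address inside any of the networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def classify_source(ip_text, waf=WAF_SAAS_RANGES, internal=INTERNAL_RANGES):
    """Anything that is neither a WAF egress nor an internal address counts as
    direct, including unparsable client fields, so the check errs on the side
    of reporting exposure."""
    if in_ranges(ip_text, waf):
        return "via_waf"
    if in_ranges(ip_text, internal):
        return "internal"
    return "direct"


def summarize(log_text=SAMPLE_LOG, waf=WAF_SAAS_RANGES, internal=INTERNAL_RANGES):
    """Count requests per source class and list the direct external sources."""
    counts = Counter()
    direct_sources = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        kind = classify_source(m.group("ip"), waf, internal)
        counts[kind] += 1
        if kind == "direct":
            direct_sources[m.group("ip")] += 1
    return {"counts": dict(counts), "direct_sources": dict(direct_sources)}


def verdict(summary):
    """Turn the counts into the decision the onboarding steps ask for."""
    c = summary["counts"]
    if c.get("via_waf", 0) == 0:
        return "no WAF SaaS traffic observed: the DNS switch (Step 2) is not effective yet"
    if c.get("direct", 0):
        return "origin still reachable directly: tighten origin access rules (Step 3)"
    return "all external requests arrived via WAF SaaS"


if __name__ == "__main__":
    s = summarize()
    print(s["counts"])
    print("direct sources:", s["direct_sources"])
    print(verdict(s))
```

Run it against the origin's access log at intervals during the 72-hour propagation window: the direct count should fall to zero once DNS caches expire, and any external source still appearing after that is the signal that the origin's access rules are wider than the WAF SaaS ranges.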
