Bring Your Own Certificate
While CloudGuard WAF as a Service offers the ability to get a public SSL/TLS certificate for your domain, signed by AWS and managed by Check Point, you can choose to upload your own certificate and private key.
Your private key will be securely end-to-end encrypted, ensuring its protection during the upload process.
Follow these steps to store your certificate and private key on CloudGuard WAF as a Service so that it can process HTTPS traffic:
Browse to Policy -> Profiles and select the WAF SaaS profile that was automatically created during the Asset creation wizard. You will see the domains that are pending action.
Upon clicking on a domain, you will be able to upload your public certificate and private key. You will need to perform this action for each of your domains. For example, if you are protecting both www.myapp.com and api.myapp.com, you will need to upload the certificate and private key of each domain separately.
Note that only PEM files are supported for certificates.
Before performing this stage, disable any existing AWS CloudFront configuration for your website's address if you have any.
Once the environment is created, a CNAME record value will be issued. This may take up to 30 minutes.
Once issued, change the existing DNS CNAME record for the domain you wish to protect so that its value is the copied string. Once DNS records worldwide are updated, traffic will pass through WAF SaaS and then be routed to your internal web server.
Step 3: Make sure your internal web server is accessible from WAF SaaS PoP IP addresses
During this step you will add IP addresses to the access list allowed by your internal web server, and you may also be required to remove IP addresses that are no longer needed.
Since DNS propagation of the new configuration can take up to 72 hours, we recommend that you only add IP addresses as needed and do not remove any existing access from the web server until 72 hours have passed and you have tested connectivity to the website through WAF SaaS.
In each asset protected by WAF SaaS you configured the upstream URL for the Reverse Proxy function of WAF SaaS. Traffic will reach WAF SaaS through the website's domain and, after inspection, will be sent to the internal address.
You must configure that address to allow access from the IP addresses provided by the deployment form in the CloudGuard WAF UI, and only from those addresses.
That is, if the domain was publicly exposed until now, you must reduce accessibility and allow traffic only from those IP addresses. If the domain was only accessible from a previously configured Reverse Proxy, you must add the IP addresses of WAF SaaS to the access list and consider removing the now-irrelevant IP addresses of the previous Reverse Proxy.
After completing all previous steps, make sure access to your site exists.
Please note that changing DNS records can take up to 72 hours to propagate worldwide, although it typically takes a few hours.
Make sure you have not left a publicly exposed domain in your previous environment!
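As an added example that is not part of this documentation, the Python script below audits an origin server's access log to confirm that requests arrive only from the WAF SaaS PoP addresses (a direct hit means the site is still publicly exposed) and to show when the previous reverse proxy has gone idle and can be dropped from the access list. The CIDRs and log lines are constructed placeholders; the real PoP addresses come from the deployment form in the CloudGuard WAF UI.

```python
import ipaddress
from collections import Counter

# Placeholders: the real WAF SaaS PoP addresses come from the deployment form in
# the CloudGuard WAF UI; the legacy range is whatever reverse proxy you used before.
WAF_POP_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]  # placeholder (RFC 5737)
LEGACY_PROXY_RANGES = ["192.0.2.10/32"]                 # placeholder

# Constructed sample origin-server access log (Common Log Format), not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/items HTTP/1.1" 200 88
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.200 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" 200 1024
"""

def classify(src, waf_nets, legacy_nets):
    """Label a source address: 'waf', 'legacy_proxy', 'direct' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"
    if any(ip in net for net in waf_nets):
        return "waf"
    if any(ip in net for net in legacy_nets):
        return "legacy_proxy"
    return "direct"  # reached the origin without passing through WAF SaaS

def audit(log_text, waf_cidrs=WAF_POP_RANGES, legacy_cidrs=LEGACY_PROXY_RANGES):
    """Return (per-label request counts, log lines that bypassed the WAF)."""
    waf_nets = [ipaddress.ip_network(c, strict=False) for c in waf_cidrs]
    legacy_nets = [ipaddress.ip_network(c, strict=False) for c in legacy_cidrs]
    counts, direct_hits = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # In Common Log Format the client address is the first field.
        label = classify(line.split(" ", 1)[0], waf_nets, legacy_nets)
        counts[label] += 1
        if label == "direct":
            direct_hits.append(line)
    return counts, direct_hits

def nginx_allowlist(cidrs):
    """Render the origin's allow-list as nginx 'allow'/'deny' directives."""
    return "\n".join(f"allow {c};" for c in cidrs) + "\ndeny all;"
```

Run `audit()` over the origin's log once the CNAME has propagated: any "direct" hit means the access list still admits the public internet, and a "legacy_proxy" count of zero over the 72-hour window is the signal that the old proxy's addresses can be removed.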