# Store Certificates in AWS

Follow these steps to store your certificates and private keys in AWS so that CloudGuard WAF can use them to process HTTPS traffic.

### Note About Certificate Renewal

{% hint style="warning" %}
When a certificate is renewed, you must update the certificate manager according to the instructions below, then enforce policy again (even if configuration has not changed) by clicking on "**Enforce**" on the top bar of the web administration application for CloudGuard WAF in the portal, or by using [management API](https://waf-doc.inext.checkpoint.com/references/management-api).
{% endhint %}

### Certificates Usage

In order to handle encrypted traffic (HTTPS), a managed reverse proxy must have access to the certificates for the domains and URLs it exposes.

**Example - you have two applications and one API endpoint to protect:**

* [www.acme.com](http://www.acme.com)
* [www.acme.com/sales](http://www.acme.com/sales)
* products.acme.com/catalog

<table><thead><tr><th width="161.33333333333331">Examples</th><th width="241">Certificates used</th><th>Required action</th></tr></thead><tbody><tr><td>Case 1</td><td>You have one wildcard certificate for *.acme.com</td><td>Place the certificate in the desired certificate storage by following the instructions below. CloudGuard WAF will use it for all relevant applications.</td></tr><tr><td>Case 2</td><td>You have two certificates: (1) for www.acme.com and (2) for products.acme.com</td><td>Place both certificates in the desired certificate storage by following the instructions below. CloudGuard WAF will automatically use certificate 1 for the first two Applications/APIs and certificate 2 for the last Application.</td></tr></tbody></table>

### Setting a certificate in AWS certificate manager

#### Step 1: AWS Console

Log in to **AWS Console** and select the relevant Region.

#### Step 2: **AWS Certificate Manager**

Navigate to the **AWS Certificate Manager (ACM)** and import a PEM-encoded certificate and private key.

{% hint style="warning" %}
The certificate must be issued by a different certificate provider and only imported into and hosted by ACM.

Creating the certificate in ACM itself is not supported, because ACM does not expose the private key, which is required in the next step.
{% endhint %}

#### Step 3: Prepare your private key for storage in **AWS Secrets Manager**

Encode your private key into base64 using this command (Linux or Mac):

`openssl base64 -A -in <path to private key> -out <output file>`

You will need the output of the command in Step 4.

#### Step 4: Store your private key as a secret

Navigate to **AWS Secrets Manager** and click **Store a new secret:**

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2F3lrTTQ7RKrKSJltpHhWe%2Fimage.png?alt=media\&token=5b21eee1-375f-402e-8cab-063e35e0e61e)

* Choose **Other types of secret**, and add a new secret key-value pair:
  * In the **key** cell enter: *private key*
  * In the **value** cell enter your private key as a *base64 encoded single string (the output of the openssl command above)*.
* Set the **Encryption key** to: *aws/secretsmanager*
* Click **Next**

{% hint style="info" %}
It is recommended to copy the base64 encoded key into a text editor first and then into the Secrets Manager, to make sure it is copied correctly. Copying directly from a terminal sometimes does not work well (line wrapping or trailing whitespace can corrupt the string).
{% endhint %}

#### Step 5: Secret Name and Tags

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FuFUBWIFyE7mydjfclwY7%2Fimage.png?alt=media\&token=513fc79f-0e7b-4b68-98b3-b617875325d5)

* Enter the name of your secret in the **secret name** field
* In the Tags section, add a key-value pair:
  * In the **key** cell enter: *certificate*
  * In the **value** cell enter the Amazon Resource Name (ARN) of the matching certificate that you imported into the **AWS Certificate Manager** (Step 2 above).

{% hint style="success" %}
Repeat the above steps for each additional private key you have. You must store each private key as a separate secret.
{% endhint %}
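The same Steps 3-5 as shell functions, so the secret layout can be checked locally before anything is uploaded. This is an added example, not code from the CloudGuard WAF documentation; it assumes the AWS CLI v2 and `openssl` are installed, that the certificate has already been imported into ACM (Step 2), and that the secret name, key path and certificate ARN are passed in by the caller.

```shell
#!/usr/bin/env bash
# Added example: Steps 3-5 of the page as reusable shell functions.
set -eu

# Step 3: encode the PEM private key as one base64 line (same openssl
# command as the page; -A keeps the whole output on a single line).
encode_key() {            # $1 = path to PEM private key; prints the base64 string
  openssl base64 -A -in "$1"
}

# The JSON body that the console's "Other types of secret" key/value editor
# produces: a single key literally named "private key".
build_secret_json() {     # $1 = base64 string; prints the JSON document
  printf '{"private key": "%s"}' "$1"
}

# Local check before storing: decode the value back and confirm it is still
# a PEM private key identical to the original file (catches the copy/paste
# corruption the page's hint warns about). Returns 0 when everything matches.
verify_secret_json() {    # $1 = JSON document, $2 = path to the original key
  local b64 decoded
  b64=$(printf '%s' "$1" | sed -e 's/.*"private key": *"//' -e 's/".*//')
  decoded=$(printf '%s' "$b64" | openssl base64 -d -A)
  [ "$decoded" = "$(cat "$2")" ] && printf '%s' "$decoded" | grep -q 'PRIVATE KEY-----'
}

# Optional check that the key really belongs to the certificate you are about
# to reference in the "certificate" tag: both public keys must be identical.
key_matches_cert() {      # $1 = PEM private key, $2 = PEM certificate
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Steps 4-5: create the secret with the aws/secretsmanager managed KMS key and
# tag it with the ACM certificate ARN, exactly as the console steps describe.
store_key_secret() {      # $1 = secret name, $2 = path to PEM key, $3 = ACM certificate ARN
  local json
  json=$(build_secret_json "$(encode_key "$2")")
  verify_secret_json "$json" "$2"
  aws secretsmanager create-secret \
    --name "$1" \
    --kms-key-id alias/aws/secretsmanager \
    --secret-string "$json" \
    --tags "Key=certificate,Value=$3"
}
```

Run `store_key_secret` once per private key; each call creates a separate secret, as the page requires.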

#### Step 6: Launch CloudFormation Stack

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FlrRCLkco3K2x6pGqmarG%2Fimage.png?alt=media\&token=dc592728-6b39-4f12-85a0-67e2a4244384)

To launch the CloudFormation Stack, select the acknowledgement check boxes and click **Create stack**.

{% hint style="info" %}
The CloudFormation template accepts only two certificates and private keys. If you need additional certificates after the stack has launched, repeat Steps 1-5 for each of them, then go to the created IAM Role and edit the **GetCertificatesPolicy** and **GetSecretsPolicy** to include the additional certificate and secret ARNs.
{% endhint %}

#### Step 7: Enforce CloudGuard WAF Policy

Open CloudGuard WAF Web Interface in your browser and click the **Enforce** button at the top bar. This will signal the Gateways to read the certificates from AWS.
