By default, Prisma Cloud uses an internal, self-managed certificate authority for all x.509 cryptographic functions. Prisma Cloud self-managed certificates are used for TLS access to Console’s web UI, for Defenders to authenticate to Console, and for users to authenticate to Defenders.
The self-managed certificate generated by Console is valid for three years. A month prior to expiration, Prisma Cloud will let you rotate it (a banner will appear at the top of the UI). After rotating Console’s certificate, you must manually redeploy your Defenders.
Prisma Cloud lets you use your own certificates for some functions. For example, if you want to make access to the web UI more seamless, you can use certificates from an implicitly trusted CA for securing the TLS connection. You can also use custom certificates to authenticate to Defenders using the Docker and Kubernetes clients. Your custom certificates are used in place of those generated by Prisma Cloud.
To set up your custom certs:
Open Console, and go to Manage > Authentication > Certificates.
Set Advanced certificate configuration to Show.
Under Console Authentication (section 2), upload the CA certificate(s) in PEM format, then click Save.
If you have multiple CAs, such as a root CA and several issuing CAs, you must add all these certificates into the PEM file. The order of certificates in the PEM file should be from the lowest tier of the hierarchy to the root. For example, if you have a 3 tier hierarchy that looks like this:
->RootCA ->IntermediateCA ->IssuingCA1 ->IssuingCA2
Your PEM file should be ordered as IssuingCA1, IssuingCA2, IntermediateCA, RootCA. To create such a PEM file, you’d get the public keys of each CA in PEM format and concatenate them together:
$ cat IssuingCA1.pem IssuingCA2.pem IntermediateCA.pem RootCA.pem > CAs.pem
Once this configuration is enabled, users must copy their keys (both public and private) to the host they’re using to run commands with docker or kubectl. Though the path can be referenced in each command, it’s usually simpler to place them in the default directory that docker looks in for certificates (~/.docker).
Each user certificate used with Prisma Cloud must have the user’s CN embedded in the Subject field of the certificate. You can validate these settings by running the following command against the certificate:
$ openssl x509 -in .docker/cert.pem -text | grep Subj Subject: CN=username
Finally, Docker requires that the CA certificate used to sign the server certificate on the nodes Prisma Cloud is protecting must also be in the ~/.docker folder, in a file called ca.pem. Because the 'server' certificate used in this deployment model is still generated by Prisma Cloud, this means that on each host where you’re running docker or kubectl commands, you must also add the CA certificate to this folder.
You also have an option to create a list of explicitly trusted custom certificates. A typical use case of this feature would be when may have multiple certificates issued to a given user but only want specific ones to be available for use with Prisma Cloud. By adding an explicit trust list, you can control what certificates can be used because Prisma Cloud compares any certificates presented to it against the allowed trusted-certificates-list. This way, a user having certificate not in the explicitly allowed list will not be able to use the certificate with Prisma Cloud, even if it was issued by a trusted CA. Note that this feature is valid only when custom CA is configured. When enabled, it allows users to add new certificates to a table by uploading entire public certificates in PEM format.
External certification authority section will be visible only to an Admin role user.
All trusted certs information will be retrieved from the certificate itself, so the user doesn’t have to manually add info such as CN, issuer etc.
Only the public portion of a user certificate should be added to the explicit trust list. Private keys are not required and should be excluded from this process.
When a custom cert is provided to authenticate to Prisma Cloud, it first checks the certificate against this list. If the cert is matched to an entry in the list, then the previously existent flow continues. If the cert is not in the trusted list, then the authentication fails with an error 'Certificate not in certificate trust list configured in Prisma Cloud'.
Under Authentication to Defenders (section 1a), upload CA certificate to trust.
Set Enable authentication with only an explicit list of trusted certificates to ON.
Click Add certificate, copy the PEM-formatted public certificate which was issued by the trusted CA, then click Add.