1. Overview

You can secure access to Console with your own digital certificate. By default, Prisma Cloud secures access to Console’s web portal and API with a self-signed certificate.

The self-managed certificate generated by Console is valid for three years. A month prior to expiration, Prisma Cloud will let you rotate it (a banner will appear at the top of the UI). After rotating Console’s certificate, you must manually redeploy your Defenders.

custom certs console access 565476

When you access Console’s web portal with this setup, for example, the browser flags the portal as untrusted with a warning message. The following screenshot shows the warning message in Chrome:

custom certs console access 565474

You can resolve these warnings by installing your own certificate that proves your server’s identity to the client. With the proper certificate, users are taken directly to Console, and the green padlock in the address bar indicates that the site is trusted.

custom certs console access 565475

Creating certificates is outside the scope of this article. For more information about how SSL and certificates secure a site, see How does HTTPS actually work.

2. Configuration options

Prisma Cloud secures the communication between various actors and entities with certificates. These certs are automatically generated and self-signed during the Prisma Cloud install process. They secure communication between:

  • Users and the Console web portal.

  • Users and the Console API.

  • Console and Defenders.

  • Console and the Prisma Cloud Intelligence Stream.

The following options control the properties of the certificates generated during the install process. The default values for these options are typically adequate.

Note that these settings only change the values used when creating self-signed certificates. Thus, users accessing the Console will still see warning messages because the certificates are not signed by a trusted certificate authority (CA). To configure the Console to use a certificate signed by a trusted CA, follow the steps later in this article.

These options can be found in twistlock.cfg under the General Configuration section:

Configuration option Description

CONSOLE_CN

Specifies the Common Name to be used in the certificate generated by Prisma Cloud for the host that runs Console. The Common Name is typically your host name plus domain name. For example, it might be www.example.com or example.com.

(Default) By default, the Common Name is assigned the output from the command hostname --fqdn.

DEFENDER_CN

Specifies the Common Name to be used in the certificate generated by Prisma Cloud for the hosts that run Defender.

(Default) By default, the Common Name is assigned the output from the command hostname --fqdn.

You can also control the Subject Alternative Names (SANs) in Console’s certificate.

3. Securing access to Console with custom certs

Secure access to Console with your own custom certs.

Prerequisites:

  • Your certs have been generated by a commercial Certificate Authority (CA) or with your own Public Key Infrastructure (PKI). You should have the following files on hand:

    • A .pem file, which contains your certificate and your Certificate Authority’s intermediate certificates.

    • A .key file, which contains your private key.

  1. Have your signed certificate (.pem file) and private key (.key file) ready to be accessed and uploaded to Console.

    Make sure that the private key starts and ends with:

    ----BEGIN PRIVATE KEY----
    ----END PRIVATE KEY----

    or:

    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
  2. Open Prisma Cloud Console in a browser.

  3. Navigate to Manage > Authentication > System Certificates.

  4. Concatenate your public cert and private key into a single PEM file.

    $ cat server.crt server.key > server-cert.pem
  5. Upload the PEM file into the TLS Certificate for Console section.

  6. Click Save

  7. Verify that your certs have been correctly installed.

    Open your browser, and navigate to: https://<CONSOLE_HOSTNAME>:8083

    If you see the locked padlock icon, you have installed your certs correctly.

    custom certs console access 565472