Managing certificates is key to keeping your data safe, private, and trustworthy. Traceable lets you upload your own TLS certificates, giving you full control over your data security. Traceable uses AWS Certificate Manager (ACM) to manage TLS certificates, providing automated provisioning and renewal for encrypted HTTP(S) communication between clients and your Traceable Edge Cluster. Traceable now allows you to upload and manage your own TLS certificate(s) for an Edge Deployment, so that you can manage and rotate certificates according to your internal security policies and deploy the edge cluster in the regions you specify.
What will you learn in this topic?
By the end of this topic, you will be able to:
Understand the need for uploading TLS certificates and how you can leverage them.
Understand the prerequisites required before uploading a TLS certificate.
Understand the steps to upload and/or manage a TLS certificate.
Before you begin
Make a note of the following before you proceed to upload the TLS certificate:
Make sure you have the Certificate Private Key. For more information, see AWS Certificate Manager.
Make sure you have the Certificate Body. For more information, see Certificate and Key Format for Importing.
Upload New Certificate
The following interactive demo walks you through the steps to navigate and upload TLS Certificate(s) in Traceable.
Click Upload New Certificate, and in the Upload New Certificate window, complete the following details:
Specify the Name of the certificate, for example, cert_upload.
Specify the Certificate Private Key in the specified format.
Specify the Certificate Body in the specified format.
(Optional) Specify the Certificate Chain: the concatenated intermediate CA certificates, excluding the end-entity certificate that you already provided as the Certificate Body.
Select one or more appropriate AWS Region(s) from the drop-down. For more information on the available regions, see AWS Regions Documentation.
Note
Make sure the AWS region(s) you select here match the Primary AWS Region and the (optional) Secondary AWS Region that you select under Add New Edge Cluster when deploying. For more information, see Edge Cluster Deployment.
(Optional) Add the Tags with the Key and Value fields that contain any additional information or references related to the certificate.
Once all the necessary information is provided, Upload is enabled. You can also view or update an existing certificate by clicking the Ellipsis icon next to the certificate you wish to view or update.
Caveats
AWS Certificate Manager (ACM) has the following constraints:
ACM supports only specific cryptographic algorithms. The supported key algorithms for TLS certificates are RSA 1024-bit, RSA 2048-bit, RSA 3072-bit, ECDSA 256-bit, ECDSA 384-bit, and ECDSA 521-bit. For more information, see Supported Key Algorithms.
ACM requires a Private Certificate Key size of at least 2048 bits. For more information on key size, see ACM Certificate RSA Check.
ACM supports only certain certificate versions or formats. For more information on ACM limits, see ACM Quotas.
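The prerequisites and caveats above can be checked before you open the upload form. The following script is an added example, not Traceable's or AWS's code: it parses the three upload fields (Certificate Private Key, Certificate Body, Certificate Chain) with only the Python standard library, using a minimal DER reader to read the RSA modulus and expiry date out of the PEM blocks, and reports a key below 2048 bits, a key that does not match the certificate, an expired certificate, or a chain that wrongly repeats the certificate body. Only RSA certificates get the size and key-match checks; the sample key and certificate at the bottom are constructed DER shells with placeholder values, not real credentials.

```python
"""Pre-upload checks for the Certificate Private Key, Certificate Body and Certificate
Chain fields. Added example (not Traceable's or AWS's code), standard library only; the
sample inputs at the bottom are constructed DER shells, not real keys or certificates."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1 rsaEncryption
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY")        # unencrypted PKCS#8 / PKCS#1

def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block found in text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Decode every TLV packed inside a SEQUENCE/SET value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_certificate(der_bytes):
    """Return (rsa_modulus or None, not_after) from a DER X.509 certificate."""
    fields = der_children(der_children(der_tlv(der_bytes)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signatureAlg, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, raw = der_children(fields[3][1])[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    not_after = datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)
    alg, bitstr = der_children(fields[5][1])
    if der_children(alg[1])[0][1] != RSA_OID:           # ECDSA etc.: size/match checks skipped
        return None, not_after
    rsa_pub = der_children(der_tlv(bitstr[1][1:])[1])   # [1:] skips the unused-bits byte
    return int.from_bytes(rsa_pub[0][1], "big"), not_after

def rsa_modulus_from_key(label, der_bytes):
    """Return the modulus of an unencrypted PKCS#1 or PKCS#8 RSA private key."""
    if label == "PRIVATE KEY":                          # PKCS#8: version, alg, OCTET STRING(PKCS#1)
        der_bytes = der_children(der_tlv(der_bytes)[1])[2][1]
    return int.from_bytes(der_children(der_tlv(der_bytes)[1])[1][1], "big")   # version, n, ...

def check_upload_fields(key_pem, body_pem, chain_pem="", now=None):
    """Return a list of problems; an empty list means the three fields look uploadable."""
    now = now or datetime.now(timezone.utc)
    keys, bodies, chain = pem_blocks(key_pem), pem_blocks(body_pem), pem_blocks(chain_pem)
    problems = []
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
        problems.append("private key must be exactly one unencrypted PEM private key block")
    if len(bodies) != 1 or bodies[0][0] != "CERTIFICATE":
        problems.append("certificate body must be exactly one PEM CERTIFICATE block")
    if problems:
        return problems
    modulus, not_after = parse_certificate(bodies[0][1])
    if modulus is not None:
        if modulus.bit_length() < 2048:
            problems.append(f"RSA key is {modulus.bit_length()} bits; ACM requires at least 2048")
        if rsa_modulus_from_key(*keys[0]) != modulus:
            problems.append("private key does not match the certificate body")
    if not_after <= now:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}; HTTPS traffic will fail")
    if any(blob == bodies[0][1] for _, blob in chain):
        problems.append("certificate chain must not repeat the certificate body")
    return problems

# ---- constructed sample inputs: DER shells with placeholder values, NOT real keys ----
def der(tag, content):
    """Encode one DER TLV; only as much encoder as the samples need."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(i):
    return der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))   # spare byte keeps sign clear

def pem(label, der_bytes):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der_bytes).decode()}-----END {label}-----\n"

def sample_certificate(modulus, not_after_year):
    """Unsigned X.509 shell (empty names, zero signature) valid until 1 June of the given year."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + der(0x30, der_int(modulus) + der_int(65537))))
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"%02d0601000000Z" % (not_after_year % 100)))
    name = der(0x30, b"")
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + spki)
    return pem("CERTIFICATE", der(0x30, tbs + alg + der(0x03, b"\x00" * 33)))

def sample_rsa_key(modulus):
    """PKCS#1 shell: real modulus field, placeholder private values."""
    return pem("RSA PRIVATE KEY", der(0x30, b"".join(der_int(i) for i in [0, modulus, 65537] + [1] * 6)))

GOOD_MODULUS = (1 << 2047) | 1      # synthetic odd 2048-bit number standing in for n
WEAK_MODULUS = (1 << 1023) | 1      # 1024-bit: below the ACM minimum

if __name__ == "__main__":
    cert, key = sample_certificate(GOOD_MODULUS, 2040), sample_rsa_key(GOOD_MODULUS)
    print("good bundle:", check_upload_fields(key, cert))
    print("weak key:", check_upload_fields(sample_rsa_key(WEAK_MODULUS), sample_certificate(WEAK_MODULUS, 2040)))
    print("expired:", check_upload_fields(key, sample_certificate(GOOD_MODULUS, 2020)))
```

Against real files, pass the contents of the key, certificate and chain PEM files to check_upload_fields; the key-match check is the same comparison as diffing the modulus printed by openssl x509 and openssl rsa, and the expiry check is what an automated renewal reminder should be keyed on.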
FAQ
Do I need to upload a certificate if I am using a CDN?
Certificate upload is optional if your CDN (AWS CloudFront, Cloudflare, Akamai, etc.) handles TLS termination.
If WAAP directly processes HTTPS traffic, a TLS certificate is required.
What happens if my certificate expires?
Expired certificates may cause HTTPS traffic failures.
Set up automated reminders to replace certificates before expiration.
Can I use self-signed certificates?
Yes, but self-signed certificates should be used in internal or non-production environments.