Document:Prisma Cloud Administrator’s Guide (Compute)

Prisma Cloud Compute certificates

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Prisma Cloud container images
- Kubernetes
- OpenShift v4
- Amazon ECS
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- IBM Kubernetes Service (IKS)
- Windows
- Defender types
- Cluster Context
- Install Defender
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- Search CVEs
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Prisma Cloud Compute certificates

This article summarizes all the certificates used by Prisma Cloud Compute. Learn more about the certificates used on Prisma Cloud Compute including details on what it is used for, signing CA, and your customization options.

Customizing certificates is only allowed for Prisma Cloud Compute edition.

Category	Certificate	Communication	Certificate customization	Default CA	CA customization	Prisma Cloud edition
Console TLS communication	Console Web and API certificate	Web browser, API, and Twistcli access to Console	Customize under Manage > Authentication > System certificates > TLS certificate for Console > Concatenate public cert and private key	Console CA	Your organization CA	Compute edition, Enterprise edition
Docker access control	Client certificates To enforce Docker access control, client certs should be installed on any host where the docker client can be run.	Clients (users) access to remote Docker Engine instances	Customize your own certificates for your clients Explicit list of trusted certificates can be defined under Manage > Authentication > System certificates > Client certificates > Explicit certificate trust list	Console CA	Customize under Manage > Authentication > System certificates > Client certificates > CA certificate	Compute edition, Enterprise edition
Certificate-based authentication to Console		Clients access the Console		No CA by default	Enable Console verification of the client’s CA certificate when accessing the Console. Define CA under Manage > Authentication > System certificates > Certificate-based authentication to Console > CA certificate	Compute edition
Console-Defender communication	Defender server certificate (Console side)	Console-Defender communication	Yes, for Compute Edition only.	Defender CA (defender-ca.pem)	Yes, for Compute Edition only.	Compute edition only. Not relevant for Enterprise edition (uses API token)
Console-Defender communication	Defender client certificate (Defender side)	Console-Defender communication	No	Defender CA (defender-ca.pem)	No	Compute edition, not relevant for Enterprise edition (uses API token)
Admission control	Admission certificate (admission-cert.pem)	Admission webhook authentication with Prisma Cloud Defender	No	Defender CA (defender-ca.pem)	No	Compute edition, Enterprise edition

Console TLS communication certificates

You can secure access to Console with your own digital certificate. By default, Prisma Cloud accesses the Console’s web portal and API with a self-signed certificate.

The self-managed certificate generated by Console is valid for three years. 90 days prior to expiration, Prisma Cloud will let you rotate it (a banner will appear at the top of the UI). After rotating Console’s certificate, you must restart the Console.

When you access Console’s web portal with this setup, for example, the browser flags the portal as untrusted with a warning message. The following screenshot shows the warning message in Chrome:

You can resolve these warnings by installing your own certificate that proves your server’s identity to the client. With the proper certificate, users are taken directly to Console, and the green padlock in the address bar indicates that the site is trusted.

Creating certificates is outside the scope of this article. For more information about how SSL and certificates secure a site, see How does HTTPS actually work.

Configuration options

Prisma Cloud secures the communication between various actors and entities with certificates. These certificates are automatically generated and self-signed during the Prisma Cloud install process. They secure communication between:

Users and the Console web portal

Users and the Console API

Console and the Prisma Cloud Intelligence Stream

The following options control the properties of the certificates generated during the installation process. The default values for these options are typically adequate.

Note that these settings only change the values used when creating self-signed certificates. Thus, users accessing the Console will still see warning messages because the certificates are not signed by a trusted certificate authority (CA). To configure the Console to use a certificate signed by a trusted CA, follow the steps later in this article.

These options can be found in twistlock.cfg under the General Configuration section:

Configuration option	Description
CONSOLE_CN	Specifies the Common Name to be used in the certificate generated by Prisma Cloud for the host that runs Console. The Common Name is typically your hostname plus domain name. For example, it might be www.example.com or example.com. (Default) By default, the Common Name is assigned the output from the command hostname --fqdn.
DEFENDER_CN	Specifies the Common Name to be used in the certificate generated by Prisma Cloud for the hosts that run Defender. (Default) By default, the Common Name is assigned the output from the command hostname --fqdn.

Securing access to Console with custom certificates

Secure access to Console with your own custom certificates.

Prerequisites:

Your certs have been generated by a commercial Certificate Authority (CA) or with your own Public Key Infrastructure (PKI). You should have the following files on hand:

A .pem file, which contains your certificate and your Certificate Authority’s intermediate certificates.

A .key file, which contains your private key.

Have your signed certificate (.pem file) and private key (.key file) ready to be accessed and uploaded to Console.

Make sure that the private key starts and ends with:

----BEGIN PRIVATE KEY----
----END PRIVATE KEY----

or:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Open Prisma Cloud Console in a browser.

Navigate to Manage > Authentication > System Certificates
.

Concatenate your public certificate and private key into a single PEM file.

$ cat server.crt server.key > server-cert.pem

Open the TLS certificate for Console
section

Upload the PEM file into the Concatenate public cert and private key (e.g., cat server-cert.pem server-key.pem)

Click Save

Verify that your certs have been correctly installed.

Document:Prisma Cloud Administrator’s Guide (Compute)

Prisma Cloud Compute certificates

Table of Contents

Prisma Cloud Compute certificates

Console TLS communication certificates

Configuration options

Securing access to Console with custom certificates