Prisma Cloud Compute certificates
This article summarizes all the certificates used by Prisma Cloud Compute.
Learn more about the certificates used on Prisma Cloud Compute including details on what it is used for, signing CA, and your customization options.
Customizing certificates is only allowed for Prisma Cloud Compute edition.
Category | Certificate | Communication | Certificate customization | Default CA | CA customization | Prisma Cloud edition |
---|---|---|---|---|---|---|
Console TLS communication | Console Web and API certificate | Web browser, API, and Twistcli access to Console | Customize under Manage > Authentication > System certificates > TLS certificate for Console > Concatenate public cert and private key | Console CA | Your organization CA | Compute edition, Enterprise edition |
Client certificates To enforce Docker access control, client certs should be installed on any host where the docker client can be run. | Clients (users) access to remote Docker Engine instances | Customize your own certificates for your clients Explicit list of trusted certificates can be defined under Manage > Authentication > System certificates > Client certificates > Explicit certificate trust list | Console CA | Customize under Manage > Authentication > System certificates > Client certificates > CA certificate | Compute edition, Enterprise edition | |
Certificate-based authentication to Console | Clients access the Console | No CA by default | Enable Console verification of the client’s CA certificate when accessing the Console. Define CA under Manage > Authentication > System certificates > Certificate-based authentication to Console > CA certificate | Compute edition | ||
Console-Defender communication | Defender server certificate (Console side) | Console-Defender communication | Yes, for Compute Edition only. | Defender CA (defender-ca.pem) | Yes, for Compute Edition only. | Compute edition only. Not relevant for Enterprise edition (uses API token) |
Console-Defender communication | Defender client certificate (Defender side) | Console-Defender communication | No | Defender CA (defender-ca.pem) | No | Compute edition, not relevant for Enterprise edition (uses API token) |
Admission certificate (admission-cert.pem) | Admission webhook authentication with Prisma Cloud Defender | No | Defender CA (defender-ca.pem) | No | Compute edition, Enterprise edition |
Console TLS communication certificates
You can secure access to Console with your own digital certificate.
By default, Prisma Cloud accesses the Console’s web portal and API with a self-signed certificate.
The self-managed certificate generated by Console is valid for three years.
90 days prior to expiration, Prisma Cloud will let you rotate it (a banner will appear at the top of the UI).
After rotating Console’s certificate, you must restart the Console.

When you access Console’s web portal with this setup, for example, the browser flags the portal as untrusted with a warning message.
The following screenshot shows the warning message in Chrome:

You can resolve these warnings by installing your own certificate that proves your server’s identity to the client.
With the proper certificate, users are taken directly to Console, and the green padlock in the address bar indicates that the site is trusted.

Creating certificates is outside the scope of this article.
For more information about how SSL and certificates secure a site, see How does HTTPS actually work.
Configuration options
Prisma Cloud secures the communication between various actors and entities with certificates.
These certificates are automatically generated and self-signed during the Prisma Cloud install process.
They secure communication between:
- Users and the Console web portal
- Users and the Console API
- Console and the Prisma Cloud Intelligence Stream
The following options control the properties of the certificates generated during the installation process.
The default values for these options are typically adequate.
Note that these settings only change the values used when creating self-signed certificates.
Thus, users accessing the Console will still see warning messages because the certificates are not signed by a trusted certificate authority (CA).
To configure the Console to use a certificate signed by a trusted CA, follow the steps later in this article.
These options can be found in twistlock.cfg under the General Configuration section:
Configuration option | Description |
---|---|
Specifies the Common Name to be used in the certificate generated by Prisma Cloud for the host that runs Console.
The Common Name is typically your hostname plus domain name.
For example, it might be www.example.com or example.com. (Default) By default, the Common Name is assigned the output from the command hostname --fqdn. | |
Specifies the Common Name to be used in the certificate generated by Prisma Cloud for the hosts that run Defender. (Default) By default, the Common Name is assigned the output from the command hostname --fqdn. |
Securing access to Console with custom certificates
Secure access to Console with your own custom certificates.
Prerequisites:
- Your certs have been generated by a commercial Certificate Authority (CA) or with your own Public Key Infrastructure (PKI). You should have the following files on hand:
- Make sure that the private key starts and ends with:----BEGIN PRIVATE KEY---- ----END PRIVATE KEY----or:-----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----Open Prisma Cloud Console in a browser.Navigate toManage > Authentication > System Certificates.Concatenate your public certificate and private key into a single PEM file.$ cat server.crt server.key > server-cert.pemOpen theTLS certificate for Consolesection
- Upload the PEM file into theConcatenate public cert and private key (e.g., cat server-cert.pem server-key.pem)
- ClickSave
Verify that your certs have been correctly installed.