Certificates for sidecars
The Cyral sidecar will by default install its own certificate as part of the deployment process, which we refer to as a sidecar-created certificate. You may also choose to provide your own certificate, signed by yourself or by the Certificate Authority (CA) of your choice, which we refer to as a custom certificate. The diagram below summarizes the options you have for creating the sidecar certificate.
The sidecar-created certificate is automatically installed during sidecar deployment and will live as long as the sidecar is deployed. It is a single certificate shared among multiple sidecar instances and will not be replaced during sidecar upgrades.
This certificate corresponds to the sidecar DNS name you provided during deployment. If you did not provide a DNS name, the certificate uses the DNS name
Custom certificates are self-signed or CA-signed certificates managed outside the sidecar template. Cyral helps you deploy Let's Encrypt-signed certificates or your own certificates (ones that you've self-signed or had signed by the CA of your choice).
Once you've deployed a custom certificate, you can associate it with your sidecar using either the Cyral control plane or the Cyral Terraform provider.
Associate the custom certificate using the control plane
Once your custom certificate is deployed, provide its secret ID to the control plane. The secret ID is an ARN (for a CloudFormation- or Terraform-deployed AWS sidecar) or the secret name (for a Helm-deployed sidecar).
Open the Sidecars screen.
Select the desired sidecar.
Open the Advanced tab.
Enable the toggle Use custom certificate for TLS connections.
Provide the secret ID in the text field:
Associate the custom certificate using the Terraform provider
In the Cyral Terraform provider version v2.6.0 and later, the cyral_sidecar resource supports a parameter that can be used to set up your custom certificate. See the official provider documentation for more information.
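As an added example (not from this page or the provider's own documentation), the two secret-ID forms described above expressed as Terraform: the block and attribute names (certificate_bundle_secrets, sidecar, type, secret_id) and the deployment_method values are assumed from the provider's schema, and the ARN and secret name are placeholders, so confirm them against the official provider documentation before use.

```hcl
# Added example, not Cyral's own code. Block and attribute names below are
# assumed from the cyral provider schema; verify them in the provider docs.
terraform {
  required_providers {
    cyral = {
      source  = "cyralinc/cyral"
      version = ">= 2.6.0" # custom-certificate support starts at v2.6.0
    }
  }
}

# AWS sidecar (CloudFormation- or Terraform-deployed): the secret ID is the
# Secrets Manager ARN that holds the custom certificate bundle.
resource "cyral_sidecar" "aws_sidecar" {
  name              = "aws-sidecar" # constructed name
  deployment_method = "terraform"

  certificate_bundle_secrets {
    sidecar {
      type      = "aws"
      # placeholder ARN: replace REGION, ACCOUNT_ID and SECRET_NAME
      secret_id = "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:SECRET_NAME"
    }
  }
}

# Helm-deployed sidecar: the secret ID is the Kubernetes secret name.
resource "cyral_sidecar" "helm_sidecar" {
  name              = "helm-sidecar" # constructed name
  deployment_method = "helm3"

  certificate_bundle_secrets {
    sidecar {
      type      = "k8s"
      secret_id = "sidecar-custom-certificate" # placeholder secret name
    }
  }
}
```

Keep the secret containing the certificate and private key in the secret store itself; only its ARN or name belongs in the Terraform state and configuration.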
Store a certificate for the sidecar
To deploy custom certificates for your chosen deployment method, see: