Version: v4.1

Certificates for sidecars

By default, the Cyral sidecar installs its own certificate as part of the deployment process; we refer to this as the sidecar-created certificate. You may instead provide your own certificate, signed by yourself or by the Certificate Authority (CA) of your choice; we refer to these as custom certificates. The diagram below summarizes the options you have for creating the sidecar certificate.

Sidecar-created certificate

The sidecar-created certificate is installed automatically during sidecar deployment and lives as long as the sidecar is deployed. It is a single certificate shared among all instances of that sidecar, and it is not replaced during sidecar upgrades.

This certificate corresponds to the sidecar DNS name you provided during deployment. If you did not provide a DNS name, the certificate uses the DNS name

Custom certificate

Custom certificates are self-signed or CA-signed certificates managed outside the sidecar template. Cyral helps you deploy Let's Encrypt-signed certificates or your own certificates (ones that you've self-signed or had signed by the CA of your choice).

Once you've deployed a custom certificate, you can associate it with your sidecar using the Cyral control plane or Cyral Terraform Provider.

Associate the custom certificate using the control plane

Once your custom certificate is deployed, provide its secret ID to the control plane. The secret ID is an ARN (for a CloudFormation- or Terraform-deployed AWS sidecar) or the secret name (for a Helm-deployed sidecar).

  1. Open the Sidecars screen.

  2. Select the desired sidecar.

  3. Open the Advanced tab.

  4. Enable the toggle Use custom certificate for TLS connections.

  5. Provide the secret ID in the text field:

Associate the custom certificate using the Terraform provider

In Cyral Terraform provider version v2.6.0 and later, the cyral_sidecar resource supports a certificate_bundle_secrets parameter that you can use to set up your custom certificate. See the official provider documentation for details.
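After associating a certificate, it is worth confirming which certificate the sidecar is actually serving and that it names the sidecar DNS name the certificate is supposed to correspond to. The following POSIX shell script is an added example, not part of Cyral's documentation or tooling: it only needs the openssl CLI, the host name sidecar.example.com and the temporary directory are assumptions, and the sample certificate it classifies is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example (not Cyral's code). Inspect a certificate a sidecar presents:
# is it self-signed or CA-signed, and does its SAN cover the sidecar DNS name?
set -eu

# Fetch the leaf certificate a TLS endpoint presents (host and port are assumptions).
fetch_cert() {  # fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print "self-signed" when issuer equals subject, "ca-signed" otherwise.
cert_kind() {  # cert_kind CERT.pem
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Succeed (exit 0) when NAME is listed as a DNS entry in the certificate's SAN.
cert_covers_dns() {  # cert_covers_dns CERT.pem NAME
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | grep -Eq "^[[:space:]]*DNS:$2[[:space:]]*$"
}

# Constructed sample: a self-signed certificate with a SAN, standing in for the
# certificate a sidecar would present; only used to exercise the checks offline.
make_sample_cert() {  # make_sample_cert OUTFILE DNS_NAME
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

SAMPLE_DIR=$(mktemp -d)
SAMPLE_CERT="$SAMPLE_DIR/cert.pem"
make_sample_cert "$SAMPLE_CERT" sidecar.example.com

echo "kind: $(cert_kind "$SAMPLE_CERT")"
if cert_covers_dns "$SAMPLE_CERT" sidecar.example.com; then
    echo "SAN covers sidecar.example.com"
else
    echo "SAN does not cover sidecar.example.com"
fi
```

Against a live sidecar, replace the constructed sample with `fetch_cert HOST 443 cert.pem` and run the same two checks on the saved file.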

Store a certificate for the sidecar

To deploy custom certificates for your chosen deployment method, see: