Skip to main content
Version: v4.8

Certificates for sidecars

The Cyral sidecar requires certificates to communicate in a secure way. The Cyral sidecar will by default install its own certificates as part of the deployment process, which we refer to as sidecar-created certificates. You may also choose to provide your own certificate, signed by yourself or the Certificate Authority (CA) of your choice, which we refer to as custom certificates.

Sidecar certificate types

The sidecar uses two types of certificate: a TLS certificate, and a CA certificate.

TLS. The TLS certificate is used handle TLS connections terminated at the sidecar. This is used by all Cyral repository types when communicating with TLS terminated at the sidecar.

CA. The CA certificate is used by the sidecar when it is acting as a proxy. It is not used for all Cyral repository types. Repository types that use this certificate include S3 and DynamoDB.

Sidecar-created certificate

If custom certificates are not provided by you, the sidecar will automatically install self-signed certificates. For those deployment templates provided by Cyral, these certificates will live as long as the sidecar is deployed. They are shared amongst multiple sidecar instances and will not be replaced during sidecar upgrades. If you are managing your own deployment code by using the Linux sidecar or managing directly a docker-based sidecar, the self-signed certificate will be automatically created per instance and you are responsible for providing a custom certificate should you want to share the same certificate across multiple instances.

The sidecar-created certificate domains correspond to the sidecar DNS name you provided during deployment. If you did not provide a DNS name, the certificate uses the DNS name

Custom certificate

Custom certificates are self-signed or CA-signed certificates managed outside the sidecar template. These certificates are not provided by Cyral. You must manually create them and manage their validity.

Once you've deployed a custom certificate, you can associate it with your sidecar by providing it to the deployment template you are using. This can be specified during a sidecar creation or upgrade.


It is your responsibility to manage the validity and renewal of a custom certificate. None of the templates will renew or control the validity of the certificate.

Store a certificate for the sidecar

To deploy custom certificates for your chosen deployment method, see: