Auto TLS
Summary
Auto TLS enables automatic TLS between Pomerium Core and Enterprise by deriving the certificate authority (CA) and server certificates from a shared_secret.
Auto TLS secures the HTTPS and gRPC/TLS endpoints that connect the Console to the Databroker and Proxy services, so you don't have to generate certificates manually (manually provisioned certificates remain an option for users who need them).
How to configure
Core

| Config file keys | Environment variables | Type | Usage | Default |
|---|---|---|---|---|
| tls_derive | TLS_DERIVE | FQDN (fully qualified domain name) | optional | none |

Examples

```yaml
tls_derive: www.example.domain.com
```

```bash
TLS_DERIVE=www.example.domain.com
```

tls_derive is a bootstrap configuration setting and is not configurable in the Console.

Enterprise

| Name | Type | Usage | Default |
|---|---|---|---|
| --databroker-auto-tls (runtime parameter) | FQDN (fully qualified domain name) | optional | none |
When you set tls_derive:

- A CA is derived from the shared_secret and is added to the list of system default CAs.
- An upstream route (to) server certificate signed by such a derived CA is trusted.
- The Databroker gRPC server uses a server certificate for the provided domain name, signed by the derived CA.
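The trust model behind tls_derive, as an added Go illustration that is not Pomerium's code: a CA key pair is derived deterministically from the shared secret, a server certificate for the tls_derive domain is signed by that CA, and a peer holding the same shared_secret re-derives the CA and trusts the certificate, while a peer with a different secret or a different hostname rejects it. The derivation scheme (SHA-256 over a label and the secret, used as an Ed25519 seed), the function names and the certificate fields are assumptions; Pomerium's actual derivation is not described on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// parse adapts the (DER, error) pair from x509.CreateCertificate into a parsed certificate.
func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DeriveCA maps shared_secret to a reproducible CA key and self-signed cert (illustrative scheme, not Pomerium's).
func DeriveCA(secret []byte) (*x509.Certificate, ed25519.PrivateKey, error) {
	seed := sha256.Sum256(append([]byte("derived-ca:"), secret...)) // label separates this use of the secret
	key := ed25519.NewKeyFromSeed(seed[:])
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "derived CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	ca, err := parse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return ca, key, err
}

// IssueServerCert signs a fresh leaf for domain (the tls_derive value) with the derived CA.
func IssueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, domain string) (*x509.Certificate, error) {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{domain}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
}

// TrustedBy is the peer-side check: re-derive the CA from secret and verify leaf for domain against it only.
func TrustedBy(secret []byte, leaf *x509.Certificate, domain string) bool {
	pool := x509.NewCertPool()
	if ca, _, err := DeriveCA(secret); err == nil {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: domain, Roots: pool})
	return err == nil
}
```

Issue a leaf with DeriveCA followed by IssueServerCert, then call TrustedBy with the same secret (trusted), a different secret (rejected) and a different hostname (rejected).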