HCP for cloud scale uses SSL to provide secure incoming and outgoing communication for the product applications and mTLS for external encryption key management.
To enable Secure Sockets Layer (SSL) security, you need a valid server certificate or chain of certificates for incoming communication and a valid client certificate for outgoing communication.
The system comes with its own self-signed SSL system certificate, which is generated and installed automatically when the system is installed. This certificate is sufficient for some purposes but not automatically trusted by web browsers. For production systems the best practice is to obtain and use a certificate from a certificate authority (CA).
If you choose to replace the self-signed system certificate, do one of the following:
- Upload a PKCS12 format certificate chain from a CA.
- Download a certificate signing request (CSR) and use it to obtain, upload, and apply a certificate signed by a CA.
- Generate and apply a new self-signed SSL server certificate. You might do this, for example, if the current certificate is close to expiring and you are waiting to retrieve a new one from your CA.
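As an added example, not taken from the HCP for cloud scale documentation, the following script produces with openssl the three artifacts the options above refer to: a self-signed server certificate (option 3), a CSR from the same key (option 2), and a PKCS12 bundle ready for upload (option 1), plus the check that a certificate returned by the CA actually belongs to the key that produced the CSR. The hostname, subject and file names are assumptions.

```shell
#!/bin/sh
# Added example; not part of the HCP for cloud scale product or its docs.
# Hostname, subject and file names below are assumed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-hcp.example.internal}"   # assumed system hostname

# Option 3: a self-signed server certificate, e.g. as a stopgap while a
# CA-signed one is pending. Short validity on purpose (30 days).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    # Sanity check: the certificate is not already expired.
    openssl x509 -in "$WORK/server.crt" -noout -checkend 0 >/dev/null
}

# Option 2: a CSR for the same key, to be submitted to the CA.
make_csr() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" -out "$WORK/server.csr" 2>/dev/null
    # The CSR carries its own signature; verify it before sending it off.
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Option 1: bundle certificate (chain) and key as PKCS12 for upload.
# In production the -in file holds the CA-issued certificate followed by
# its intermediates; here the self-signed certificate stands in for it.
# Prints the SHA-256 fingerprint of the certificate read back from the bundle.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -name "$HOST" -passout pass:changeit -out "$WORK/server.p12"
    openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nokeys \
        -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256
}

# Before applying a CA-signed certificate, confirm its public key is the one
# from the CSR; a mismatch means the wrong request was signed.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}
```

Run the functions in order (`make_self_signed`, `make_csr`, `make_pkcs12`); `key_matches_cert` is the check to repeat against the certificate the CA sends back.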
For outgoing communication, such as connections to storage components, you need to upload the certificate used by those clients. You can skip the upload if that client certificate is valid and was issued by a CA the system trusts.
HCP for cloud scale supports mutual transport layer security (mTLS) over TLS v1.2 (not recommended), v1.3, or later to provide data-in-flight encryption with an external key management system (KMS). Establishing mTLS requires an exchange of certificates between the system and the KMS: each side presents its certificate and verifies the other's.