Certificate Rules

The issued license must match the issued certificate. For a customer-owned certificate such as *.example.com, ensure that the subdomains under xxxxxxx.example.com are not already in use.
We recommend using a dedicated Safous subdomain such as *.safous.example.com. Issue the certificate accordingly and add a single entry in the DNS server:

  • *.safous.example.com --> POP IP address

The POP IP address can be either the Safous cloud name, tcp.ztna.safous.com, or the internal host name of the POP server for an on-premises deployment.

You cannot use a certificate issued for a specific subdomain and then use other subdomains, such as:

  • A certificate: *.example.com
  • Using these domains: *.safous.example.com, apps.example.com, and so on
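
A pre-deployment check for the mismatch above, as an added example that is not part of the Safous documentation: it applies the standard single-label wildcard rule (RFC 6125) to list the planned hostnames that a certificate's names do not cover. The function names and the hostnames in `PLANNED` are constructed for illustration.

```python
# Added example (not Safous code): which planned hostnames does a certificate cover?
# Rule applied (RFC 6125): "*" is honoured only as the whole leftmost label and
# stands for exactly one label, so it never spans several labels or zero labels.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (SAN entry) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # different depth: the wildcard cannot absorb extra labels
    if p_labels[0] == "*":
        # Wildcard replaces one non-empty label; the rest must match exactly.
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    # No leading wildcard (or a partial one such as "f*"): treat as a literal name.
    return p_labels == h_labels


def uncovered(cert_names, hostnames):
    """Return the hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed sample: hostnames planned under the dedicated Safous subdomain.
PLANNED = ["app1.safous.example.com", "tcp.safous.example.com"]

if __name__ == "__main__":
    for cert in (["*.safous.example.com"], ["*.example.com"]):
        missing = uncovered(cert, PLANNED)
        print(cert, "->", missing if missing else "all covered")
```

Run it with the names from the certificate you intend to issue and the hostnames you plan to publish; any hostname it lists needs a certificate issued for the matching subdomain.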

The AppGW has a wildcard certificate that covers all relevant subdomains. The POP can have only a specific certificate that covers tcp.subdomain.example.com because the POP is not presenting its certificate to the users; instead, the POP presents the AppGW certificate. Since the POP is the exposed component of the system, you should provide it with a “narrowed down” certificate.

The POP trusts the AppGW certificate based on the CA signature.