Auto TLS
Summary
Auto TLS enables automatic TLS between Pomerium Core and Enterprise by deriving the certificate authority (CA) and server certificates from a shared_secret
.
Auto TLS secures HTTPS and gRPC/TLS endpoints connecting the Console to the Databroker and Proxy services so you don’t have to manually generate certificates (it’s still an option for users who demand it).
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Usage | Default |
---|---|---|---|---|
tls_derive | TLS_DERIVE | FQDL (fully qualified domain name) | optional | none |
tls_derive
is a bootstrap configuration setting and is not configurable in the Console.
Name | Type | Usage | Default |
---|---|---|---|
--databroker-auto-tls (runtime parameter) | FQDL (fully qualified domain name) | optional | none |
When you set tls_derive
:
- A CA is derived from the
shared_secret
and is added to the list of system default CAs - An upstream route (
to
) server certificate signed by such a derived CA would be trusted - The Databroker gRPC server would use a server certificate with a provided domain name and signed by a derived CA
Examples
# config file key
tls_derive: www.example.domain.com
# environment variable
TLS_DERIVE=www.example.domain.com