Import a Proxy Certificate for TLS Inspection

Overview

Import a trusted proxy certificate into TOS when your organization uses a proxy that performs TLS inspection for outbound SaaS traffic. This ensures that TOS can successfully establish encrypted connections through the proxy.

Prerequisites

  • You have CLI access to the TOS server.

  • You have exported the trusted root certificate from your proxy server.

  • If using a certificate file, it has been transferred to the TOS server using SFTP.

  • If using a Base64-encoded certificate, the encoded string is available.

  • Your environment uses a proxy that performs TLS inspection.

  • In a distributed deployment, import the certificate on the Central Server and on each Remote Collector that monitors devices through the proxy.

Importing or updating a proxy certificate restarts the ST server and causes approximately 5–7 minutes of monitoring downtime. Perform this procedure during a planned maintenance window.

Steps

  1. Access the TOS server CLI.

  2. Import the certificate using one of the following methods:

    • If you already have a Base64-encoded certificate string, run:

      tos config set -p <proxyPrefix>.proxyCertificate=<BASE64_ENCODED_CERT_CONTENT>

    • If you have the certificate file, run:

      tos config set -p "<proxyPrefix>.proxyCertificate=$(base64 < /path/to/certificate.crt | tr -d '\n')" -c

    Replace:

    • <proxyPrefix> with a unique name for the proxy. The suffix .proxyCertificate is mandatory.
    • /path/to/certificate.crt with the full path to your certificate file.

  3. Verify that the command completed successfully.

  4. (Optional) To replace an existing certificate, run the same set command again with the updated certificate.

  5. (Optional) To remove a certificate, run:

    tos config reset -p <proxyPrefix>.proxyCertificate
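
Because every import restarts the server, it pays to check the exported file before step 2. The script below is an added example, not part of the TOS documentation or tooling: it confirms that the file is an unexpired PEM CA certificate and that the single-line Base64 value decodes back to the same bytes. The function names are hypothetical, and it assumes openssl, cmp and a base64 that supports -d are installed.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes openssl, cmp and a base64 that supports -d.

# cert_ok FILE: succeed only if FILE is an unexpired PEM X.509 CA certificate.
cert_ok() {
    openssl x509 -in "$1" -noout 2>/dev/null ||
        { echo "not a PEM X.509 certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired: $1" >&2; return 1; }
    # A root exported from the proxy must be a CA; a leaf (CA:FALSE) means
    # the wrong certificate was exported.
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate (CA:TRUE missing): $1" >&2; return 1; }
}

# encode_cert FILE: print the single-line Base64 value for <proxyPrefix>.proxyCertificate.
encode_cert() {
    base64 < "$1" | tr -d '\n'
}

# roundtrip_ok FILE: succeed only if the encoded value decodes back to FILE byte for byte.
roundtrip_ok() {
    encode_cert "$1" | base64 -d | cmp -s - "$1"
}

# preflight FILE: run all checks, then print the details to compare with the proxy administrator.
preflight() {
    cert_ok "$1" || return 1
    roundtrip_ok "$1" || { echo "Base64 round trip mismatch: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
    echo "encoded length: $(encode_cert "$1" | wc -c) characters"
}

# Run only when a path is given, e.g.: sh preflight.sh /path/to/certificate.crt
if [ "$#" -ge 1 ]; then
    preflight "$1"
fi
```

Compare the printed SHA-256 fingerprint with the one shown on the proxy itself before running the tos config set command.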