Import a Proxy Certificate for TLS Inspection

Overview

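Import a trusted proxy certificate into TOS when your organization uses a proxy that performs TLS inspection for outbound SaaS traffic. A TLS-inspecting proxy re-signs the certificates of the destinations behind it with its own certificate authority, so TOS must trust the proxy's root certificate before it can establish encrypted connections through the proxy.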

Prerequisites

  • You have CLI access to the TOS server.

  • You have exported the trusted root certificate from your proxy server.

  • If using a certificate file, it has been transferred to the TOS server using SFTP.

  • If using a Base64-encoded certificate, the encoded string is available.

  • Your environment uses a proxy that performs TLS inspection.

Steps

  1. Access the TOS server CLI.

  2. Import the certificate using one of the following methods:

    • If you already have a Base64-encoded certificate string, run:

      tos config set -p <proxyPrefix>.proxyCertificate=<BASE64_ENCODED_CERT_CONTENT>

    • If you have the certificate file, run:

      tos config set -p "<proxyPrefix>.proxyCertificate=$(base64 < /path/to/certificate.crt | tr -d '\n')" -c

    Replace:

    • <proxyPrefix> with a unique name for the proxy. The suffix .proxyCertificate is mandatory.
    • /path/to/certificate.crt with the full path to your certificate file.

  3. Verify that the command completed successfully.

  4. (Optional) To replace an existing certificate, run the same set command again with the updated certificate.

  5. (Optional) To remove a certificate, run:

    tos config reset -p <proxyPrefix>.proxyCertificate
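
A pre-import check for the certificate file used in step 2, as an added example that is not part of the product documentation or a Tufin tool. It assumes the proxy root was exported in PEM format; the function names encode_proxy_cert and show_cert_details are hypothetical, and only the base64 pipeline and the tos config set command come from this page.

```shell
# Added example. Assumption: the exported proxy root certificate is a PEM file.

# encode_proxy_cert FILE
# Prints the single-line Base64 value for <proxyPrefix>.proxyCertificate,
# or returns non-zero if the file should not be imported as it is.
encode_proxy_cert() {
    local file encoded
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # An export that bundles the proxy CA's private key must never be
    # copied into configuration: only the public certificate is needed.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        echo "refusing: $file contains a private key" >&2
        return 2
    fi

    # The file must actually contain a certificate block.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
        echo "refusing: no PEM certificate found in $file" >&2
        return 3
    fi

    # Same pipeline as the documented command.
    encoded=$(base64 < "$file" | tr -d '\n')

    # Decoding the value must reproduce the file byte for byte.
    if ! printf '%s' "$encoded" | base64 -d | cmp -s - "$file"; then
        echo "round-trip mismatch for $file" >&2
        return 4
    fi
    printf '%s\n' "$encoded"
}

# show_cert_details FILE
# Prints the subject, issuer, expiry and SHA-256 fingerprint to compare
# against the values shown on the proxy; fails if the certificate cannot
# be parsed or has already expired.
show_cert_details() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256 &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate is unparsable or already expired" >&2; return 1; }
}

# Usage with the command from step 2:
#   show_cert_details /path/to/certificate.crt &&
#   value=$(encode_proxy_cert /path/to/certificate.crt) &&
#   tos config set -p "<proxyPrefix>.proxyCertificate=$value" -c
```

Compare the printed fingerprint with the one displayed by the proxy before running the set command, so that the certificate TOS is told to trust is the one the proxy actually signs with.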