Certificate Rules

The issued license must match the issued certificate. For a customer-owned certificate such as *.<company>.com, ensure that the subdomains under xxxxxxx.<company>.com are not already in use.
We recommend using a special Safous subdomain such as *.safous.<company>.com. Issue the certificate accordingly and add a single entry in the DNS server:
  • *.safous.<company>.com ==> <POP IP address>
<POP IP address> can be either the Safous cloud name: tcp.ztna.safous.com or an internal host name of the POP server for on-premises deployment.

You cannot use a certificate issued for one subdomain and then use other subdomains, for example:
  • A certificate: *.<company>.com
  • Using these domains: *.safous.<company>.com, apps.<company>.com, and so on
The AppGW has a wildcard certificate that covers all relevant subdomains. The POP can have only a specific certificate that covers tcp.<subdomain>.<company>.com because the POP is not presenting its certificate to the users; instead, the POP presents the AppGW certificate. Since the POP is the exposed component of the system, you should provide it with a “narrowed down” certificate.

The POP trusts the AppGW certificate based on the CA signature.
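
The following added example (not Safous code) checks which planned hostnames a certificate's DNS names cover. It assumes the usual TLS wildcard rule, where `*` stands for exactly one left-most label. The names under example.com are constructed stand-ins for <company>.com.

```python
# Added example: report planned hostnames that a certificate does not cover.
# Assumption: standard TLS wildcard matching (RFC 6125 style), where "*" must
# be the entire left-most label and matches exactly one label.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".").split(".")


def name_covers(pattern, hostname):
    """Return True if one certificate DNS name covers one hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Only the left-most label may be a wildcard; the rest must be equal.
        return "*" not in p[1:] and h[0] != "*" and p[1:] == h[1:]
    # Partial ("f*") or inner wildcards are not accepted.
    return p == h and not any("*" in label for label in p)


def uncovered(cert_names, hostnames):
    """Return the hostnames that none of the certificate names cover."""
    return [h for h in hostnames
            if not any(name_covers(c, h) for c in cert_names)]


# Constructed sample data.
APPGW_CERT = ["*.safous.example.com"]    # wildcard certificate on the AppGW
POP_CERT = ["tcp.safous.example.com"]    # narrowed-down certificate on the POP
PLANNED = ["portal.safous.example.com", "tcp.safous.example.com",
           "TCP.Safous.Example.com.", "a.b.safous.example.com",
           "safous.example.com"]

if __name__ == "__main__":
    print("AppGW wildcard misses:", uncovered(APPGW_CERT, PLANNED))
    print("POP certificate misses:", uncovered(POP_CERT, PLANNED))
    print("*.example.com misses:", uncovered(["*.example.com"], PLANNED))
```

Running the check against the planned hostname list before issuing the certificate shows which names would fail validation, such as names nested more than one level below the wildcard.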