How can I get the App Gateway SSL certificate manually?

By default, the App Gateway automatically updates the system's SSL certificate (not the Safous ZTNA license) without any human intervention. This works as long as all the prerequisites required by the Safous ZTNA Service are fulfilled. Some customers have very restrictive company policies for outbound internet connections, so the App Gateway cannot complete the system-triggered SSL certificate update.

This article explains how to manually update the SSL certificate, assuming you are using Linux on your local machine. If you are using Windows on your local machine, please refer to the documentation of the third-party SSH/SCP client that you use.


  1. Ensure you have remote access to your App Gateway host.
  2. Retrieve the /etc/safous/.config file from the App Gateway to your local machine. Below is an example command to retrieve it using SCP:
    scp -P <port_number> <username>@<app_gw_ip_addr>:/etc/safous/.config .
  3. Check that the file has been retrieved to your local machine.
  4. Once you have confirmed you have the correct file, run this command from your local machine:
    bash < <(. ./.config && curl -s -u "${CERT_AUTH}"
  5. The previous command creates a new folder named "certs" in the current working directory. Check whether it contains the certs.pem and key.pem files.
  6. If those two files exist, you can now upload them back to the App Gateway host. Below are example commands to upload them using SCP:
    scp -P <port_number> certs.pem <username>@<app_gw_ip_addr>:/tmp/
    scp -P <port_number> key.pem <username>@<app_gw_ip_addr>:/tmp/
  7. Log in to your App Gateway host and ensure those two files exist in the /tmp/ directory.
  8. Run these commands to replace the SSL certificate:
    sudo cp /tmp/certs.pem /etc/cyolo/certs/
    sudo cp /tmp/key.pem /etc/cyolo/certs/
  9. Run this command to update the certificate in the Safous system:
    sudo docker-compose -f /etc/cyolo/config/docker-compose.yml restart idac
  10. Check your tenant User Portal certificate in the browser.
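
The check in step 5 can go further than confirming the two files exist. The following is an added example, not part of the original article or of Safous tooling: it confirms on the local machine, before the upload in step 6, that key.pem belongs to certs.pem and that the certificate has not expired. It assumes openssl is installed locally, that the first certificate in certs.pem is the server certificate, and that key.pem is an unencrypted PEM key; the function name check_cert_pair and its return codes are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Safous tooling): sanity-check the "certs" folder before upload.
# Assumptions: the first certificate in certs.pem is the server certificate and
# key.pem is an unencrypted PEM private key.
# Return codes: 0 ok, 1 file missing/empty, 2 unparsable, 3 key mismatch, 4 expired.
check_cert_pair() {
    local dir="${1:-./certs}"
    local cert="$dir/certs.pem" key="$dir/key.pem"
    local f cert_pub key_pub

    for f in "$cert" "$key"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done

    # Public key embedded in the first certificate of certs.pem
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 2; }
    # Public key derived from the private key (empty passphrase so it never prompts)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 2; }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key.pem does not match certs.pem" >&2
        return 3
    fi

    # -checkend 0 fails when the certificate has already expired
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate is expired" >&2
        return 4
    fi

    # Print what is about to be installed, for comparison with the portal in step 10
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
}

# Run the check when a directory is given on the command line
if [ "$#" -gt 0 ]; then check_cert_pair "$1"; fi
```

The SHA-256 fingerprint it prints can be compared with the certificate the browser shows in step 10 to confirm the restart picked up the new files.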