Skip to content

Manage TLS for Private Endpoint

For private Elastic Stack deployments, users must provide a TLS certificate for the private domain associated with their deployment.

Since OpsFlw cannot issue certificates on behalf of customer domains, the certificate must be obtained from your own certificate authority or issuer and uploaded through the OpsFlw portal.

Once uploaded, the certificate will be automatically applied to the private endpoint.

Because the certificate is issued by your organization, you are responsible for managing its lifecycle, including renewals and updates.

All certificate management operations are performed through the OpsFlw portal.

Certificate provisioning options

Users have two options for providing certificates.

Option 1 — Generate and sign a CSR

  1. Navigate to the OpsFlw portal.

  2. Generate and download the Certificate Signing Request (CSR) for your deployment.

  3. Submit the CSR to your certificate issuer, such as your internal CA or a public certificate provider.

  4. Once the certificate is issued, upload the public certificate through the portal.

The platform will automatically apply the certificate to the private endpoint.

Option 2 — Upload your own certificate and private key

If you already have a certificate and private key, you can upload them directly.

You must combine the certificate and key into a single PEM chain file using the following format:

-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
yyy
-----END RSA PRIVATE KEY-----

Ensure that the certificate includes all private URLs used to access the deployment as Subject Alternative Names (SANs). Connections may fail if the accessed hostname is not present in the certificate SAN list.

Once uploaded, your custom certificate and key will be used for the private endpoint deployment.

Including intermediate certificates

If your certificate chain includes intermediate certificates, they can be included in the uploaded file.

Append intermediate certificates after the leaf certificate.

Example:

-----BEGIN CERTIFICATE-----
leaf cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate cert(s)
-----END CERTIFICATE-----

Applying certificate changes

After uploading or updating a certificate, the changes are automatically applied to the deployment.

Propagation typically takes 5–10 minutes.