Configure Comply TLS certificates for a custom NGINX ingress
You need to generate certificates for Comply in Puppet Enterprise (PE) to enable automatic upgrades of the CIS-CAT assessor and for tasks to upload reports.
Before you begin
Make sure you have configured Comply in Puppet Application Manager (PAM) and that you have followed the instructions in Configure Comply for a custom NGINX ingress (online environment) or Configure Comply for a custom NGINX ingress (offline environment), as appropriate to your implementation.
Certificates are required when setting up Comply for the following interactions:
- Interactions between Comply and PE. These require the CA certificate to be configured correctly. Any problem with the CA certificate that affects communication between Comply and PE results in an error in the Comply UI.
- Agent runs. If you have set up the Comply module to download the assessor from the Comply server (rather than hosting it locally), the assessor is downloaded over mTLS using the node's client certificate. The Comply mtls-proxy component requires the configured TLS certificate and CA certificate.
- Scan task runs. Running a scan sends reports back to Comply via an HTTP POST. This POST goes through the mtls-proxy and uses mTLS with the node's client certificate.
Configuring Comply TLS certificates involves first generating the certificates in Puppet Enterprise (PE) and then setting up mTLS in PAM. mTLS provides a mutually authenticated, encrypted connection between your nodes and Comply.
For information on troubleshooting problems with certificates, see Troubleshooting TLS issues in Comply.
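Because both the assessor download and the report upload depend on the node's client certificate chaining to the CA that the mtls-proxy trusts, a quick pre-flight check from a node saves a troubleshooting round trip. The script below is an added example, not part of the Comply documentation or product: it mints a throwaway CA and node certificate so it runs anywhere, and assumes the usual PE agent locations under /etc/puppetlabs/puppet/ssl and a placeholder COMPLY_URL for the real run.

```shell
#!/bin/sh
# Added example (not Comply's own code): confirm that a node's client cert
# chains to the CA the Comply mtls-proxy is configured with, then optionally
# probe the endpoint with mTLS. A failure in the first step explains both
# assessor-download and report-upload errors without touching Comply at all.
set -eu

# verify_client_chain CA_PEM CLIENT_PEM -> exit 0 if CLIENT_PEM chains to CA_PEM
verify_client_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# mtls_probe CA_PEM CLIENT_PEM CLIENT_KEY URL -> curl's exit status; a failed
# handshake here points at the TLS/CA configuration rather than at Comply.
mtls_probe() {
    curl --silent --output /dev/null \
         --cacert "$1" --cert "$2" --key "$3" "$4"
}

make_demo_pki() {
    # Constructed sample input: one CA, a node cert signed by it, and an
    # unrelated CA that stands in for a mismatched trust store.
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$dir/other.key" -out "$dir/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=node.example.test" \
        -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/node.pem" 2>/dev/null
    echo "$dir"
}

DEMO=$(make_demo_pki)
if verify_client_chain "$DEMO/ca.pem" "$DEMO/node.pem"; then
    echo "node cert chains to demo CA: OK"
fi
if ! verify_client_chain "$DEMO/other-ca.pem" "$DEMO/node.pem"; then
    echo "node cert does not chain to other-ca: mTLS would be rejected"
fi
# On a real PE node (assumed agent paths; COMPLY_URL is a placeholder):
# mtls_probe /etc/puppetlabs/puppet/ssl/certs/ca.pem \
#   "/etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem" \
#   "/etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem" "$COMPLY_URL"
```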
What to do next
Install the comply module.