By default Privacera creates self-signed SSL certificates for accessing the web interfaces and REST endpoints.
You have the option to supply your own self-signed or CA-signed SSL certificates.
If you provide your own CA-signed certificate and if you rely on the Subject Alternative Name (SAN) field, be sure you specify all of your domains in the certificate's SAN field so that all necessary hostnames (such as your containers) and distributed Privacera services can communiate securely.
You should avoid using wildcards (*) in the SAN field. Wildcard certificates can create significant security risks because the same private key is used across multiple systems, thereby increasing the risk of compromise across your organization.
If you are using Privacera Encryption, then there is an option to store the master key in external HSM. If you intend to use external HSM, then the following are supported.
Encryption Key for StorageClass
If you are deploying Privacera in Kubernetes and if you are using encrypted StorageClass, the key that you used will be needed during configuring Privacera.