Identity Cloud

SSL certificates

Inbound connections

ForgeRock domains

Identity Cloud uses Google-managed SSL certificates to secure inbound traffic to the forgeblocks.com and forgerock.io domains used by your tenant environments.

Custom domains

Google-managed SSL certificates (default)

If you use a custom domain to access Identity Cloud, by default a Google-managed SSL certificate is used to secure inbound traffic to the domain. The domain is added to the certificate’s Subject Alternative Name (SAN) field.

Self-managed SSL certificates

Identity Cloud offers you the choice of using a self-managed SSL certificate with your custom domain, in place of the default Google-managed SSL certificate.

For information about how to set up your own certificate, refer to Configure a self-managed SSL certificate.

DV and EV certificates

Providing your own Domain Validation (DV) or Extended Validation (EV) SSL certificate can give your end users extra confidence that your applications are secure. Most browser vendors have now removed the visual signals in the browser address bar that distinguished these certificates (green padlock, highlighted company name, highlighted https protocol). However, the additional EV certificate information is still available when you click the padlock in the browser address bar and inspect the certificate:

Standard SSL certificate:

EV SSL certificate:

browser ssl padlock info

browser ssl certificate info

browser ssl padlock info ev

browser ssl certificate info ev
Wildcard certificates

Wildcard certificates allow subdomains of the same domain to share a certificate in the following ways:

  • Within the same realm

  • Across different realms

  • Within the same realm and across different realms

For example, a certificate for the wildcard domain "*.example.com" could be shared between an Alpha realm using the subdomain "customers.example.com" and a Bravo realm using the subdomain "employees.example.com".

Similarly, the same certificate could be shared between subdomains "employees-emea.example.com" and "employees-apac.example.com" within the same Alpha or Bravo realm.

Outbound connections

Identity Cloud lets you secure outbound traffic from your tenant environments to your own network; for example, you may want to secure outbound emails from your Identity Cloud tenant environments to your on-premises SMTP server.

To do this, you supply your own CA or TLS certificates to ForgeRock. ForgeRock then adds the certificates into the trust store of your tenant environments. You can supply as many certificates as you need.

Send ForgeRock a CA or TLS certificate

  1. Go to ForgeRock Support, and click ForgeRock Identity Cloud.

  2. Click Identity Cloud: Config Request from the ForgeRock Identity Cloud options.

  3. In the Request Type section, provide values for the following fields:

    Field Value

    Hostname(s)

    Enter a comma-separated list of FQDNs for your sandbox[1], development, UAT[2], staging, and production tenant environments.

    What would you like to do?

    Select Add CA or TLS certificate to tenant trust stores.

    Do you give permission for ForgeRock to access and make changes to your environment?

    Select Yes to allow ForgeRock Support to access your environments.

  4. In the Upload tab of the Upload your files section:

    1. (Optional) Select a storage region for your certificate from the region drop-down list.

    2. Click Select files…​ to open a local file explorer:

      1. Locate a local file containing your certificate, then select it.

      2. Click Open to confirm the local file selection. This also closes the local file explorer.

  5. Click Submit to create the support ticket with your certificate attached.

  6. ForgeRock Support confirms when the certificate has been imported into the trust stores of your tenant environments.

Copyright © 2010-2023 ForgeRock, all rights reserved.