
AQtive Guard Protect

AQtive Guard (AQG) Protect extends the visibility you get from AQtive Guard Discover with automated cryptographic management. It centralizes certificate management in a single framework, simplifying operations and giving you full visibility and control over how certificates are created, stored, and used.

Without lifecycle management, observability, and automation, certificates stop being safeguards and become systemic weaknesses. AQG Protect addresses this with features such as automated rotation of short-lived certificates and integration with your existing web servers, reducing risk while streamlining operations.

How it works

This section provides a technical overview of the Protect module’s architecture and how the protect-client integrates into your environment to manage cryptographic assets.

Deployment model

The Protect module is designed for environments where TLS is terminated at a proxy, API gateway, or load balancer that can be configured to offload private-key operations through PKCS#11. Deployment is one-to-one: a single protect-client sidecar runs alongside each web server.

The protect-client is a binary that can be installed as a systemd service or packaged as a Docker image for containerized environments.

Certificate manageability

Before a certificate can be enrolled in Protect, it must meet all of the following criteria:

  • A private key is associated with the certificate.
  • The certificate and its key are found in a whitelisted file path (for example, the standard NGINX, Apache, or Certbot locations).
  • The certificate has not already been enrolled in Protect.
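The three criteria above map directly onto checks you can run yourself. The following is an added example, not AQtive Guard code: it is one way to implement an eligibility check for a certificate/key pair. The whitelist patterns, the use of a SHA-256 fingerprint of the certificate as the "already enrolled" identity, and the Verdict type are assumptions made for this illustration; the product's real whitelist and enrollment registry are not documented on this page. The key-association check relies on the fact that OpenSSL verifies the private key against the certificate's public key when a cert chain is loaded, so no third-party library is needed.

```python
"""Eligibility check mirroring the three Protect enrollment criteria.

Added example, not AQtive Guard code. The whitelist patterns, the SHA-256
fingerprint used as the 'already enrolled' key and the Verdict type are
assumptions made for this illustration.
"""
import fnmatch
import hashlib
import os
import ssl
from dataclasses import dataclass

# Assumed whitelist; the product's real list is not published on this page.
# Paths are compared after os.path.realpath, so a symlink from a whitelisted
# directory to somewhere else does not pass. Certbot's live/ entries are
# symlinks into archive/, so both are listed.
DEFAULT_WHITELIST = (
    "/etc/nginx/ssl/*",
    "/etc/nginx/certs/*",
    "/etc/apache2/ssl/*",
    "/etc/ssl/certs/*",
    "/etc/ssl/private/*",
    "/etc/letsencrypt/live/*/*",
    "/etc/letsencrypt/archive/*/*",
)


def path_is_whitelisted(path, whitelist=DEFAULT_WHITELIST):
    """Criterion 2: the file lives under one of the whitelisted locations."""
    real = os.path.realpath(path)
    return any(fnmatch.fnmatchcase(real, pattern) for pattern in whitelist)


def key_matches_cert(cert_path, key_path):
    """Criterion 1: a private key is associated with the certificate.

    load_cert_chain makes OpenSSL check that the key corresponds to the
    certificate's public key; a mismatch, an unparsable file or a missing
    file all surface as exceptions and count as 'no associated key'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except (ssl.SSLError, OSError):
        return False
    return True


def cert_fingerprint(cert_path):
    """SHA-256 over the DER encoding of the first (leaf) certificate in the file.

    Taking the first PEM block means a fullchain.pem is identified by its leaf,
    and any text before the header (e.g. 'Bag Attributes') is ignored.
    """
    with open(cert_path, "r", encoding="utf-8", errors="ignore") as f:
        pem = f.read()
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.index(begin)
    stop = pem.index(end, start) + len(end)
    der = ssl.PEM_cert_to_DER_cert(pem[start:stop])
    return hashlib.sha256(der).hexdigest()


@dataclass
class Verdict:
    manageable: bool
    reason: str


def enrollment_eligibility(cert_path, key_path, enrolled, whitelist=DEFAULT_WHITELIST):
    """Apply the criteria in order. `enrolled` is the set of fingerprints already in Protect."""
    if not (path_is_whitelisted(cert_path, whitelist) and path_is_whitelisted(key_path, whitelist)):
        return Verdict(False, "path not in whitelist")
    if not key_matches_cert(cert_path, key_path):
        return Verdict(False, "no private key associated with certificate")
    fingerprint = cert_fingerprint(cert_path)
    if fingerprint in enrolled:
        return Verdict(False, "already enrolled")
    return Verdict(True, "eligible, sha256=" + fingerprint)
```

The whitelist check runs first so that the tool never opens files outside the permitted locations, and realpath is used deliberately: a symlink planted in /etc/nginx/ssl pointing at an SSH key would otherwise pass the path test.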

Key and certificate storage

Protect does not use persistent storage on the protect-client sidecar: private keys are held in an in-memory cache and are erased when the service shuts down. A copy of each key is kept in secure back-end storage (such as AWS Secrets Manager or HashiCorp Vault) for long-term retention.

Protect management actions

The actions Protect performs depend on the certificate's management type:

  • Key generation - For Fully Managed certificates, Protect handles all key generation: a new key pair is created when the certificate is first issued and again on every rotation.

    Note

    Key generation is not performed for certificates enrolled as Store and Track.

Communication and security

Communication between the protect-client and the AQG backend is secured. Certificate rotation uses the ACME protocol. The protect-client authenticates to the backend with OAuth2 machine credentials, which also govern what it is authorized to do, and the backend uses the workloadID to address the specific protect-client instance that should carry out an enrollment or rotation action.

Configuration and integration

The web server must be configured manually to offload private-key operations to the protect-client. A second backend service, protect-cert-sync, periodically checks for new certificate/key versions and reloads the web server so that the new version takes effect.
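The detect-and-reload loop that protect-cert-sync performs is simple to state but has two failure modes worth handling: a rotation that is only half written to disk, and a reload that the web server rejects. The following is an added example, not AQtive Guard code; how the real service detects a new version and which reload command it runs are not documented on this page. The watched paths and the `nginx -s reload` command are assumptions. With private-key operations offloaded through PKCS#11, only the certificate file normally changes on disk, so that is the file watched in the default invocation; add the key path if your server reads it from disk.

```python
"""Change-detection and reload loop of the kind protect-cert-sync performs.

Added example, not AQtive Guard code. The watched path and the
`nginx -s reload` command are assumptions made for this illustration.
"""
import hashlib
import subprocess
import time


def version_digest(paths):
    """SHA-256 over the contents of all watched files, in order.

    Returns None if any file is missing or unreadable, so a rotation that is
    only half written to disk is never applied. Each file is length-prefixed
    so that ("ab", "c") and ("a", "bc") do not produce the same digest.
    """
    h = hashlib.sha256()
    for path in paths:
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            return None
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


class CertSync:
    """Poll the watched files and reload the web server when their version changes."""

    def __init__(self, paths, reload_cmd, run=subprocess.run):
        self.paths = list(paths)
        self.reload_cmd = list(reload_cmd)
        self.run = run  # injectable for testing; defaults to subprocess.run
        # Assume the server was started with whatever is on disk right now.
        self.applied = version_digest(self.paths)
        self.reloads = 0

    def check_once(self):
        """One polling tick. Returns True if a reload was issued and succeeded.

        The applied digest only advances after a successful reload, so a
        failed reload (for example, nginx rejecting the new files) is retried
        on the next tick rather than silently marked as done.
        """
        current = version_digest(self.paths)
        if current is None or current == self.applied:
            return False
        try:
            result = self.run(self.reload_cmd, capture_output=True)
        except OSError:  # reload binary missing or not executable
            return False
        if result.returncode != 0:
            return False
        self.applied = current
        self.reloads += 1
        return True

    def run_forever(self, interval_s=30.0):
        """Poll at a fixed interval; the interval is a tuning assumption."""
        while True:
            self.check_once()
            time.sleep(interval_s)


if __name__ == "__main__":
    # Assumed deployment: NGINX serving a certificate file written by Protect.
    CertSync(["/etc/nginx/ssl/server.crt"], ["nginx", "-s", "reload"]).run_forever()
```

Hashing file contents rather than comparing modification times avoids a reload when a file is rewritten with identical bytes, and refusing to act while any watched file is absent is what keeps a short-lived-certificate rotation from producing a brief window in which the server is reloaded against an incomplete set of files.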