Set up TLS Encryption

Dec 20th 2025

The TLS protocol provides an authenticated, encrypted channel underneath any application conversation on the network. It is a mature, well-established security protocol, and most modern industrial protocols offer a TLS option.

Unfortunately, not all end devices support TLS encryption, and certificate management is often too onerous to be widely deployed in facilities.

Access Gate has built-in capabilities to create transparent TLS tunnels in front of critical assets, which is especially useful when a device must be exposed over a larger network.

Prerequisites

Access Gate should be installed, with both its Admin and Secure Twin ports configured. You should also have a TLS-capable client, and a certificate authority deployed in your organization.

Most protocols can be secured with TLS, but this how-to focuses on HTTP, as the most widely available option. We are going to secure access to the administrative interface of a Linksys managed switch, which only speaks plain HTTP: every login is sent in cleartext and can be sniffed by anyone on the network path.

Assets in Access Gate

The managed switch and the client should be registered as assets on the appropriate vnets (they do not need to be on the same vnet, as long as both are managed by Access Gate).

With both devices (Lab Switch and Tester in this example) registered and added to the same enclave, we can set up TLS encryption.

Generating a TLS intermediate certificate

Access Gate needs certificates to create the TLS tunnel. For added security, Access Gate actually manages a two-level certificate hierarchy:

  • an intermediate certificate is signed by your certificate authority; its private key never leaves the device (the certificate itself is public, and clients need it, alongside the terminal certificate, to build a chain back to your root)
  • terminal (leaf) certificates are generated on the fly, signed by the intermediate, and presented to devices on the network to establish secure communication.

TLS tunnels are enabled on the Settings > Networking page. Click “Generate CSR” (CSR = certificate signing request) to obtain the request, and sign it with your root authority as a subordinate CA. Upload the resulting intermediate certificate with “Upload SCA”.

Mandating encryption for access

Back on the Enclave page, allow access and select the more advanced option “TLS only”, so that plain, unencrypted connections to the asset are refused. The display updates to reflect your choice.

At this point, TLS is set up and ready for use. To check, navigate to the switch's web page through Access Gate and look for the lock icon in the browser's address bar. If the browser warns about the certificate instead, the chain (terminal certificate, intermediate, your root) is not validating on the client; see the troubleshooting steps below.

Troubleshooting steps

TLS encryption is very sensitive to correct certificate configuration. You need to make sure your certificate authority has:

  1. Enough remaining validity (CA certificates are commonly issued for 10 years) to sign the certificate request: the intermediate is only trusted while the CA that signed it is valid, so the CA must outlive the intermediate it issues
  2. The correct depth to issue terminal certificates: the CA's path-length constraint must allow one subordinate CA below it (a pathlen of at least 1, for the intermediate), and the intermediate it issues must itself be marked as a CA, otherwise it cannot sign the terminal certificates
  3. If you are using name constraints (domain limitations) on the certificate authority (a good practice!), check that all vnet names are covered by the permitted domains; clients reject a terminal certificate whose name falls outside them
  4. The
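The following script is an added, offline example (not Access Gate's tooling or code, and not the product's own extension profile): it rebuilds the root → intermediate → terminal chain described in the signing step above with plain OpenSSL (1.1.1 or newer), then runs the client-side verification for a correct chain and for two misconfigurations from the troubleshooting list, a root whose path length forbids any intermediate (check 2) and a terminal certificate whose name falls outside the CA's name constraint (check 3). All names are constructed for illustration: `root`, `gate` and `leaf` stand in for your authority, the Access Gate intermediate and a terminal certificate; `.lab.example` is the assumed DNS suffix of the vnet holding `lab-switch.lab.example`; the extension files reflect standard X.509 practice, not anything this page states about Access Gate.

```shell
#!/bin/sh
# Added example, not Access Gate tooling: rebuild the root -> intermediate -> terminal
# chain with OpenSSL (1.1.1 or newer) so the certificate checks can be tried offline.
# Everything here is constructed for illustration:
#   root  stands in for your organisation's certificate authority
#   gate  stands in for the intermediate whose CSR Access Gate generates
#   leaf  stands in for a terminal certificate the proxy mints for an asset
#   .lab.example is the assumed DNS suffix of the vnet holding lab-switch.lab.example
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the intermediate: it must be a CA, or it cannot sign anything;
# pathlen:0 means it may issue end-entity (terminal) certificates only.
cat > int.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# build_chain PREFIX ROOT_PATHLEN LEAF_DNS
# ROOT_PATHLEN is the root's pathLenConstraint: 1 allows one subordinate CA
# (the intermediate) below the root, 0 allows none.
build_chain() {
  p=$1; plen=$2; dns=$3

  # Root CA, 10-year validity, with a name constraint restricting every name
  # issued under it to the vnet's DNS suffix (the "domain limitation" above).
  cat > "$p-root.ext" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:$plen
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.lab.example
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$p-root.key" \
    -out "$p-root.csr" -subj "/CN=$p root CA" >/dev/null 2>&1
  openssl x509 -req -in "$p-root.csr" -signkey "$p-root.key" -days 3650 -sha256 \
    -extfile "$p-root.ext" -out "$p-root.crt" >/dev/null 2>&1

  # Intermediate: the CSR is what "Generate CSR" hands you; the root signs it.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$p-gate.key" \
    -out "$p-gate.csr" -subj "/CN=$p Access Gate intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$p-gate.csr" -CA "$p-root.crt" -CAkey "$p-root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile int.ext -out "$p-gate.crt" >/dev/null 2>&1

  # Terminal certificate: short-lived server certificate for the asset,
  # signed by the intermediate.
  cat > "$p-leaf.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$dns
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$p-leaf.key" \
    -out "$p-leaf.csr" -subj "/CN=$dns" >/dev/null 2>&1
  openssl x509 -req -in "$p-leaf.csr" -CA "$p-gate.crt" -CAkey "$p-gate.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$p-leaf.ext" -out "$p-leaf.crt" >/dev/null 2>&1
}

# verify_chain PREFIX: what a client does, trusting only the root and receiving
# the intermediate alongside the terminal certificate. Exit status 0 means valid.
verify_chain() {
  openssl verify -CAfile "$1-root.crt" -untrusted "$1-gate.crt" "$1-leaf.crt"
}

build_chain good    1 lab-switch.lab.example  # correct: pathlen 1, name inside the constraint
build_chain shallow 0 lab-switch.lab.example  # check 2 fails: root allows no intermediate
build_chain offsite 1 switch.corp.internal    # check 3 fails: vnet name outside permitted DNS

echo "--- good chain, expect OK"
verify_chain good
echo "--- root pathlen:0, expect 'path length constraint exceeded'"
verify_chain shallow || true
echo "--- name outside permitted subtree, expect 'permitted subtree violation'"
verify_chain offsite || true
```

Against a live deployment the equivalent check is `openssl s_client -connect <host>:<port> -showcerts` (the host and port of the enclave, which this page does not specify), feeding the certificates it prints to `openssl verify -CAfile root.crt`. Because clients only trust your root, the served chain has to include the intermediate; a lock icon in one browser that happens to cache the intermediate from an earlier visit is not proof that the chain is complete.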

By default, the Access Gate TLS proxy is configured to strike a reasonable balance between modern, secure algorithms and wide client support. If you have specific requirements (a very old device, NIST compliance), please reach out to your sales contact to discuss more advanced licensing levels.