Platform access

EVERTRUST Cloud instances are accessed through the Internet. Each deployed instance is assigned a unique domain name in the following format: <product>.<customer>.<environment>.evertrust.io, where:

  • <product> is either ra, ca or va;

  • <customer> is either the customer identifier or, at the customer's request, an anonymous generated name;

  • <environment> is either staging for staging environments or cloud for production environments.

Custom domain

A custom domain can be configured for an instance by setting up a CNAME record pointing to the EVERTRUST-provided endpoint. The custom domain must be whitelisted by submitting a request to EVERTRUST support, after which it is available alongside the default EVERTRUST endpoint. It is not possible to disable the EVERTRUST-provided endpoint.

To configure clm.customer.com as an alias for an instance, the following record should be created:

clm.customer.com. 3600 IN CNAME clm.customer.cloud.evertrust.io.

IP whitelisting

It is recommended to configure IP whitelisting to restrict which of your outbound IP addresses are authorized to connect to your cloud instance.

Two types of ranges can be whitelisted:

  • static CIDRs

  • third-party services

Third-party services are providers' IP ranges, maintained by EVERTRUST. They can be used if you rely on such a third party, such as Microsoft Entra or Okta for SCIM provisioning. The following third-party services are supported:

  • Microsoft Entra

  • Okta

  • Jamf

If a connection from a non-whitelisted address reaches the firewall, it will be dropped before reaching the application server.

Ingress configuration

Trust anchors

Multiple Root CAs are used for redundancy purposes. Public certificates used by the load balancer are issued by one of the following Root CAs:

Make sure your clients trust these Root CAs to ensure operational continuity.

As of January 2025, custom certificates are no longer supported for TLS termination of public endpoints. Private endpoints are not affected by this change, and you’re still responsible for managing the certificates used for private endpoints.

TLS termination

The following ciphers are accepted for TLS termination:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES256-GCM-SHA384
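
Every suite in this list combines an ephemeral (EC)DHE key exchange with an AEAD cipher, so a client restricted to static-RSA or CBC suites has nothing in common with the load balancer. The following added example (not EVERTRUST code) expands a client's OpenSSL cipher string with the local OpenSSL build and reports which of the listed suites it can negotiate; the profile names and cipher strings are constructed, and TLS 1.3 suite names are ignored because the list above does not include them.

```python
import ssl

# Cipher suites listed above as accepted for TLS termination (OpenSSL names).
ACCEPTED = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
]


def client_suites(cipher_string):
    """Expand an OpenSSL cipher string into the suite names this client offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the local OpenSSL build knows none of the requested suites
    # get_ciphers() also reports TLS 1.3 suites (TLS_...); overlap() drops them
    # because they are not in ACCEPTED.
    return [c["name"] for c in ctx.get_ciphers()]


def overlap(cipher_string):
    """Accepted suites the client can negotiate, in the order listed above."""
    offered = set(client_suites(cipher_string))
    return [name for name in ACCEPTED if name in offered]


def audit(profiles):
    """Map each client profile to its usable suites; an empty list means the
    handshake would fail for lack of a common cipher."""
    return {name: overlap(spec) for name, spec in profiles.items()}


if __name__ == "__main__":
    # Constructed client profiles (hypothetical, not taken from the page).
    profiles = {
        "modern-agent": "ECDHE+AESGCM:ECDHE+CHACHA20",
        "pinned-single-suite": "ECDHE-RSA-AES128-GCM-SHA256",
        "legacy-appliance": "AES128-SHA:AES256-SHA:DES-CBC3-SHA",
    }
    for name, suites in audit(profiles).items():
        status = "OK" if suites else "NO COMMON CIPHER"
        print(f"{name:22} {status:17} {', '.join(suites)}")
```

Run it with the cipher string taken from each client, agent or reverse proxy that connects to the instance; any profile reported as NO COMMON CIPHER needs its TLS configuration updated before it can connect.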