Imperva — Custom Certificate Wizard (POC)

Step 1 — API Credentials

Saved in browser memory only.

API ID

API Key

Not set

Show API ID / Key

Enter credentials, then continue.

Step 2 — Upload Certificate + Private Key

We’ll parse SAN + chain before matching to a site.

Server Certificate (PEM)

⤒

Drop server cert here

Must include leaf + intermediate cert(s). (PEM)

Private Key (PEM)

🔑

Drop private key here

We’ll base64-encode for upload; password not required for encoding.

Private Key Passphrase (optional)

Only needed if the private key is encrypted.

Upload both files to continue.

Step 3 — Site Information Detected

Certificate + Imperva SSL status + confirmation

Site Status (raw)

(endpoint placeholder)

—

I confirm this is the correct site

Next will enable once: cert chain is OK, site is matched, status is loaded, and you confirm the site.

Step 4 — Verify in Requests

Probe what certificate is being presented on port 443

This performs a server-side TLS probe (SNI enabled) to capture the currently presented leaf cert fingerprint and compare it to the uploaded certificate.

Hostname to probe

Tip: defaults to the Primary SAN from your uploaded certificate.

Actions

Step 5 — Rotate Cert

Remove account cert → request site cert → confirm both

This step will remove the existing Account certificate, then request a Site managed certificate. Your Custom certificate remains in place.

Account Certificate

—

Custom Certificate

—

Site Certificate

Not requested

Ready.

What’s next (after this scaffold)

We’ll build these once Step 2 is confirmed.

Validate private key matches leaf certificate (SPKI / modulus).
Upload the custom cert to Imperva for the matched site (endpoint TBD).
Probe HTTPS from a chosen vantage point to confirm the presented cert fingerprint is the uploaded one.
Remove the existing Account cert and request a new Site cert (endpoints TBD).