Platform access

EVERTRUST Cloud instances are accessed through the Internet. Each deployed Instance is assigned a unique domain name with the following naming format: <product>.<customer>.<environment>.evertrust.io, where:

  • <product> is either ra, ca or va;

  • <customer> is either the customer identifier or an anonymous generated name, on customer request;

  • <environment> is either staging for staging environments or cloud for production.

Custom domain

A custom domain can be configured for an instance by setting up a CNAME record pointing to the EVERTRUST-provided endpoint. The custom domain must be whitelisted by submitting a request to EVERTRUST’s support, after which it is available alongside the default EVERTRUST endpoint. It is not possible to disable the EVERTRUST-provided endpoint.

To configure clm.customer.com as an alias for an instance, the following record should be created:

clm.customer.com. 3600 IN CNAME clm.customer.cloud.evertrust.io.

IP whitelisting

Outbound traffic (customer)

EVERTRUST Cloud instances are exposed on the Internet behind load balancers. These load balancers use IP addresses that may change over time because of maintenance or scaling operations. If you use outbound IP whitelisting, EVERTRUST publishes the list of IP addresses used by its load balancers in a public text file so that connectivity from your infrastructure to EVERTRUST Cloud instances can be maintained. The file is available at the following URL:

The list provided at this URL is updated automatically when changes occur. It is recommended to use this URL as a source for your outbound IP whitelisting configuration, if applicable, as IPs may be added or removed with a 48-hour notice.
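One way to follow this recommendation without letting a bad download rewrite the firewall, as an added example (not EVERTRUST's code): it validates the published list and plans the changes against the current allowlist. It assumes the file holds one IP address or CIDR per line with optional # comments; the sample addresses, prefix limits and churn threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation ranges), not EVERTRUST's real addresses.
PUBLISHED_SAMPLE = """\
# constructed sample of the published text file
192.0.2.10
192.0.2.11
198.51.100.0/28
"""
CURRENT_ALLOWLIST = {"192.0.2.10/32", "203.0.113.7/32"}

MIN_PREFIX = {4: 24, 6: 48}  # assumption: reject any entry broader than this
MAX_CHURN = 0.5              # assumption: reject removing over half the entries at once


def parse_published(text):
    """Return the published entries as a set of normalized CIDR strings.

    Raises ValueError on a malformed, overly broad or empty list, so a
    truncated download or an HTML error page never reaches the firewall.
    """
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # ValueError if malformed
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"line {lineno}: {net} is broader than allowed")
        nets.add(str(net))
    if not nets:
        raise ValueError("published list is empty")
    return nets


def plan_update(published_text, current):
    """Return (to_add, to_remove), or raise if the change looks unsafe."""
    published = parse_published(published_text)
    to_add = sorted(published - current)
    to_remove = sorted(current - published)
    if current and len(to_remove) / len(current) > MAX_CHURN:
        raise ValueError(f"refusing to remove {len(to_remove)} of {len(current)} entries")
    return to_add, to_remove


if __name__ == "__main__":
    add, remove = plan_update(PUBLISHED_SAMPLE, CURRENT_ALLOWLIST)
    print("add:", add)
    print("remove:", remove)
```

A rejected list should leave the existing allowlist untouched and raise an alert for manual review.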

Inbound traffic

It is recommended to configure inbound IP whitelisting to restrict which addresses or ranges are authorized to connect to your cloud instance from the Internet.

Two types of ranges can be whitelisted:

  • static CIDRs

  • third-party services

Third-party services are provider IP ranges that EVERTRUST maintains. They can be used if you rely on such a third party, such as Microsoft Entra or Okta for SCIM provisioning. The following third-party services are supported:

  • Microsoft Entra

  • Okta

  • Jamf

If a connection from a non-whitelisted address reaches the firewall, it will be dropped before reaching the application server.

Ingress configuration

Trust anchors

Multiple Root CAs are used for redundancy purposes. Public certificates used by the load balancer are issued by one of the following Root CAs:

Make sure your clients trust these Root CAs to ensure operational continuity.

As of January 2025, custom certificates are no longer supported for TLS termination of public endpoints. Private endpoints are not affected by this change, and you’re still responsible for managing the certificates used for private endpoints.

TLS termination

The following ciphers are accepted for TLS termination:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES256-GCM-SHA384