Install IGEL Cloud Gateway (ICG) with Lets Encrypt

Installing the IGEL Cloud Gateway ( we will call it ICG from here on out), can be a daunting task, not because it is hard to install, it is because it relies heavily on secure certificates to be used during the install process. It is recommended to use a public Certificate Authority on your ICG, as they are trusted by most browsers out there today.

Me being so cheap, I wanted to see if there is a way I can leverage the free (trusted) certificates that are provided by Lets Encrypt. The site you are reading this post on is leveraging Lets Encrypt so we can serve all traffic securely over TLS (https://)


So, what do we need in order to get started?

  1. I am going to assume that you have the IGEL Universal Management Suite already installed, and configured correctly
  2. A server running a Linux OS. For this setup, I am going to create a pay as you go VPS to show the steps. In an enterprise environment, things would need to be configured with much more thought given to security (think DMZ, firewall rules, ports, etc).
  3. The binaries for the IGEL cloud gateway. This can be downloaded directly from the IGEL website. As of today, here is the link to the most current version (2.02.110)
  4. DNS A record pointing to the hostname of your ICG server.

As we are using Cloudflare for our DNS, it was a pretty straightforward exercise to add the needed A record which pointed to our VPS. We chose the hostname of

Now we need to login to our Linux server to install the bits needed for Lets Encrypt to issue us some certificates

There are a few commands we need to run, and they should be run in this order.

sudo apt-get update


sudo apt-get install software-properties-common

sudo add-apt-repository ppa:certbot/certbot

Hit enter to add

sudo apt-get update

Now it is time to start adding the Lets Enncrypt software.

sudo apt-get install certbot
Now that it has been installed, we need to configure Lets Encrypt by running the install and answering a few questions.

sudo certbot certonly
We want to spin up temporary webserver (standalone), so we are going to choose option 1.
We are then offered the chance to enter an email address for urgent renewal issues of the cert. This is highly recommended in a production environment.

We then need to agree to the terms of service of using the Lets Encrypt server, so hit A to agree

You need to decide if you are willing to share your email address with the Electronic Frontier Foundation. A founding partner of the Let’s Encrypt project and the non-profit organization that develops Certbot.

Now we need to chose the domain that we plan to use for our IGEL Cloud Gateway. It is very important that you verify that your DNS is configured correctly, or this will fail. For our purposed, we are going to use as our hostname

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2021-06-23. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

Now we have the certs we need. To verify, navigate to /etc/letsencrypt/live/yourdomainname/ and you should see your certificates.

We need to get a copy of those certificates onto our local machine, as they will need to be imported to UMS. I use filezilla to get the certs, but you can use whatever method works for you!

There are four certificates in total, each names something unique. Here is the explanation of what they are.

privkey.pem : the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem : used for OCSP stapling in Nginx >=1.3.7.
cert.pem : will break many server configurations, and should not be used
without reading further documentation (see link below).

Certbot expects these files to remain in this location in order
to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at User Guide — Certbot 1.11.0.dev0 documentation.

OK, so now we have the certs, time to head to the UMS to begin the process of actually installing ICG

In UMS go to UMS Administration, Cloud Gateway Options. Here are we are going to import our root certificate from the certs we just downloaded by clicking on this icon in the top right.

The first cert we need is chain.pem, so let’s import that.

OK, that looks good. We now need to right click on that certificate and choose

Import Signed Certificate
We then browse to the certificate location and choose cert.pem

Our cert chain should now look like this.
The final step in the certificate process is to import the decrypted private key. So right click on the cert, and choose

Import Decrypted Private Key
We are going to choose privkey.pem


Now we are ready to export the keystore.icg file that the ICG appliance really needs. We need to right click on the certificate and choose
Export certificate chain to IGEL Cloud Gateway key store format

Save the cert somewhere that it is easy to locate, as we will need it shortly.

We now need to navigate to UMS Administration and chose IGEL Cloud Gateway and choose

Install new IGEL Cloudgateway

If you see something similar to the below, then you are on the right track.

Click next to continue

Accept the IGEL license agreement

Now we need to provide credentials to our ICG server, and the path to the .bin file that we downloaded earlier.

Hit next, and we are off to the races!

49 seconds! Not bad.

Configure a proxy server if you have one.

After all that, we are done!