Configuring Certificates

This section describes the use of public key certificates. Public key certificates and their trust chains provide a mechanism to digitally identify a system to its peers without the two sides having to exchange a shared secret in advance; each side needs only to trust the certificate authority (CA) that issued the other's certificate.

A public key certificate is a data structure that binds a public key to an identity. It contains the public key value, the subject name that identifies the holder, the name of the issuing CA, a validity period, and other metadata, together with a digital signature that the issuer computes over a hash of all of that content. The signature lets anyone holding the issuer's certificate detect any modification of the certificate and confirm who issued it.

The appliance supports customer-owned certificates. The life cycle of a certificate starts on the appliance with generating a private key and a certificate signing request (CSR) that carries the matching public key and the requested subject name. The CSR, but never the private key, is sent to the CA for signing. When the signed certificate is returned from the CA, it is installed on the appliance. If the certificate was signed by an intermediate CA rather than a root CA, you must also obtain and upload the certificate of that intermediate CA and of every CA above it up to the root, so that clients can build and verify the complete trust chain.

You can manage the following two types of certificates:

  • System certificates identify the current system.

  • Trusted certificates identify remote systems.

To manage system certificates, use the following tasks:

  • Creating a New System Certificate - BUI, CLI

  • Uploading CA Certificates from Non-root CAs - BUI, CLI

  • Viewing CSR and System Certificate Details - BUI, CLI

  • Destroying a CSR or System Certificate - BUI, CLI

  • Setting the Appliance or Default System Certificate - BUI, CLI

To manage trusted certificates, use the following tasks:

  • Uploading a Trusted Certificate - BUI, CLI

  • Viewing Trusted Certificate Details - BUI, CLI

  • Destroying a Trusted Certificate - BUI, CLI

  • Assigning a Certificate to a Service - BUI, CLI

To use HTTP Strict Transport Security (HSTS) in conjunction with certificates, see the following topic: HTTP Strict Transport Security