Configuring secure communications

Secure communications between systems require that certificates are configured on the system. To ensure that the certificate and public identity of the system are valid and secure, each system has a digital Secure Sockets Layer (SSL) certificate.

About this task

During system setup, an initial certificate is created for secure connections between web browsers and the system. This certificate is signed by the system's root CA. Generate a new certificate that includes the relevant DNS or IP entries for the system in the Subject Alternative Name field. The System Certificates page in the management GUI suggests the DNS names if a DNS server is added to the system; if no DNS server is added, the management GUI suggests the IP addresses instead. Based on the security requirements for your system, you can either create a new self-signed certificate or install a signed certificate that is created by a third-party certificate authority. Self-signed certificates are generated automatically by the system and encrypt communications between the browser and the system. However, self-signed certificates can cause web browser security warnings and might not comply with organizational security guidelines.

Signed certificates are created by an external certificate authority. External certificate authorities ensure that certificates have the security level that an organization requires, based on its purchase agreements. Signed certificates usually have stronger security controls for the encryption of data and do not cause browser security warnings.

Before you create a request for a certificate, ensure that your current browser does not restrict the type of keys that are used for certificates. Some browsers limit the use of specific key types for security and compatibility reasons. If your system supports key server-based encryption, the system also uses certificates to secure communications with the key servers that distribute and manage encryption keys for the system. If a certificate is changed, the certificate must also be updated on all configured key servers, or access to encrypted data can be lost.

If the system certificate is signed by an intermediate certificate authority (CA), the full chain of certificates must be installed. To install the signed certificate together with the CA certificates, create a single file that contains the full chain: the signed certificate followed by the intermediate CA certificates. The root CA certificate can be included but is optional.
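The following added example, which is not part of the product documentation, shows how to check a chain file of the kind described above before installing it: it builds a throw-away root and intermediate CA standing in for the external CA, issues a system certificate whose Subject Alternative Name carries a DNS name and an IP address (the names, addresses and CA names are constructed), assembles the chain file in the required order (signed certificate first, then the intermediate CA, root optional) and verifies it with openssl.

```sh
#!/bin/sh
# Added example, not from the product documentation. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
# minimal req config so the example does not depend on a system openssl.cnf
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"
# extensions for the CA certificates and for the system certificate (SAN with DNS and IP)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'subjectAltName=DNS:storage.example.com,IP:192.0.2.10\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# $1 = file base name, $2 = common name: create a private key and a certificate request
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# $1 = request base name, $2 = issuer base name, $3 = extension file: sign the request
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

# Constructed root CA (self-signed) and intermediate CA standing in for the external CA
new_csr root "Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
new_csr inter "Example Intermediate CA"
sign_csr inter root "$WORK/ca.ext"
# Certificate request for the system, signed by the intermediate CA
new_csr leaf "storage.example.com"
sign_csr leaf inter "$WORK/leaf.ext"

# Chain file to install: signed system certificate first, then the intermediate CA
cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/chain.pem"

# Number of certificates in the chain file (2 here; 3 if the optional root is appended)
chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"; }
# True if the first certificate in the chain file (the system certificate) contains $1
# in its printed form, e.g. "DNS:storage.example.com" or "IP Address:192.0.2.10"
chain_has_san() {
  openssl x509 -in "$WORK/chain.pem" -noout -text 2>/dev/null | grep -q -- "$1"
}
# True if the system certificate chains to the root through the certificates in the chain file
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

verify_chain && chain_has_san "DNS:storage.example.com" && echo "chain file $WORK/chain.pem verified"
```

With a real CA, replace the constructed root and intermediate with the certificates the CA returned and keep only the chain assembly and the two checks.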

To manage the certificate that is installed on a system, use either the svctask chsystemcert command-line interface (CLI) command or click Settings > Security > Secure Communications in the management GUI to do the following tasks:

  • Generate a new SSL certificate signed by the internal root CA.
  • Create a certificate request that is copied from the system and signed by a certificate authority.
  • Install the signed certificate that is returned by the certificate authority.
  • Export the current SSL certificate.
  • Replace a certificate that expired or is about to expire.
For specific directions on completing these tasks, see Managing certificates for secure communications.