Managing certificates for secure communications

The system supports self-signed and signed certificates to secure communications between the system and web browsers.

About this task

During system setup, an initial certificate is created to use for secure connections with web browsers. This certificate is signed by the system's root CA. Generate a new certificate that includes the relevant DNS or IP entries for the system in the Subject Alternate Name field. The System Certificates page in the management GUI suggests the DNS names if a DNS server is added to the system. If a DNS server is not added, the management GUI suggests the IP addresses.

Based on the security requirements for your system, you can either create a new self-signed certificate or install a signed certificate that is created by a third-party certificate authority. Self-signed certificates are generated automatically by the system and encrypt communications between the browser and the system. Self-signed certificates can generate web browser security warnings and might not comply with organizational security guidelines.

Signed certificates are created by an external certificate authority. External certificate authorities ensure that certificates have the necessary security level for an organization based on purchase agreements. Signed certificates usually have higher security controls for encryption of data and do not cause browser security warnings.

When a self-signed certificate is generated or a signed certificate is installed, the expiration date is stored on the system. When the certificate is less than 30 days from its expiration date, a warning event is sent, indicating that the certificate is about to expire. Another event is logged when the certificate expires. Certificates must be regenerated before they expire, or access to the management GUI can be disrupted.

To manage certificates on the management GUI, select Settings > Security > Secure Communications.
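The 30-day warning window and the Subject Alternate Name entries described above can also be checked from a monitoring host. The following is an added example, not code from the product: the host names, addresses, port 443, and the exported CA file are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # warning window described above

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Mar 31 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "storage01.example.com"),
                       ("IP Address", "192.0.2.10")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 11 00:00:00 2025 GMT")


def fetch_cert(host, port=443, cafile=None):
    """Fetch the certificate a management endpoint presents.

    Verification stays enabled: getpeercert() returns an empty dict under
    CERT_NONE, so pass the signing CA (assumed exported to `cafile`).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def missing_sans(cert, expected):
    """Expected DNS names or IP addresses absent from the SAN (exact match)."""
    present = {value.lower() for kind, value in cert.get("subjectAltName", ())
               if kind in ("DNS", "IP Address")}
    return sorted(name for name in expected if name.lower() not in present)


def assess(cert, expected, now=None):
    """Classify a certificate as ok, expiring (< WARN_DAYS) or expired."""
    left = days_left(cert, now)
    state = "expired" if left < 0 else "expiring" if left < WARN_DAYS else "ok"
    return {"state": state, "days_left": left,
            "missing_sans": missing_sans(cert, expected)}


if __name__ == "__main__":
    print(assess(SAMPLE_CERT, ["storage01.example.com", "192.0.2.11"], SAMPLE_NOW))
```

Because `fetch_cert` keeps verification on, a certificate that has already expired or that lacks the name being connected to raises `ssl.SSLCertVerificationError` during the handshake, which is itself the alert condition.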