Adding TLS Trusted Certificates

Last Updated: Nov 17, 2023

About this task

A Transport Layer Security (TLS) certificate is issued by a Certificate Authority (CA) to the owner of a domain name. The TLS certificate contains information about the owner and the public key of the server. To add a trusted certificate to the certificate repository, download the PEM format file (with the extension .crt, .pem, or .cer) to the /var/home/ftp/pub directory, either manually or by following the Downloading the Certificate section.

The trusted certificates are used to validate your Server or Application certificate installed below and the certificates presented by the other server in a TLS connection. You can install multiple trusted certificates.

This task must be performed on both main Communication Manager and LSP.

If a reverse proxy is present, its certificates must be authenticated using the Trusted Certificates loaded on the LSP and on the main Communication Manager server.

Note:

By default, TLS mutual authentication is enabled on the main Communication Manager server for the Websocket Edge connections.

An administrator can disable or enable mutual authentication on the main Communication Manager server using the awtun_config Linux shell command:
  • awtun_config disable mut-tls

  • awtun_config enable mut-tls

Procedure

  1. On the SMI page, navigate to Administration > Server (Maintenance).
  2. In the Security section, click Trusted Certificates.
  3. Click Add to add a certificate to the server. The Communication Manager SMI displays the Trusted Certificates – Add page.
  4. Enter the file name of the PEM certificate that you want to add.

    The PEM certificate must be placed in the /var/home/ftp/pub directory.

  5. Click Open to validate the certificate.
    After successful verification, the Trusted Certificates – Add page shows the issued-to, issued-by, and expiration date information for the certificate to be added.
    Note:
    If the file does not contain a valid certificate, the Communication Manager SMI displays an error message instead of the certificate content.
  6. Re-enter the file name to save the certificate.
  7. Select the Edge Friendly repository check box.

    If a reverse proxy (or Application Delivery Controller (ADC)) is used to set up the connection to the main Communication Manager server, the reverse proxy trusted certificates must be loaded to set up the HTTPS connection between the LSP and the reverse proxy and between the reverse proxy and the main Communication Manager server. For more information on trusted certificates, see Trust certificates.

    A certificate is also required for the Communication Manager repository; it is used to verify the tunneled connection to the main Communication Manager server. This can be the same certificate used for the Edge Friendly repository or a different one.

  8. Click the Add button.
    The Communication Manager SMI then performs the following checks:
    1. If the file name does not end with a .crt extension, the system removes the entered extension and replaces it with .crt before creating the file.

    2. The SMI page verifies that the file name is unique and does not already exist.

    3. The SMI page verifies that the same certificate is not being added again under a new file name.
      Note:
      If you fail to install a certificate in one repository, it does not affect the installation in the other repositories.
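The following script is an added example, not Avaya code or part of the SMI: it performs, on the administrator's workstation, the same checks the procedure says the SMI applies at step 8 (the file must hold a valid PEM certificate, the stored name always ends in .crt, the name must be unique, and the same certificate must not be added twice under a new name), and adds an expiry check so an already-expired CA certificate is caught before it is uploaded to /var/home/ftp/pub. The function and variable names, the minimal stdlib-only DER walker, and the constructed sample certificate (an unsigned skeleton carrying only the fields the walker reads) are all assumptions of this example, not anything the page describes.

```python
"""Pre-flight checks for a trusted-certificate file before it is copied to
/var/home/ftp/pub and added through the SMI. Added example, not Avaya code."""
import base64
import binascii
import hashlib
import os
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
REPOSITORY_DIR = "/var/home/ftp/pub"           # upload directory named in the procedure


def pem_to_der(pem_text):
    """Extract the first PEM certificate block and decode it to DER bytes."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity -> notAfter (UTC datetime)."""
    _, certificate, _ = _read_tlv(der, 0)
    fields = _children(_children(certificate)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, value = _children(fields[3][1])[1]                # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def fingerprint(der):
    """SHA-256 over the DER bytes: identifies the certificate regardless of file name."""
    return hashlib.sha256(der).hexdigest()


def repository_name(filename):
    """Mirror the SMI rule: whatever extension was entered becomes .crt."""
    stem, _ = os.path.splitext(os.path.basename(filename))
    return stem + ".crt"


def load_repository(directory=REPOSITORY_DIR):
    """Read the certificate files already present in the upload directory."""
    repo = {}
    for name in os.listdir(directory):
        if name.lower().endswith((".crt", ".pem", ".cer")):
            with open(os.path.join(directory, name), encoding="ascii", errors="replace") as fh:
                repo[name] = fh.read()
    return repo


def preflight(candidate_name, pem_text, repository, now=None):
    """Run the checks; returns target name, fingerprint, expiry and a list of problems."""
    now = now or datetime.now(timezone.utc)
    der = pem_to_der(pem_text)                  # raises if the file is not a certificate
    digest, expiry, target = fingerprint(der), not_after(der), repository_name(candidate_name)
    problems = []
    if expiry <= now:
        problems.append(f"certificate expired on {expiry:%Y-%m-%d}")
    if target in repository:
        problems.append(f"{target} already exists in the repository")
    for name, text in repository.items():
        try:
            if fingerprint(pem_to_der(text)) == digest:
                problems.append(f"same certificate already stored as {name}")
                break
        except (ValueError, binascii.Error):
            continue                            # not a certificate file; ignore it
    return {"name": target, "sha256": digest, "not_after": expiry, "problems": problems}


# --- constructed sample input: an unsigned certificate skeleton, NOT a real CA cert ---
def _tlv(tag, body):
    """Minimal DER encoder used only to build the sample below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_pem(not_after_utc="351231235959Z"):
    """Build a PEM file whose tbsCertificate carries the given notAfter (UTCTime)."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    tbs = seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                               # [0] version v3
        _tlv(0x02, b"\x01"),                                           # serialNumber
        seq(_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),      # sha256WithRSAEncryption
        seq(),                                                         # issuer (empty Name)
        seq(_tlv(0x17, b"200101000000Z"), _tlv(0x17, not_after_utc.encode())),  # validity
    )
    der = seq(tbs, seq(), _tlv(0x03, b"\x00"))   # signatureAlgorithm / signature placeholders
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    report = preflight("intermediate-ca.pem", sample_pem(), {})
    print(report["name"], report["sha256"][:16], report["not_after"].date(), report["problems"])
```

In practice you would call `preflight(path, open(path).read(), load_repository())` on the Communication Manager server (or on a copy of the upload directory) and only proceed with step 8 when `problems` is empty; the SMI still performs its own validation at steps 5 and 8, so this script only saves a round trip, it does not replace that validation.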