Overview

Last Updated: Jun 05, 2026

Experience Portal servers use the TLS protocol for all inbound and outbound secure communication, including the following:

  • Communication from one Experience Portal server to another Experience Portal server.

  • Communication from an Experience Portal server to external network entities, such as application servers, SMGR, SIP proxies, and speech servers.

Experience Portal servers include primary EPM, auxiliary EPM, and MPP. To provide secure communication, the TLS protocol requires the communicating parties to exchange and validate identity certificates.

The following are the three types of security certificates in Experience Portal:

  • EP signing certificate

  • Identity certificates

  • Trusted certificates

Note:

Experience Portal supports certificates only with a minimum key size of 2048 bits.

EP signing certificate (EP root certificate)

The EP signing certificate is the root certificate of the certificate authority for Experience Portal. This certificate is installed by default on the primary EPM.

The primary EPM server uses the EP signing certificate to act as the certificate authority (CA) for all the Experience Portal servers: it issues and signs the identity certificates for all the Experience Portal servers.

The EP signing certificate is enabled only when Experience Portal servers use the default identity certificates. If Experience Portal servers use externally signed identity certificates, disable the EP signing certificate.

Identity certificates

Each Experience Portal server has its own identity certificate to establish secure communication with other network entities.

Experience Portal servers can use one of the following certificates:

  • Default identity certificates: The identity certificates issued and signed by the EP certificate authority (signed by the EP signing certificate).

  • Externally signed identity certificates: The custom identity certificates signed by an external certificate authority (CA). External CAs are also known as third-party CAs and refer to commercial certificate authorities, enterprise certificate authorities, SMGRs, or any on-premise certificate authority.

Trusted certificates

Trusted certificates are the certificates of certificate authorities (CAs). These certificates are used to validate the identity certificates that the Experience Portal servers receive during the setup of TLS communication.

Generally, a trusted certificate is a single certificate (usually the root certificate of the CA) or a chain of certificates (the root certificate and the CA intermediate certificates).

If Experience Portal receives an identity certificate issued and signed by a trusted certificate installed on Experience Portal, the identity certificate is deemed trusted.

The different types of trusted certificates in Experience Portal determine the communication links used to validate the identity certificates. For example, application-type trusted certificates are used to validate secure communication between Experience Portal servers and external application servers.
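The two rules stated above (a minimum key size of 2048 bits, and an identity certificate being trusted only when it is signed by an installed trusted certificate) can be checked before a certificate is installed. The following is an added example using the openssl command line, not part of the Experience Portal product or its documentation; the function names, file names, and the throwaway test CA are assumptions constructed for illustration, and the key-size parsing assumes RSA keys.

```shell
#!/bin/sh
# Added example: pre-install check for an identity certificate.
# MIN_BITS is taken from the page's note; every name below is hypothetical.
MIN_BITS=2048

# Print the public key size in bits as reported by openssl (RSA assumed).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the certificate chains to a CA in the given PEM bundle.
# $1 = identity certificate, $2 = bundle of trusted CA certificates
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Return 0 if acceptable, 1 if the key is too small, 2 if the chain fails.
check_identity_cert() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
        echo "REJECT $1: key size ${bits:-unknown} < $MIN_BITS bits" >&2
        return 1
    fi
    if ! cert_chains_to "$1" "$2"; then
        echo "REJECT $1: not signed by a CA in $2" >&2
        return 2
    fi
    echo "OK $1: $bits-bit key, chain verified"
}

# Constructed sample input: a throwaway CA and a leaf signed by it.
# Usage: make_sample_pki DIR LEAF_BITS   (writes DIR/ca.pem and DIR/leaf.pem)
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey "rsa:$2" -nodes -subj "/CN=mpp.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}
```

Run `check_identity_cert leaf.pem trusted-ca-bundle.pem` against the certificate and the CA chain you intend to install; a non-zero exit status tells you which of the two rules failed.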