Configuring POM certificates

Last Updated : Mar 19, 2024

POM uses digital certificates for internal and external communications. POM communicates with dependent components, such as Experience Portal and the Application server, using these certificates.

The following are the requirements for a custom certificate:

  • A user certificate

  • The private key of the user certificate

  • The Certificate Authority (CA) certificate that you used to sign the user certificate

The supported formats for the user certificate and the CA certificate are .pem (x509), .crt, and .der. The certificate vendor may also provide the user certificate and its private key together in PKCS12 format.

The following are the two methods for using certificates in POM:

  • Generating self-signed certificates using the built-in utility.

  • Importing custom certificates from a trusted certificate provider.

The following table lists the locations where POM stores certificates:

Security Mode | Location                         | Description
Non FIPS      | $POM_HOME/config/pomKeyStore     | The location to store the user certificate and the private key of the user certificate. When POM serves as a client, it uses the certificate stored in this location for the intended server.
FIPS          | $POM_HOME/config/pomKeyStore.bks | The location to store the CA certificates of all trusted CAs. When POM serves as a server, it uses the certificates stored in this location to validate the client certificate.

After creating, adding, or exchanging the certificates, you must restart the Experience Portal Management System and the POM services.

If the POM system contains multiple IP addresses, you must include the Fully Qualified Domain Name (FQDN) of the system in the Common Name (CN) and Subject Alternate Name (SAN) attributes of the certificate. When adding the POM server from the Add POM Server page, enter the FQDN of the POM system in the POM Server IP Address field.
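Before importing a custom certificate set, it is worth confirming that the three required pieces belong together and that the FQDN requirement above is met. The following shell script is an added example, not Avaya tooling: it assumes openssl is on the PATH, and the file names and the FQDN pom.example.com are placeholders. It checks that the private key matches the user certificate, that the supplied CA certificate signed it, and that the FQDN appears in both CN and SAN; the demo set it builds is constructed only to exercise the check.

```shell
#!/bin/sh
# Added example (not Avaya's tooling): pre-import checks for a custom POM
# certificate set: user certificate, its private key, and the signing CA cert.
# Assumes openssl is on PATH; file names and the FQDN are placeholders.

# check_pom_cert_set USER_CERT USER_KEY CA_CERT FQDN -> 0 only if the key
# belongs to the cert, the CA cert signed it, and the FQDN is in CN and SAN
# (the page requires both when the POM system has multiple IP addresses).
check_pom_cert_set() {
  cert=$1; key=$2; ca=$3; fqdn=$4
  # 1. Private key must match the user certificate (compare public keys).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }
  # 2. The supplied CA certificate must be the one that signed the user cert.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "CA certificate did not sign the user certificate"; return 1; }
  # 3. CN must equal the FQDN (RFC2253 output, split on commas, exact match).
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | grep -qxF "CN=$fqdn" \
    || { echo "CN is not $fqdn"; return 1; }
  # 4. SAN must carry a DNS entry equal to the FQDN (exact match, not substring).
  openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "DNS:$fqdn" || { echo "SAN lacks DNS:$fqdn"; return 1; }
  return 0
}

# make_demo_set DIR FQDN: constructs a throwaway CA and a CA-signed user cert
# with the FQDN in CN and SAN, only so the check above can be exercised.
make_demo_set() {
  dir=$1; fqdn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo POM CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/pom.key" -out "$dir/pom.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
  openssl x509 -req -in "$dir/pom.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/san.ext" -out "$dir/pom.crt" >/dev/null 2>&1
}

# Demo on a constructed set with a placeholder FQDN.
demo=$(mktemp -d) && make_demo_set "$demo" pom.example.com
check_pom_cert_set "$demo/pom.crt" "$demo/pom.key" "$demo/ca.crt" pom.example.com \
  && echo "certificate set is ready to import for pom.example.com"
```

Run the same check against a vendor-supplied PKCS12 bundle by first splitting it with openssl pkcs12 -nodes into its PEM certificate and key.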