Forum Discussion
Dec 07, 2015
Hi,
the default cert has a common name of localhost.localdomain and, as eneR already pointed out, it is best practice to replace it with a cert issued for the device-specific hostname. The cert can be self-signed or signed by a certificate authority. If you have it signed by a CA, make sure they leave the certificate purpose as it is (both client and server cert). In case you have (an) intermediate CA(s) involved and your clients trust the root only, it would be required to import the intermediate CA or chain as well. This has to be done on the CLI after copying your chain to /config/httpd/conf/ssl.crt/intermediate_ca.crt:

chmod 0644 /config/httpd/conf/ssl.crt/intermediate_ca.crt
tmsh modify / sys httpd ssl-certchainfile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
bigstart restart httpd
Certs are generally stored in PEM format. Be very careful if you plan to deploy GTM or LinkController. The syncgroup trust is based on the device certs and the purpose attributes (client/server) and chain of trust are mandatory.
Thanks, Stephan