By default, your system includes a self-signed certificate when the system is first installed.
You cannot delete the currently installed certificate. However, you can replace it by:
- Installing a new PKCS12 certificate.
- Generating and installing a new self-signed certificate.
- Generating a certificate signing request (CSR) and installing the certificate you receive in response to this request.
System certificate considerations
Keep the following in mind when configuring SSL certificates for your system, especially if you are configuring the system to use one or more certificates that you create yourself:
- Do not allow any of the SSL certificates to expire.
- Adhere to the established best practices for setting up SSL certificates. For example, if you are using wildcards to identify hostnames in an SSL certificate, a wildcard should appear only at the beginning of the hostname, not in the middle.
- Ensure that the DNS name for the system matches the name defined in the certificate.
- When configuring a certificate chain, ensure that all intermediate issuers have the appropriate signing authority permissions so that the entire chain is signed.
Installing a certificate you created
You can create an SSL server certificate by using a third-party tool such as OpenSSL. When creating the certificate, you specify two passwords: one for the PKCS12 object containing the certificate and one for the private key for the certificate. To use the certificate with your system, these passwords must be the same.
When you create your own SSL server certificate, you can choose to have that certificate signed by a CA. In this case, the CA you use may provide you with one or more intermediate certificates. These certificates are used in conjunction with the SSL server certificate you created to establish a certificate chain, which is an ordered list of certificates in which each certificate is trusted by the next.
To preserve the chain of trust among the certificates, you need to upload the certificates in the correct order, meaning that each certificate must be immediately followed by the certificate that signs it. For information on the correct order for the certificate chain, refer to your CA.