Custom CA Certificate Trust Store

Configuration > Overlays & Security > Security > Custom CA Certificate Trust Store

Release 9.4 introduces Common Criteria (CC) mode for both Orchestrator and EdgeConnect appliances. By default, CC mode is disabled, which means that Orchestrator and EdgeConnect do not validate HTTPS server certificates except for communications between Cloud Portal, Orchestrator, and EdgeConnect, which are controlled by Orchestrator Advanced Security Settings.

Orchestrator ships with a default trust store with well-known, globally trusted root CA certificates. The Certificate Authority (CA) certificates required to establish trust to Cloud Portal are in Orchestrator’s default trust store. Orchestrator also has a Custom CA Certificate Trust Store. Customers deploying self-hosted Orchestrators must add CA certificates to the Custom Trust Store. Orchestrator and EdgeConnect use one or the other: either the default trust store or the Custom CA Certificate Trust Store.

In release 9.4, when operating in Common Criteria mode, all HTTPS connections require validation of server certificates for both Orchestrator and EdgeConnect appliances. Any EdgeConnect end entity certificate to be validated must have its root CA and intermediate CAs in the Custom CA Certificate Trust Store.

You must add the default root CA certificates from the default trust store to the Custom CA Certificate Trust Store (one-time action). This is primarily required to ensure that the root CA certificate for HPE Aruba Networking Cloud Portal is in the Custom CA Certificate Trust Store. Other unneeded default root CA certificates can be removed if desired.

Enterprises deploying self-hosted Orchestrators must install their end entity certificate (HTTPS server certificate) in the Orchestrator instance. If the root CA certificate associated with the issuer is not already in the collection of default root CA certificates from the default trust store, enterprises must add it to the Custom CA Certificate Trust Store. In summary, enterprises must add to the Orchestrator Custom CA Certificate Trust Store the CA certificates used to sign the end entity certificate of the target server.
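The chain requirement above (root CA and intermediate CAs both present in the store) can be rehearsed offline before the custom trust store is enabled. The following is an added example, not HPE code: it assumes the OpenSSL 1.1.1 or later command line, models the trust store as a PEM bundle, and builds a constructed lab PKI whose names and paths are made up.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (root -> intermediate -> server) used to rehearse what a
# trust store must contain before strict certificate validation is switched on.
# Every subject, host name and path here is made up for the example.

make_lab_pki() {  # $1 = empty working directory
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:orch.example.test\n' > "$d/leaf.ext"
  for n in root inter server; do   # one key pair and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
}

# chain_ok BUNDLE CERT: true only if CERT chains to a root inside BUNDLE.
# -no-CApath keeps the system CA directory out of the decision, so BUNDLE
# behaves like the only trust store in use.
chain_ok() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# report LABEL BUNDLE CERT: one result line per candidate store.
report() {
  if chain_ok "$2" "$3"; then echo "$1: chain validates"
  else echo "$1: chain does NOT validate"; fi
}

lab=$(mktemp -d)
make_lab_pki "$lab" || { echo "openssl failed" >&2; exit 1; }
cat "$lab/root.pem" "$lab/inter.pem" > "$lab/store-full.pem"
report "root only"           "$lab/root.pem"       "$lab/server.pem"
report "intermediate only"   "$lab/inter.pem"      "$lab/server.pem"
report "root + intermediate" "$lab/store-full.pem" "$lab/server.pem"
rm -rf "$lab"
```

Only the bundle holding both the root and the intermediate validates the server certificate. The same `chain_ok` check can be pointed at a PEM file of the CA certificates you plan to add and at the server certificate of a service you need to reach.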

NOTICE: If you are using Orchestrator as a Service (OaaS), ensure that you have copied the root CA certificates from the default trust store to the Custom CA Certificate Trust Store, and verified communications from the appliances to both Orchestrator and Cloud Portal before you enable the Custom CA Certificate Trust Store.

If you want your Orchestrator and appliances to establish connectivity with any of the following services, you must add the certificates for these services to the Custom CA Certificate Trust Store:

  • Remote authentication servers, such as OAuth, JWT, or SAML

  • Remote log receivers

  • Netskope

  • Zscaler

  • Azure

  • HPE Aruba Networking ClearPass Policy Manager

Follow these steps to add well-known, globally trusted certificates from the default trust store to the Custom CA Certificate Trust Store:

  1. Click Add Default Certificates.

    The custom trust store is populated with multiple default certificates.

  2. Click Apply Changes.

Follow these steps to enable the custom certificate trust store:

NOTICE: You must either add the root CA certificates from the default trust store or upload at least one certificate before you can enable the custom trust store.

  1. Click Test Connectivity to Portal to validate that appliances can successfully connect to Orchestrator and Cloud Portal using the custom CA.

  2. Click the Use Custom Certificate Trust Store check box.

  3. Click Apply Changes.

Follow these steps to add a CA certificate to the custom certificate trust store:

  1. Click Add Certificate to Custom Trust Store.

    The Add/Edit Custom Certificates dialog box opens.

  2. Enter a meaningful Alias for the certificate in the Alias field. For example, for an Orchestrator web server certificate use “Orchestrator_HTTPS” or for a Syslog server use “Syslog_HTTPS”.

  3. Paste the root certificate into the Certificate field.

  4. Click Save.

NOTICE: After adding root CA certificates to the Custom Trust Store, Orchestrator must be restarted.


© Copyright 2025 Hewlett Packard Enterprise Development LP.
