Custom CA Certificate Trust Store
Configuration > Overlays & Security > Security > Custom CA Certificate Trust Store
EdgeConnect appliances are pre-loaded with the Mozilla root store, which contains the root certificates of public CAs. The appliance uses this root store for cryptographic verification when opening TLS connections to Orchestrator and Cloud Portal. If you choose to build your own certificate trust store, you must enable the Custom CA Certificate Trust Store and upload the certificates here.
NOTICE: If you are using Orchestrator SP or Orchestrator aaS, you should never use the Custom CA Certificate Trust Store. It should only be used with a self-hosted Orchestrator (on-prem or cloud) that requires a custom certificate.
This feature is commonly used if you have deployed a web proxy between EdgeConnect and Orchestrator or Cloud Portal, or if you do not wish to purchase a certificate from a public CA. This feature can also be used if you choose to use a server certificate signed by a private CA.
If you want your Orchestrator and appliances to establish connectivity with any of the following services, you must add the certificates for these services to the Custom CA Certificate Trust Store:
- Aruba Cloud Portal
- Google APIs
- Remote authentication, such as OAuth, JWT, or SAML
- Remote log receiver
- Netskope
- Zscaler
- Azure
- Aruba ClearPass Policy Manager
Follow these steps to add a certificate to the custom certificate trust store:
- Click Add Certificate to Custom Trust Store.
  The Add/Edit Custom Certificates dialog box opens.
- Enter an Alias for the certificate in the Alias field.
- Paste the root certificate into the Certificate field.
- Click Save.
After uploading the root certificate, follow these steps to enable the custom certificate trust store:
- Click Test Connectivity to Portal to validate that appliances can successfully connect to Orchestrator and Cloud Portal using the custom CA.
- Click the Use Custom Certificate Trust Store check box.
- Click Apply Changes.
To have the EdgeConnect appliance verify the Orchestrator certificate, you must click the Verify Orchestrator Certificate check box on the Advanced Security Settings dialog box. To do this, navigate to Configuration > Overlays & Security > Advanced Security Settings.
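The following pre-check is an added example, not part of the product documentation. Run on an administrator workstation before pasting a PEM into the Certificate field, it builds a Python TLS context that trusts only that PEM, flags entries that are not CA certificates, not self-issued, or near expiry, and attempts a handshake with a self-hosted Orchestrator. The function names and command-line arguments are assumptions of this example, and the result reflects Python's certificate verification, not the appliance's own implementation.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

def context_for_pasted_pem(pem_text):
    """Client context trusting only the pasted PEM, with no system or Mozilla roots."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain and hostname checks are on
    ctx.load_verify_locations(cadata=pem_text)     # ssl.SSLError if nothing parses
    return ctx

def non_ca_count(ctx):
    """Certificates in the store that OpenSSL does not treat as CAs (e.g. a pasted leaf)."""
    stats = ctx.cert_store_stats()
    return stats["x509"] - stats["x509_ca"]

def audit_roots(entries, now=None, warn_days=90):
    """entries: dicts shaped like SSLContext.get_ca_certs() output -> [(CN, problem)]."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cert in entries:
        cn = dict(kv for rdn in cert["subject"] for kv in rdn).get("commonName", "?")
        if cert["subject"] != cert["issuer"]:
            findings.append((cn, "issuer differs from subject: not a root"))
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        if expires <= now:
            findings.append((cn, "expired"))
        elif expires - now < timedelta(days=warn_days):
            findings.append((cn, "expires within %d days" % warn_days))
    return findings

def probe(host, ctx, port=443, timeout=5):
    """TLS handshake against host using only the custom roots -> (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: precheck.py <root.pem> <orchestrator-hostname>")
    ctx = context_for_pasted_pem(open(sys.argv[1]).read())
    print("non-CA certificates:", non_ca_count(ctx))
    print("findings:", audit_roots(ctx.get_ca_certs()))
    print("handshake:", probe(sys.argv[2], ctx))
```

A non-zero non-CA count or a "not a root" finding usually means a server or intermediate certificate was copied instead of the root.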