Custom CA Certificate Trust Store
Configuration > Overlays & Security > Security > Custom CA Certificate Trust Store
Release 9.4 introduces Common Criteria (CC) mode for both Orchestrator and EdgeConnect appliances. By default, CC mode is disabled, which means that Orchestrator and EdgeConnect do not validate HTTPS server certificates except for communications between Cloud Portal, Orchestrator, and EdgeConnect, which are controlled by Orchestrator Advanced Security Settings.
Orchestrator ships with a default trust store containing well-known, globally trusted root CA certificates. The Certificate Authority (CA) certificates required to establish trust with Cloud Portal are in Orchestrator's default trust store. Orchestrator also has a Custom CA Certificate Trust Store. Customers deploying self-hosted Orchestrators must add CA certificates to the Custom Trust Store. Orchestrator and EdgeConnect use one store or the other: either the default trust store or the Custom CA Certificate Trust Store, never both at once.
In release 9.4, when operating in Common Criteria mode, all HTTPS connections require validation of server certificates for both Orchestrator and EdgeConnect appliances. Any EdgeConnect end entity certificate to be validated must have its root CA and intermediate CAs in the Custom CA Certificate Trust Store.
You must add the default root CA certificates from the default trust store to the Custom CA Certificate Trust Store (a one-time action). This is primarily required to ensure that the root CA certificate for HPE Aruba Networking Cloud Portal is in the Custom CA Certificate Trust Store. Other default root CA certificates that you do not need can be removed if desired. Enterprises deploying self-hosted Orchestrators must install their end entity certificate (HTTPS server certificate) in the Orchestrator instance. If the issuer's root CA certificate is not already among the default root CA certificates copied from the default trust store, enterprises must add it to the Custom CA Certificate Trust Store. In summary, enterprises must add to the Orchestrator Custom CA Certificate Trust Store every CA certificate in the chain used to sign the end entity certificate of the target server.
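The chain requirement above (root and intermediate CAs both present in the custom trust store, with the server presenting only its own certificate) can be checked offline before certificates are pasted into Orchestrator. The following Go program is an added example written for this page, not HPE Aruba Networking code and not an Orchestrator API: it builds a constructed three-tier PKI in memory (a root CA, an intermediate CA, and a server certificate for the made-up host orchestrator.example.internal), then validates the server certificate against a trust store holding the root alone and against one holding root plus intermediate. The trust store is modelled as a set of PEM CA certificates treated as trust anchors, which is an assumption about how a validating client uses such a store; the names, serials and validity periods are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const Hostname = "orchestrator.example.internal" // constructed server name on the demo leaf certificate

type DemoChain struct{ RootPEM, IntermediatePEM, LeafPEM []byte } // constructed root -> intermediate -> server

// template builds either a CA certificate template or a TLS server (end entity) template.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca { // CA certificates carry the basic constraint and key-usage bits a validator checks
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // server certificate: SAN for hostname matching, server-auth extended key usage
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the parent's key (a nil parent yields a self-signed root). Generating
// and signing with fresh in-memory keys cannot realistically fail, so errors are fatal here.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// Concat joins PEM blocks the way a trust store holds several CA certificates.
func Concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// BuildDemoChain generates the constructed root, intermediate and server certificates.
func BuildDemoChain() *DemoChain {
	root, rootKey := issue(template("Demo Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Demo Intermediate CA", 2, true), root, rootKey)
	leaf, _ := issue(template(Hostname, 3, false), inter, interKey)
	return &DemoChain{toPEM(root), toPEM(inter), toPEM(leaf)}
}

// VerifyServerCert validates a PEM server certificate against a trust store given as concatenated
// PEM CA certificates, as a client holding only that store would. The server is assumed to present
// just its own certificate, so every CA needed to complete the chain must come from the store.
func VerifyServerCert(leafPEM, storePEM []byte, hostname string) error {
	store := x509.NewCertPool()
	if !store.AppendCertsFromPEM(storePEM) {
		return errors.New("trust store contains no parseable CA certificate")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("server certificate is not PEM encoded")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: hostname, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	chain := BuildDemoChain()
	fmt.Println("root CA only:       ", VerifyServerCert(chain.LeafPEM, chain.RootPEM, Hostname))
	fmt.Println("root + intermediate:", VerifyServerCert(chain.LeafPEM, Concat(chain.RootPEM, chain.IntermediatePEM), Hostname))
}
```

Run with `go run`: the first line reports an unknown-authority error because the intermediate that actually signed the server certificate is absent from the store, and the second reports `<nil>`. To apply the same check to a real deployment, replace the constructed PEM values with the server's end entity certificate and the exact set of CA certificates you intend to paste into the custom trust store.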
NOTICE: If you are using Orchestrator as a Service (OaaS), ensure that you have copied the root CA certificates from the default trust store to the Custom CA Certificate Trust Store, and verified communications from the appliances to both Orchestrator and Cloud Portal before you enable the Custom CA Certificate Trust Store.
If you want your Orchestrator and appliances to establish connectivity with any of the following services, you must add the certificates for these services to the Custom CA Certificate Trust Store:
- Remote authentication servers, such as OAuth, JWT, or SAML
- Remote log receivers
- Netskope
- Zscaler
- Azure
- HPE Aruba Networking ClearPass Policy Manager
Follow these steps to add well-known, globally trusted certificates from the default trust store to the Custom CA Certificate Trust Store:
- Click Add Default Certificates. The custom trust store is populated with multiple default certificates.
- Click Apply Changes.
Follow these steps to enable the custom certificate trust store:
NOTICE: You must either add the root CA certificates from the default trust store or upload at least one certificate before you can enable the custom trust store.
- Click Test Connectivity to Portal to validate that appliances can successfully connect to Orchestrator and Cloud Portal using the custom CA.
- Click the Use Custom Certificate Trust Store check box.
- Click Apply Changes.
Follow these steps to add a CA certificate to the custom certificate trust store:
- Click Add Certificate to Custom Trust Store. The Add/Edit Custom Certificates dialog box opens.
- Enter a meaningful Alias for the certificate in the Alias field. For example, for an Orchestrator web server certificate use “Orchestrator_HTTPS”, or for a Syslog server use “Syslog_HTTPS”.
- Paste the root certificate into the Certificate field.
- Click Save.
NOTICE: After adding root CA certificates to the Custom Trust Store, Orchestrator must be restarted.