Managing SSL Certificates (Assurance Sensors)

Updated
  • Updated on Aug 8, 2025
  • 9 minute(s) read
  • AH
  • AC
 Prev Next

The SSL protocol is used to secure communication over the Internet between the management station and the device. For secure communication, a valid SSL certificate from a certificate authority must be imported into the device.

To learn more about certificates, refer to the certificate authority and ITU-T Recommendation X.509.

SSL Certificate Installation
You must install the SSL certificate in any browser that you will use to connect to a device.

Important: SSL Self-Signed Certificate Detection
When performing vulnerability scans with tools such as Nessus, you may encounter a finding titled "SSL Self-Signed Certificate" or "SSL Certificate Cannot Be Trusted" . This detection is expected behavior.

You can replace this default self-signed certificate with a certificate from a trusted CA during installation or on demand.

Generating Certificates

Synchronize System Date and Time

Ensure the system date and time are synchronized before generating or renewing a local custom certificate. We recommend using PTP or NTP for accurate time synchronization, as maintaining consistent system time across systems is crucial for reliable certificate expiry verification.

For more information, see Setting the System Date and Time.

High CPU Resource Consumption

Generate local certificates during maintenance periods, as filling the entropy source for key-pair generation temporarily requires all available CPU resources.

A default self-signed certificate (or default certificate) is automatically created by the firmware during the boot phase for the first boot and after a factory reset, using default values for its attributes. You can import the the default certificate into your trusted store to establish a secure HTTPS connection.

You can manually generate a custom self-signed certificate (or custom certificate) during run-time if needed. It allows you to tailor the certificate's properties to match your deployment environment. This customization includes configuring the fully-qualified domain name (FQDN) in the Common Name (CN) and the Subject Alternative Name (SAN) fields among other options.

This procedure requires management permission.

To generate a local custom certificate:

  1. Open the Management Web Interface.
  2. Navigate to System â–¶ Maintenance â–¶ Certificates.
  3. In Certificate generation, complete the required fields.
    For more information, see Certificate Generation Parameters.
  4. Click Generate.

Exporting Certificates

Export the local default or custom certificate to a remote server using scp, ftps, https, or sftp.

This procedure requires management permission.

To export a certificate:

  1. Open the Management Web Interface.
  2. Navigate to System â–¶ Maintenance â–¶ Certificates.
  3. In Certificate export, complete the required fields.
    For more information, see Certificate Export Parameters.
  4. Click Download.
    The exported certificate file will be named as follows: CommonName.extension, where extension corresponds to the exported format:
    • pem: for X509-PEM format
    • der: for X509-DER format
    • p7b: for pkcs7 format

Viewing Certificates

View a list of SSL certificates present in the device and display their content.

To view SSL certificates:

  1. Open the Management Web Interface.
  2. Navigate to System â–¶ Maintenance â–¶ Certificates.
  3. In Certificate management, the list of available certificates are displayed.
  4. Click View for a certificate to display its contents.

For more information, see Certificate Management Parameters.

Deleting Certificates

Remove SSL certificates from the device.

To delete a certificate:

  1. Open the Management Web Interface.
  2. Navigate to System â–¶ Maintenance â–¶ Certificates.
  3. In Certificate management, click Delete for the certificate that you want to delete.

For more information, see Certificate Management Parameters.

Renewing Certificates

Synchronize System Date and Time

Ensure the system date and time are synchronized before generating or renewing a local custom certificate. We recommend using PTP or NTP for accurate time synchronization, as maintaining consistent system time across systems is crucial for reliable certificate expiry verification.

For more information, see Setting the System Date and Time.

Generate and activate a new local default or custom certificate. The new certificate retains the properties of the current local certificate. A new key pair will be generated for use in the new certificate.

This procedure requires management permission.

To renew a certificate:

  1. Open the Management Web Interface.
  2. Navigate to System â–¶ Maintenance â–¶ Certificates.
  3. In Certificate management, click Renew for the certificate that you want to renew.

Note: The Renew button is available only for local certificates that are eligible for renewal.

For more information, see: Certificate Management Parameters

Importing Certificates

Download and activate an SSL certificate from a remote server.

To import a certificate:

  1. Open the Management Web Interface.
  2. Navigate to System â–¶ Maintenance â–¶ Certificates.
  3. In Certificate import, click Browse, then locate and select the certificate to import.
  4. Complete the required fields.
    For more information, see Certificate Import Parameters.
  5. Click Upload.
    The certificate will be installed on the device and will appear in the Certificate management section.

Assigning Certificates

Configure the device for secure communication with specific applications, such as an FTP server, in the Application management section, which manages the validation of certificate use.

To assign a certificate:

  1. Open the Management Web Interface.
  2. Navigate to System â–¶ Maintenance â–¶ Certificates.
  3. In Application management, select the certificate from the Common name drop-down list.
  4. Complete the required fields.
    Recommended: For File transfers, enable Validate CA to conduct peer certificate validation.
    For more information, see Application Management Parameters.
  5. Click Submit.
Restart the WebServer

If you submitted a certificate for Web management, you must restart the WebServer to activate the new certificate. A warning message may not display, so it's important to remember to perform this step.

If submitted via the Management Web Interface, click Restart. If submitted via CLI, disable and then re-enable the WebServer by using the commands system edit os-service http-server http-service disable and then system edit os-service http-server http-service enable. Alternatively, you may reboot the device.

Certificate Generation Parameters

image.png

Parameter Description
Country-name (Required) Two-letter country code where the organization is located, for example: US, CA
State State or province where the organization is located.
Locality City or locality where the organization is located.
Organization Name of the organization to which the certificate is issued.
Organization unit Division or department within the organization.
Common name (Required)Typically represents the domain name for which the certificate is issued. Must be a Fully Qualified Domain Name (FQDN).
Subject alternative name (Required) Allows the user to specify additional identities for the certificate, beyond the common name (CN). Must be a list of DNS names, comma separated.

Certificate Export Parameters

image.png

Parameter Description
Type (Required) Certificate format: pkcs7, PEM, and DER.
Common name (Required) The name of the local default or custom certificate to export. This name is the certificate's actual common name.

Certificate Management Parameters

image.png

Certificate Management (System â–¶ Maintenance â–¶ Certificates)

Parameter Description
Common name For a Certificate Authority (CA): This is the name of the organization that issued the certificate.

For a server: This is the Fully Qualified Domain Name (FQDN) of the service (i.e., the WebServer) using the certificate.

For a client: This may be the name of the application.
Valid until The date when the certificate expires. It may still be valid if the peer has disabled checking.
Function Describes how the certificate can be used in the device.

  • CA: Used to validate peer certificates; provided as part of the certificate chain for server applications.
  • Client/Server: These certificates were imported with a private key. A CA certificate imported with a private key may also be used for this function, but in that case, it does not show up as a CA.

Application Management Parameters

image.png

Application Management (System â–¶ Maintenance â–¶ Certificates)

Parameter Description
Application Possible values are:

  • Web management: This is the device web interface.
  • File transfers: All applications that send or receive files through a secure channel (HTTPS or FTPS), such as firmware upgrades and configuration import/export using the CLI.
Common name For a Certificate Authority (CA): This is the name of the organization that issued the certificate.

For a server: This is the Fully Qualified Domain Name (FQDN) of the service (i.e., the WebServer) using the certificate.

For a client: This may be the name of the application.
Validate CA

For client applications, enable or disable peer certificate validation.

Peer certificate validation includes checking the certificate revocation status via OCSP and CRL (OCSP-Stapling for certificate revocation status checking is also supported), verifying cryptographic elements such as signature algorithms and X.509 extensions, validating the certificate’s validity period and hostname, and ensuring trustworthiness against the trusted CA store.

Note: Enabling this option is recommended to ensure secure TLS connections.
Enable Client For client applications, enable or disable the use of the selected client certificate.

Certificate Import Parameters

image.png

Certificate Import (System â–¶ Maintenance â–¶ Certificates)

Parameter Description
Type The following certificate file types are supported:

  • pkcs12: For importing client certificates, including the private key and the CA chain of certificates.
  • pkcs7: For importing multiple CA certificates.
  • x509-PEM: For importing either:
    • A client or server certificate and its private key.
    • A single or multiple CA certificate.
  • x509-DER: For importing single CA certificates.

Note: Importing a private key separately from its certificate is not supported.
Passcode Applies to pkcs12 or PEM-encoded private keys, which use a passcode. The passcode is only used once for importing.
Import certificate The name of the selected certificate appears here before you upload it.

Guidelines for Web Management Certificate Usage

Refer to the following sections for the recommended steps when using certificates for Web management.

Using the Local Default Certificate for Web Management

If you prefer to use the local default certificate for Web management, follow these recommended steps.

This procedure covers the use of a local default certificate for new devices and does not apply to firmware upgrades.

To use the local default certificate for Web management:

  1. Boot up the device for the first time.
    A local default certificate is automatically generated and used for Web management.
  2. Establish an unsafe HTTPS connection to the device.
    The certificate is not recognized by the browser.
  3. Synchronize the system date and time.
  4. Export the local default certificate and import it into your web browser's trust store.
  5. Initiate a secure HTTPS connection to the device's WebServer.
    A synchronized date and time (as established in step 3) on the server is required to accept and validate the server certificate.

Using a Local Custom Certificate for Web Management

If you prefer to use a local custom certificate for Web management, follow these recommended steps.

This procedure covers the use of a local custom certificate for new devices and does not apply to firmware upgrades.

To use a local custom certificate for Web management:

  1. Boot up the device.
    A local default certificate is automatically generated and used for Web management.
  2. Establish an unsafe HTTPS connection to the device.
    The certificate is not recognized by the browser.
  3. Synchronize the system date and time.
  4. Generate a local custom certificate.
  5. Use this local custom certificate for Web management.
  6. Export the local custom certificate and import it into your web browser's trust store.
  7. Initiate a secure HTTPS connection to the device's WebServer.
    A synchronized date and time (as established in step 3) on the server is required to accept and validate the server certificate.

Using an Imported Certificate for Web Management

If you prefer to use an imported certificate for Web management, follow these recommended steps.

This procedure covers the management of numerous deployed devices by enabling secure HTTPS connections through user-generated certificate imports for web management.

To use an imported certificate for Web management:

  1. Boot up the device.
    A local default certificate is automatically generated and used for Web management.
  2. Establish an unsafe HTTPS connection to the device.
    The certificate is not recognized by the browser.
  3. Synchronize the system date and time.
  4. Import the user certificate.
    This certificate must be a leaf certificate, signed by a private or public CA, and recognizable within the deployed environment.
  5. Use this imported certificate for Web management.
  6. Initiate a secure HTTPS connection to the device using the web browser that has the signing CA (used to generate device leaf certificate) in the trusted root store.

© 2025 Cisco and/or its affiliates. All rights reserved.
 
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks