The SSL protocol is used to secure communication over the Internet between the management station and the device. For secure communication, a valid SSL certificate from a certificate authority must be imported into the device.
To learn more about certificates, refer to the certificate authority and ITU-T Recommendation X.509.
SSL Certificate Installation
You must install the SSL certificate in any browser that you will use to connect to a device.
Important: SSL Self-Signed Certificate Detection
When performing vulnerability scans with tools such as Nessus, you may encounter a finding titled "SSL Self-Signed Certificate" or "SSL Certificate Cannot Be Trusted". This detection is expected behavior.
You can replace this default self-signed certificate with a certificate from a trusted CA during installation or on demand.
Generating Certificates
Synchronize System Date and Time
Ensure the system date and time are synchronized before generating or renewing a local custom certificate. We recommend using PTP or NTP for accurate time synchronization, as maintaining consistent system time across systems is crucial for reliable certificate expiry verification.
For more information, see Setting the System Date and Time.
High CPU Resource Consumption
Generate local certificates during maintenance periods, as filling the entropy source for key-pair generation temporarily requires all available CPU resources.
The local default certificate is automatically generated during the initial boot and following a factory reset. You can generate and activate a local custom self-signed certificate.
This procedure requires management permission.
To generate a local custom certificate:
- Open the Management Web Interface.
- Navigate to System ▶ Maintenance ▶ Certificates.
- In Certificate generation, complete the required fields.
For more information, see Certificate Generation Parameters.
- Click Generate.
Exporting Certificates
Export the local default or custom certificate to a remote server using scp, ftps, https, or sftp.
This procedure requires management permission.
To export a certificate:
- Open the Management Web Interface.
- Navigate to System ▶ Maintenance ▶ Certificates.
- In Certificate export, complete the required fields.
For more information, see Certificate Export Parameters.
- Click Download.
The exported certificate file will be named CommonName.extension, where extension corresponds to the exported format:
- pem: for X509-PEM format
- der: for X509-DER format
- p7b: for pkcs7 format
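Before importing an exported file into a browser trust store, it is worth confirming what it contains. The following is an added example, not part of the product documentation: it reads a file by its export extension, then checks whether subject and issuer match (the condition behind the scanner finding described earlier), whether a DNS name is in the subject alternative name list, and whether the certificate is close to expiry. The host names, file names and helper function names are constructed, and the .p7b export is assumed to be PEM-encoded.

```shell
# Added example (not vendor code); needs the openssl CLI, 1.1.1 or later.
# Host and file names are constructed. Assumes the .p7b export is PEM-encoded.

# Write the certificate in FILE to stdout as PEM; decoder chosen by extension.
cert_to_pem() {
    case "$1" in
        *.pem) openssl x509 -in "$1" -inform PEM ;;
        *.der) openssl x509 -in "$1" -inform DER ;;
        *.p7b) openssl pkcs7 -in "$1" -print_certs | openssl x509 ;;
        *) echo "unsupported extension: $1" >&2; return 2 ;;
    esac
}

# Succeed when subject and issuer are the same name.
is_self_signed() {
    pem=$(cert_to_pem "$1") || return 2
    s=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253)
    i=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer -nameopt RFC2253)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Succeed when NAME is listed as a DNS subject alternative name in FILE.
san_has_dns() {
    cert_to_pem "$1" | openssl x509 -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fqx "DNS:$2"
}

# Succeed when FILE will have expired SECONDS from now or cannot be parsed.
# Compares against the local clock, so that clock must be synchronized.
expires_within() {
    ! cert_to_pem "$1" | openssl x509 -noout -checkend "$2" >/dev/null
}

# Build a constructed 30-day self-signed certificate in DIR, in all three formats.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=CA/CN=device.example.test" \
        -addext "subjectAltName=DNS:device.example.test,DNS:mgmt.example.test" \
        -keyout "$1/key.pem" -out "$1/device.example.test.pem" 2>/dev/null &&
    openssl x509 -in "$1/device.example.test.pem" -outform DER \
        -out "$1/device.example.test.der" &&
    openssl crl2pkcs7 -nocrl -certfile "$1/device.example.test.pem" \
        -out "$1/device.example.test.p7b"
}

demo=$(mktemp -d) && make_sample "$demo" && for f in "$demo"/device.example.test.*; do
    is_self_signed "$f" && echo "${f##*/}: subject = issuer (self-signed)"
done
rm -rf "$demo"
```

For a real export, skip make_sample and pass the downloaded CommonName.pem, .der or .p7b file to the check functions.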
Viewing Certificates
View a list of SSL certificates present in the device and display their content.
To view SSL certificates:
- Open the Management Web Interface.
- Navigate to System ▶ Maintenance ▶ Certificates.
- In Certificate management, the list of available certificates is displayed.
- Click View for a certificate to display its contents.
For more information, see Certificate Management Parameters.
Deleting Certificates
Remove SSL certificates from the device.
To delete a certificate:
- Open the Management Web Interface.
- Navigate to System ▶ Maintenance ▶ Certificates.
- In Certificate management, click Delete for the certificate that you want to delete.
For more information, see Certificate Management Parameters.
Renewing Certificates
Ensure the system date and time are synchronized before generating or renewing a local custom certificate. We recommend using PTP or NTP for accurate time synchronization, as maintaining consistent system time across systems is crucial for reliable certificate expiry verification.
For more information, see Setting the System Date and Time.
Generate and activate a new local default or custom certificate. The new certificate retains the properties of the current local certificate. A new key pair will be generated for use in the new certificate.
This procedure requires management permission.
To renew a certificate:
- Open the Management Web Interface.
- Navigate to System ▶ Maintenance ▶ Certificates.
- In Certificate management, click Renew for the certificate that you want to renew.
Note: The Renew button is available only for local certificates that are eligible for renewal.
For more information, see Certificate Management Parameters.
Importing Certificates
Download and activate an SSL certificate from a remote server.
To import a certificate:
- Open the Management Web Interface.
- Navigate to System ▶ Maintenance ▶ Certificates.
- In Certificate import, click Browse, then locate and select the certificate to import.
- Complete the required fields.
For more information, see Certificate Import Parameters.
- Click Upload.
The certificate will be installed on the device and will appear in the Certificate management section.
Assigning Certificates
Configure the device for secure communication with specific applications, such as an FTP server, in the Application management section, which manages the validation of certificate use.
To assign a certificate:
- Open the Management Web Interface.
- Navigate to System ▶ Maintenance ▶ Certificates.
- In Application management, select the certificate from the Common name drop-down list.
- Complete the required fields.
Recommended: For File transfers, enable Validate CA to conduct peer certificate validation.
For more information, see Application Management Parameters.
- Click Submit.
If you submitted a certificate for Web management, you must restart the WebServer to activate the new certificate. A warning message may not display, so it's important to remember to perform this step.
If submitted via the Management Web Interface, click Restart. If submitted via CLI, disable and then re-enable the WebServer by using these commands, in order:
system edit os-service http-server http-service disable
system edit os-service http-server http-service enable
Alternatively, you may reboot the device.
Certificate Generation Parameters
Parameter | Description |
---|---|
Country-name | (Required) Two-letter country code where the organization is located, for example: US, CA |
State | State or province where the organization is located. |
Locality | City or locality where the organization is located. |
Organization | Name of the organization to which the certificate is issued. |
Organization unit | Division or department within the organization. |
Common name | (Required) Typically represents the domain name for which the certificate is issued. Must be a Fully Qualified Domain Name (FQDN). |
Subject alternative name | (Required) Allows the user to specify additional identities for the certificate, beyond the common name (CN). Must be a list of DNS names, comma separated. |
Certificate Export Parameters
Parameter | Description |
---|---|
Type | (Required) Certificate format: pkcs7, PEM, and DER. |
Common name | (Required) Typically represents the domain name for which the certificate is issued. Must be a Fully Qualified Domain Name (FQDN). |
Certificate Management Parameters
Certificate Management (System ▶ Maintenance ▶ Certificates)
Parameter | Description |
---|---|
Common name | For a Certificate Authority (CA): This is the name of the organization that issued the certificate. For a server: This is the Fully Qualified Domain Name (FQDN) of the service (i.e., the WebServer) using the certificate. For a client: This may be the name of the application. |
Valid until | The date when the certificate expires. It may still be valid if the peer has disabled checking. |
Function | Describes how the certificate can be used in the device.
|
Application Management Parameters
Application Management (System ▶ Maintenance ▶ Certificates)
Parameter | Description |
---|---|
Application | Possible values are:
|
Common name | For a Certificate Authority (CA): This is the name of the organization that issued the certificate. For a server: This is the Fully Qualified Domain Name (FQDN) of the service (i.e., the WebServer) using the certificate. For a client: This may be the name of the application. |
Validate CA | For client applications, enable or disable peer certificate validation, which involves these validation points:
Note: Enabling this option is recommended. |
Enable Client | For client applications, enable or disable the use of the selected client certificate. |
Certificate Import Parameters
Certificate Import (System ▶ Maintenance ▶ Certificates)
Parameter | Description |
---|---|
Type | The following certificate file types are supported:
|
Passcode | Applies to pkcs12 or PEM-encoded private keys, which use a passcode. The passcode is only used once for importing. |
Import certificate | The name of the selected certificate appears here before you upload it. |
Guidelines for Web Management Certificate Usage
Refer to the following sections for the recommended steps when using certificates for Web management.
Using the Local Default Certificate for Web Management
If you prefer to use the local default certificate for Web management, follow these recommended steps.
This procedure covers the use of a local default certificate for new devices and does not apply to firmware upgrades.
To use the local default certificate for Web management:
- Boot up the device for the first time.
A local default certificate is automatically generated and used for Web management.
- Establish an unsafe HTTPS connection to the device.
The certificate is not recognized by the browser.
- Synchronize the system date and time.
- Export the local default certificate and import it into your web browser's trust store.
- Initiate a secure HTTPS connection to the device's WebServer.
A synchronized date and time (as established in step 3) on the server is required to accept and validate the server certificate.
Using a Local Custom Certificate for Web Management
If you prefer to use a local custom certificate for Web management, follow these recommended steps.
This procedure covers the use of a local custom certificate for new devices and does not apply to firmware upgrades.
To use a local custom certificate for Web management:
- Boot up the device.
A local default certificate is automatically generated and used for Web management.
- Establish an unsafe HTTPS connection to the device.
The certificate is not recognized by the browser.
- Synchronize the system date and time.
- Generate a local custom certificate.
- Use this local custom certificate for Web management.
- Export the local custom certificate and import it into your web browser's trust store.
- Initiate a secure HTTPS connection to the device's WebServer.
A synchronized date and time (as established in step 3) on the server is required to accept and validate the server certificate.
Using an Imported Certificate for Web Management
If you prefer to use an imported certificate for Web management, follow these recommended steps.
This procedure covers the management of numerous deployed devices by enabling secure HTTPS connections through user-generated certificate imports for web management.
To use an imported certificate for Web management:
- Boot up the device.
A local default certificate is automatically generated and used for Web management.
- Establish an unsafe HTTPS connection to the device.
The certificate is not recognized by the browser.
- Synchronize the system date and time.
- Import the user certificate.
This certificate must be a leaf certificate, signed by a private or public CA, and recognizable within the deployed environment.
- Use this imported certificate for Web management.
- Initiate a secure HTTPS connection to the device using a web browser that has the signing CA (used to generate the device leaf certificate) in its trusted root store.
© 2025 Cisco and/or its affiliates. All rights reserved.