
Orchestrator HTTPS Certificate

Orchestrator > Software & Setup > Setup > HTTPS Certificate

By default, Orchestrator presents a self-signed server certificate to any client opening a TLS connection, including web browsers and EdgeConnect appliances. To ensure secure communications, TLS clients cryptographically verify that a trusted Certificate Authority (CA) issued the Orchestrator certificate. For self-hosted Orchestrators, enterprises must therefore set up an HTTPS server certificate for their Orchestrator.

Orchestrator provides two methods to set up an HTTPS server certificate. The first, new in release 9.4 and the preferred method, has Orchestrator build the end entity certificate: the user creates a Certificate Signing Request (CSR) in Orchestrator, and as part of this process Orchestrator generates the public/private key pair. The user downloads the CSR and submits it to a Certificate Authority (CA) for signing, then uploads the signed end entity certificate in Orchestrator for use in one of several applications. The end entity certificate carries a label, which is significant to Orchestrator and allows the certificate to be used by referring to that label.

NOTE: The Orchestrator HTTPS certificate cannot be added using EST.

To use an end entity certificate as Orchestrator HTTPS server certificate:

NOTE: To use an end entity certificate, you must first create an end entity certificate for use. To do this, see End Entity Certificates Tab.

  1. After the certificate is uploaded on the End Entity Certificates tab, navigate to Orchestrator > Software & Setup > Setup > HTTPS Certificate.

    The HTTPS Certificate dialog box opens.

  2. Click Use End Entity Certificate.

  3. Select the label for the certificate you uploaded from the End Entity Certificate drop-down menu.

  4. Click Save.

NOTE: After saving, you must manually restart Orchestrator for the web server to pick up the new certificate.

NOTE: To have the EdgeConnect appliance verify the Orchestrator certificate, you must click the Verify Orchestrator Certificate check box on the Advanced Security Settings dialog box. To do this, navigate to Configuration > Overlays & Security > Advanced Security Settings.

The other (legacy) method requires everything to be done externally, including creating the public/private key pair and the CSR. This legacy method is not recommended.

To use the legacy method with Orchestrator:

  1. Consult with your IT security team to generate a certificate signing request (CSR), and submit it to your organization’s chosen SSL Certificate Authority (CA).

    • Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft Entrust, and GeoTrust.

    • All certificate and key files must be in PEM format.

  2. After the Certificate Authority provides a CA-verified certificate:

    • Navigate to Orchestrator > Software & Setup > Setup > HTTPS Certificate.

    • If your IT security team advises the use of an Intermediate CA, use an Intermediate Certificate File. Otherwise, skip this file.

    • Load the Certificate File from the CA.

    • Upload the Private Key File that was generated as part of the CSR.

  3. To associate the CA-verified certificate for use with Orchestrator, click Upload.

NOTE: To have the EdgeConnect appliance verify the Orchestrator certificate, you must click the Verify Orchestrator Certificate check box on the Advanced Security Settings dialog box. To do this, navigate to Configuration > Overlays & Security > Advanced Security Settings.
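As an added example (not the Orchestrator product's own tooling), the following shell script performs step 1 of the legacy method with openssl and runs the checks worth doing before the upload in step 2: the files are PEM, the private key matches the certificate, and the certificate chains through the intermediate to a trusted root for the Orchestrator hostname, which is what a browser or an EdgeConnect appliance with Verify Orchestrator Certificate enabled will check. It assumes OpenSSL 1.1.1 or later on PATH, uses orch.example.com as a placeholder FQDN, and constructs a two-tier demo CA inline in place of the real CA.

```shell
# Added example, not from the Orchestrator docs: prepare the PEM material the
# legacy HTTPS-certificate method expects and check it before uploading.
# Assumes OpenSSL 1.1.1+ is on PATH; "orch.example.com" is a placeholder FQDN.
set -eu

# Step 1 of the legacy method: key pair + CSR with the Orchestrator FQDN as SAN.
make_csr() {  # make_csr <fqdn> <dir> -> <dir>/orchestrator.key, <dir>/orchestrator.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -keyout "$2/orchestrator.key" -out "$2/orchestrator.csr" 2>/dev/null
}

# Step 2 checks: the upload form wants PEM files, and the private key must be
# the one generated with the CSR, otherwise the web server cannot serve TLS.
is_pem() { grep -q '^-----BEGIN ' "$1" && grep -q '^-----END ' "$1"; }

key_matches_cert() {  # key_matches_cert <cert.pem> <key.pem>
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# What a verifying client (browser, or EdgeConnect with Verify Orchestrator
# Certificate on) does: chain to a trusted root via the intermediate, match hostname.
chain_ok() {  # chain_ok <cert.pem> <intermediate.pem> <root.pem> <fqdn>
  openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

# Constructed two-tier test PKI (root -> issuing CA -> Orchestrator) standing in
# for the real CA, so the checks above can be exercised offline.
build_demo_pki() {  # build_demo_pki <fqdn> <dir>
  d=$2
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/int.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
  make_csr "$1" "$d"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" >"$d/leaf.ext"
  openssl x509 -req -in "$d/orchestrator.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/orchestrator.pem" 2>/dev/null
}

run_checks() {  # run_checks <dir> <fqdn>: all pre-upload checks for the legacy method
  is_pem "$1/orchestrator.pem" && is_pem "$1/int.pem" && is_pem "$1/orchestrator.key" &&
    key_matches_cert "$1/orchestrator.pem" "$1/orchestrator.key" &&
    chain_ok "$1/orchestrator.pem" "$1/int.pem" "$1/root.pem" "$2"
}
```

Run `build_demo_pki orch.example.com "$dir"` followed by `run_checks "$dir" orch.example.com` to exercise it end to end; against real CA output, point `chain_ok` at the CA's intermediate and root files instead.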