Lookout Product Documentation

Types of Certificates

The Transport Layer Security (TLS) protocol is commonly used to encrypt information sent across the Internet. Secure server certificates allow web servers to establish TLS sessions with browsers.

You can either import a valid CA-signed certificate or generate a new certificate. Generated certificates are intended for use only in test environments.

The following certificate types are available for configuration in the Certificate Management page:

  • Client/Server certificates -- These are TLS server certificates that are required for configuration and validation of the Management Console, Reverse Proxy, DPaaS settings, email gateway, and application-specific web services.
  • Signing CA certificates -- Signing CA certificates are essential in configuring forward proxy settings. Each entry represents a certificate and private key, along with a certificate chain required when validating the signature on the certificate. Signing CA certificates are valid for one year.
  • Trusted CAs -- Certificates for which the Add to Trusted CAs checkbox is selected during certificate import or generation are displayed in this tab. Additionally, CA certificates can be imported. These certificates are added to the truststore for all node services. If the Use Default Java Truststore Certificates flag is checked, these are used in addition to those in the truststore included in the Java installation on the node’s host; otherwise, they are used instead of the Java truststore.
  • Intermediary CAs -- These certificates are part of a chain that is presented by a web site and secured by TLS. The entries here are used along with those in Trusted CAs in cases where a server does not present a complete certificate chain during the TLS connection handshake.
  • Identity certificates -- These certificates are needed for Single Sign-On (SSO). An identity certificate validates the assertion from the identity provider (IDP) and must be provided when SSO rewriting is done.
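
The following added example (not Lookout code) models how the Trusted CAs, Intermediary CAs, and Use Default Java Truststore Certificates settings described above interact when a server presents an incomplete chain. It is a simplified model that matches certificates by subject and issuer name only and performs no signature or validity checks; all certificate names and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def effective_truststore(trusted_cas, java_default, use_default_java):
    # Flag checked: Trusted CAs are used in addition to Java's bundled roots.
    # Flag unchecked: Trusted CAs are used instead of them.
    return set(trusted_cas) | (set(java_default) if use_default_java else set())

def build_path(presented, intermediaries, anchors):
    """Return subjects from leaf to a trust anchor, or None if no path exists."""
    anchor_names = {c.subject for c in anchors}
    # Issuer candidates: rest of the presented chain, Intermediary CAs, anchors.
    candidates = {c.subject: c for c in [*presented[1:], *intermediaries, *anchors]}
    current = presented[0]
    path = [current.subject]
    while current.subject not in anchor_names:
        nxt = candidates.get(current.issuer)
        if nxt is None or nxt.subject in path:  # issuer missing, or a loop
            return None
        path.append(nxt.subject)
        current = nxt
    return path

# Constructed sample data (all names hypothetical).
ROOT = Cert("CN=Example Private Root", "CN=Example Private Root")
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Private Root")
LEAF = Cert("CN=app.example.test", "CN=Example Issuing CA")
PUBLIC_ROOT = Cert("CN=Example Public Root", "CN=Example Public Root")
PUBLIC_LEAF = Cert("CN=www.example.test", "CN=Example Public Root")

if __name__ == "__main__":
    private_only = effective_truststore([ROOT], [PUBLIC_ROOT], use_default_java=False)
    with_java = effective_truststore([ROOT], [PUBLIC_ROOT], use_default_java=True)
    # Server sends only its leaf: fails until the issuing CA is an Intermediary CA.
    print(build_path([LEAF], [], private_only))
    print(build_path([LEAF], [ISSUING], private_only))
    # A publicly issued leaf validates only when Java's default roots are included.
    print(build_path([PUBLIC_LEAF], [], private_only))
    print(build_path([PUBLIC_LEAF], [], with_java))
```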