This section describes how to install an SSL certificate.

To install an SSL certificate:

1. Login into the SASE Orchestrator CLI console through SSH. If you configured the SASE Orchestrator as described here, you should be able to log into the virtual machine with the user name vcadmin and password that you defined when you created the cloud-init ISO.
2. Generate the SASE Orchestrator private key.
   Note: Do not encrypt the key. It must remain unencrypted on the SASE Orchestrator system.

   openssl genrsa -out server.key 2048

3. Generate a certificate request. Customize -subj according to your organization information.

   openssl req -new -key server.key -out
   server.csr -subj "/C=US/ST=California/L=Mountain View/O=Velocloud Networks
   Inc./OU=Development/CN=vco.velocloud.net"

   Description of Subject fields:

   Field	Description
   C	country
   ST	state
   L	locality (city)
   O	company
   OU	department (optional)
   CN	SASE Orchestrator fully qualified domain name

4. Send server.csr to a Certificate Authority for signing. You should get back the SSL certificate (server.crt). Ensure that it is in the PEM format.
5. Install the certificate (which requires root access). SASE Orchestrator SSL certificates are located in /etc/nginx/velocloud/ssl/.

   cp server.key server.crt /etc/nginx/velocloud/ssl/
   chmod 600 /etc/nginx/velocloud/ssl/server.key

6. Restart nginx.

   systemctl restart nginx