When the Workspace ONE Access appliance is installed on premises, a default SSL server certificate is automatically generated. You can use this self-signed certificate for general testing of your implementation.
A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate. Workspace ONE Access supports using PEM formatted certificates that include the private key.
You install a signed CA certificate for an appliance from the Workspace ONE Access console Monitor > Resiliency page. Select the appliance and click VA Configuration to log in as admin to the appliance configuration pages. Select Install SSL Certificates.
If you deploy Workspace ONE Access with the self-signed SSL certificate, the root CA certificate must be available as a trusted CA for any client who accesses the Workspace ONE Access service. The clients can include end-user machines, load balancers, proxies, and so on. You can download the root CA from the page.