Two levels of certificates are used for certificate authentication: the certificate on the device and the certificate for the Workspace ONE Access service on port 443.

A publicly trusted certificate is set up on the load balancer.

If SSL re-encryption is performed, the self-signed certificate is required on each node.

When SSL passthrough is configured, an internally issued certificate that includes Subject Alternative Names (SANs) for all the hosts in the cluster is required on each node. The SAN entries with the host names allow all the nodes in the cluster to make requests to each other.
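
One way to check the SAN requirement for SSL passthrough, as an added example that is not part of the original page or of the product: it reports, for each node, which cluster host names its certificate fails to name. The host names, the function names and the sample certificates (built in the dict format that Python's ssl.getpeercert() returns) are constructed for illustration, and the left-most-label wildcard rule is a general TLS convention, not something this page states.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from a certificate dict in ssl.getpeercert() format."""
    return [v.lower().rstrip(".") for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(pattern, host):
    """Exact match, or a wildcard confined to the left-most label (assumption)."""
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent != "" and parent == pattern[2:]
    return False

def missing_hosts(cert, cluster_hosts):
    """Cluster host names that no SAN entry on this certificate covers."""
    names = san_dns_names(cert)
    return [h for h in cluster_hosts if not any(covers(n, h) for n in names)]

def audit_cluster(certs_by_node, cluster_hosts):
    """Map each node to the cluster hosts its certificate fails to name."""
    return {node: missing_hosts(cert, cluster_hosts)
            for node, cert in certs_by_node.items()}

def fetch_cert(host, ca_file, port=443):
    """Fetch a node's certificate, chain-validated against the internal CA bundle."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # name coverage is what the audit itself checks
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data: a hypothetical three-node cluster in which node 3
# was issued a certificate that names only itself.
CLUSTER = ["access1.corp.example", "access2.corp.example", "access3.corp.example"]
FULL = {"subjectAltName": tuple(("DNS", h) for h in CLUSTER)}
SAMPLE = {
    CLUSTER[0]: FULL,
    CLUSTER[1]: FULL,
    CLUSTER[2]: {"subjectAltName": (("DNS", "access3.corp.example"),)},
}

if __name__ == "__main__":
    for node, missing in audit_cluster(SAMPLE, CLUSTER).items():
        print(node, "OK" if not missing else "missing SAN for: " + ", ".join(missing))
```

Against live nodes, build the input with `{h: fetch_cert(h, ca_file) for h in CLUSTER}`, where `ca_file` is the PEM bundle of the internal issuing CA.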