The Controller must send a certificate to clients to establish secure communication. This certificate must have a Subject Alternative Name (SAN) that matches the Controller cluster hostname or IP address.

The Controller has a default self-signed certificate. But this certificate does not have the correct SAN. You must replace it with a valid or self-signed certificate that has the correct SAN. You create a self-signed certificate or upload an external certificate.

For more information about certificates, see the Avi documentation.


  1. In the Controller dashboard, select Templates > Security.
  2. Select SSL/TLS Certificate.
  3. To create a certificate, click Create and select Controller Certificate.
    The New Certificate (SSL/TLS) window appears.
  4. Enter a name for the certificate.
  5. If you do not have a pre-created valid certificate, add a self-signed certificate by selecting Type as Self Signed.
    1. Enter the following details:
      Option Description
      Common Name

      Specify the fully-qualified name of the site. For the site to be considered trusted, this entry must match the hostname that the client entered in the browser.

      Subject Alternate Name (SAN) Enter the cluster IP address or FQDN, or both, of the Avi Controller if it is deployed as a single node.

      If only the IP address or FQDN is used, it must match the IP address of the Controller VM that you specify during deployment. See Deploy the Controller.

      Enter the cluster IP or FQDN of the Avi Controller cluster if it is deployed as a cluster of three nodes. For information about deploying a cluster of three controller nodes, see Deploy a Controller Cluster.

      Algorithm Select either EC (elliptic curve cryptography) or RSA. EC is recommended.
      Key Size Select the level of encryption to be used for handshakes:
      • SECP256R1 is used for EC certificates.
      • 2048-bit is recommended for RSA certificates.
    2. Click SAVE.
    You need this certificate when you configure the Supervisor Cluster to enable the Workload Management functionality.
  6. Download the self-signed certificate that you create.
    1. Select Security > SSL/TLS Certificates.
      If you do not see the certificate, refresh the page.
    2. Select the certificate you created and click the download icon.
    3. In the Export Certificate page that appears, click Copy to clipboard against the certificate. Do not copy the key.
    4. Save the copied certificate for later use when you enable workload management.
  7. If you have a pre-created valid certificate, upload it by selecting Type as Import.
    1. In Certificate, click Upload File and import the certificate.
      The SAN field of the certificate you upload must have the cluster IP address or FQDN of the Controller.
      Note: Make sure that you upload or paste the contents of the certificate only once.
    2. In Key (PEM) or PKCS12, click Upload File and import the key.
    3. Click Validate to validate the certificate and key.
    4. Click SAVE.
  8. To change the portal certificate, perform the following steps.
    1. In the Controller dashboard, select Administration > Settings.
    2. Click Edit.
    3. Select the Access tab.
    4. From SSL/TLS Certificate, remove the existing default portal certificates.
    5. In the drop-down, select the newly created or uploaded certificate.
    6. Select Basic Authentication.
    7. Click SAVE.