The Controller must send a certificate to clients to establish secure communication. This certificate must have a Subject Alternative Name (SAN) that matches the Avi Controller cluster hostname or IP address.

The Controller has a default self-signed certificate. But this certificate does not have the correct SAN. You must replace it with a valid or self-signed certificate that has the correct SAN. You create a self-signed certificate or upload an external certificate.

For more information about certificates, see the Avi documentation.


  1. In the Avi Controller dashboard, click the menu in the upper-left hand corner and select Templates > Security.
  2. Select SSL/TLS Certificate.
  3. To create a certificate, click Create and select Controller Certificate.
    The New Certificate (SSL/TLS) window appears.
  4. Enter a name for the certificate.
  5. To add a self-signed certificate, select Type as Self Signed.
    1. Enter the following details:
      Option Description
      Common Name

      Specify the fully-qualified name of the site. For the site to be considered trusted, this entry must match the hostname that the client entered in the browser.

      Subject Alternate Name (SAN) Enter the cluster IP address or FQDN of the Controller cluster.
      Algorithm Select either EC (elliptic curve cryptography) or RSA. EC is recommended.
      Key Size Select the level of encryption to be used for handshakes:
      • SECP256R1 is used for EC certificates.
      • 2048-bit is recommended for RSA certificates.
    2. Click Save.
    You need this certificate when you configure the Supervisor Cluster to enable the Workload Management functionality. .
  6. Download the self-signed certificate that you create.
    1. Select Security > SSL/TLS Certificates.
      If you do not see the certificate, refresh the page.
    2. Select the certificate you created and click the download icon.
    3. In the Export Certificate page that appears, click Copy to clipboard against the certificate. Do not copy the key.
    4. Save the copied certificate for later use when you enable workload management.
  7. To upload a certificate, select Type as Import.
    1. In Certificate, click Upload File and import the certificate.
      The SAN field of the certificate you upload must have the cluster IP address or FQDN of the Controller.
      Note: Make sure that you upload or paste the contents of the certificate only once.
    2. In Key (PEM) or PKCS12, click Upload File and import the key.
    3. Click Validate to validate the certificate and key.
    4. Click Save.
  8. To change the portal certificate, perform the following steps.
    1. In the Avi Controller dashboard, click the menu in the upper-left hand corner and select Administration > Settings.
    2. Select Access Settings.
    3. Click the edit icon.
    4. From SSL/TLS Certificate, remove the existing default portal certificates.
    5. In the drop-down, select the newly created or uploaded certificate.
    6. Click Save.