The Controller must send a certificate to clients to establish secure communication.
The Controller has a default self-signed certificate. You must delete it and upload a new certificate or create a self-signed certificate.
For more information about certificates, see the Avi documentation.
Procedure
- In the Avi Controller dashboard, click the menu in the upper-left hand corner and select Administration.
- Select .
- Click the edit icon.
- Delete the default self-signed certificate in SSL/TLS Certificate.
- From the SSL/TLS Certificate drop-down, select Create Certificate.
The Add Certificate (SSL/TLS) window appears.
- Enter a name for the certificate.
- To add a self-signed certificate, select Type as Self Signed.
- Enter the following details:
| Option | Description |
| --- | --- |
| Common Name | Specify the fully qualified name of the site. For the site to be considered trusted, this entry must match the hostname that the client entered in the browser. |
| Subject Alternate Name (SAN) | Enter the cluster IP address or FQDN of the Controller. |
| Algorithm | Select either EC (elliptic curve cryptography) or RSA. EC is recommended. |
| Key Size | Select the level of encryption to be used for handshakes: SECP256R1 is used for EC certificates; 2048-bit is recommended for RSA certificates. |
- To download the self-signed certificate that you create, select .
- Select the certificate you created and click the download icon.
- In the Export Certificate page that appears, click Copy to clipboard.
You need this certificate when you enable workload management.
- To upload a certificate, select Type as Import.
- In Certificate, click Upload File and import the certificate.
The SAN field of the certificate you upload must have the cluster IP address or FQDN of the Controller.
- In Key (PEM) or PKCS12, click Upload File and import the key.
- Click Validate to validate the certificate and key.
- Click Save.
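The certificate fields described above (Common Name, SAN, EC on SECP256R1) and the checks behind the Validate step, as an added Go example that is not from the Avi documentation or product: it generates a self-signed P-256 (SECP256R1) certificate with the Controller FQDN as Common Name and both the FQDN and the cluster IP in the SAN extension, then checks that the private key belongs to the certificate and that the SAN covers every name the Controller will be reached by. The hostname avi-controller.example.com and the address 10.0.0.10 are constructed sample values; any certificate you import should pass the same checks before you click Save.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed sample values for the Controller; not taken from any real deployment.
const (
	controllerFQDN = "avi-controller.example.com"
	controllerIP   = "10.0.0.10"
)

// GenerateSelfSigned builds the equivalent of the UI's "Self Signed" type:
// EC key on SECP256R1 (P-256), the Controller FQDN as Common Name, and both the
// FQDN and cluster IP in the SAN so either form of the address is trusted.
func GenerateSelfSigned(fqdn, ip string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: fqdn},
		DNSNames:              []string{fqdn},
		IPAddresses:           []net.IP{net.ParseIP(ip)},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// Self-signed: the template is both subject and issuer, signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// ValidateForController performs the checks worth running before Validate/Save:
// both files are PEM, the key matches the certificate's public key, and the SAN
// covers the Controller FQDN and cluster IP. A certificate that carries the name
// only in its Common Name fails the SAN check, as modern clients ignore the CN.
func ValidateForController(certPEM, keyPEM []byte, fqdn, ip string) error {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return fmt.Errorf("certificate is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return err
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return fmt.Errorf("key is not PEM encoded")
	}
	key, err := x509.ParseECPrivateKey(kb.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return fmt.Errorf("private key does not match certificate public key")
	}
	// VerifyHostname checks DNS names and, for an IP literal, the IPAddresses SAN entries.
	for _, name := range []string{fqdn, ip} {
		if err := cert.VerifyHostname(name); err != nil {
			return fmt.Errorf("SAN does not cover %s: %w", name, err)
		}
	}
	return nil
}

func main() {
	certPEM, keyPEM, err := GenerateSelfSigned(controllerFQDN, controllerIP)
	if err != nil {
		panic(err)
	}
	fmt.Println("validation:", ValidateForController(certPEM, keyPEM, controllerFQDN, controllerIP))
	fmt.Print(string(certPEM)) // paste this PEM where workload management asks for it
}
```

The same ValidateForController check can be run on a certificate and key you intend to Import: if it reports a SAN gap for the cluster IP or FQDN, the upload will be technically valid but clients connecting by that name will not trust it.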