As explained in Initializing CSP DB Appliance, the web browser will display a warning when you first log in to the user interface because the default TLS certificates are self-signed. See below for instructions on replacing this default certificate.

In a PKI DB Appliance cluster, the TLS certificate of every node must share the same CA certificate chain configured with the clusterctl database set appliance command.

To replace the default TLS certificate of a PKI DB Appliance node

  1. Generate a PKCS #12 containing a key pair and a certificate with the following properties.
    • Subject Alternative Names (SANs): the IP address of the appliance, the DNS short hostname, the DNS long (fully-qualified) hostname, the dbappliance literal. 

    • Extended key usages: Client Authentication, Server Authentication (do not add extra ones).

  2. Open a web browser at the URL obtained when Running PKI DB Appliance.

    Do not omit the "https" prefix of the URL.

  3. Navigate to CLUSTER > Servers.
  4. Select Actions > Install certificate.
  5. Configure the values in the Install Custom SSL Certificate dialog. 
  6. Click Install Certificate.
  7. Select the current node in the nodes list. 
  8. Click Restart Web Service.
  9. Click Proceed on the confirmation dialog. 
  10. Log in to the user interface.
  11. Navigate to CLUSTER > Servers.
  12. In the Certificate field, check that the certificate type has switched from Default to Custom.
  13. If the CA certificate chain of the certificate has changed, run the clusterctl database set appliance to update it on PKI Hub. 

Certificate

Configure the following values on this tab.

Setting

Value

​SSL Certificate

A PEM file containing the SSL certificate

CA Certificate

A PEM file containing the CA certificate of the SSL certificate

Web server

Click External to replace the API and user interface certificate. Click Internal to replace the internal web server certificate. 

Private key

Configure the following values on this tab.

Setting

Value

Private key

A file containing the private key of the SSL certificate

Password

The password of the private key, if any.