Console Certificate
When you deploy an instance of AM, communication between the browser and the Security Console, Operations Console, and Self-Service Console is secured by a long-lived Secure Sockets Layer (SSL) certificate. This certificate is signed by an internal RSA certificate authority (CA). Because this CA is self-signed, your browser may present a warning message that the default certificate cannot be verified.
Replacing the console certificate with a certificate issued by a third-party CA is optional. However, you might need to replace the console certificate for the following reasons:
Your network policy requires that you use certificates issued by another CA.
Your existing certificate is expired.
In the certificate chain you obtain from a third-party CA, each X.509 version 3 CA certificate must have the Basic Constraints extension CA field set to TRUE. If any X.509 version 3 CA certificate in the chain does not have the Basic Constraints extension properly set, AM rejects the certificate. If this happens, contact the certificate authority to resolve the issue.
A certificate issued by a third-party CA may be valid for only 1 to 2 years. You must ensure that a third-party certificate is replaced before it expires. When the console certificate expires, you cannot start the AM services after they are stopped.
If you stop the services on an instance with an expired certificate, you must replace the expired certificate with the default certificate that was installed when the instance was deployed.
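The two conditions above (Basic Constraints CA set to TRUE on every CA certificate, and replacement before expiry) can be checked before you import a chain. The following is an added example, not RSA tooling. It assumes OpenSSL is installed and that the bundle contains only the CA certificates of the chain in PEM format; the function names and the 30-day default window are illustrative.

```shell
#!/bin/sh
# Added example: pre-import check of a third-party CA chain with OpenSSL.

# check_ca_chain BUNDLE [DAYS]
# BUNDLE is assumed to hold only the chain's CA certificates (PEM).
# Returns 0 if every certificate has Basic Constraints CA:TRUE and stays
# valid for more than DAYS days (default 30), 1 on a finding, 2 on bad input.
check_ca_chain() {
    bundle=$1
    days=${2:-30}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$bundle"
    rc=0
    for c in "$tmp"/cert*.pem; do
        if [ ! -e "$c" ]; then
            echo "ERROR no certificates found in $bundle"
            rc=2
            break
        fi
        subj=$(openssl x509 -in "$c" -noout -subject)
        # The line after the extension name carries the CA flag.
        if openssl x509 -in "$c" -noout -text |
               grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
            echo "OK   $subj"
        else
            echo "FAIL $subj: Basic Constraints CA:TRUE not set"
            rc=1
        fi
        # -checkend exits non-zero if the certificate expires in the window.
        if ! openssl x509 -in "$c" -noout -checkend $((days * 86400)) >/dev/null
        then
            echo "WARN $subj: expires within $days days"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_constructed_cert OUT BASIC_CONSTRAINTS DAYS
# Creates a throwaway self-signed certificate for exercising the check.
make_constructed_cert() {
    cnf=$(mktemp) || return 2
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n[dn]\nCN=Constructed test cert\n[ext]\nbasicConstraints=%s\n' "$2" > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$3" -config "$cnf" 2>/dev/null
    rm -f "$cnf"
}
```

Run `check_ca_chain chain.pem 60` against the CA bundle received from the third-party CA; a FAIL line identifies the certificate to raise with the certificate authority.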
For an overview of the replacement process, see Replacing the Console Certificate.
Note: AM uses internal SHA-256 certificates for communication between AM components, such as primary and replica instances and the web tier. If you upgrade to AM 8.2, you can run a command-line utility that upgrades the internal certificates to SHA-256. Upgrading these certificates to SHA-256 is not required. For instructions, see Upgrade Internal Authentication Manager Certificates to SHA-256.