Certificates

For securing the communication between the SafeGuard Enterprise Server and the SafeGuard Enterprise protected endpoint with SSL, a valid certificate is required. You can use the following certificate types:

A self-signed certificate

If you manage Mac and Windows endpoints, you have to use a certificate with proper key usage extensions. Starting with macOS 10.12, Apple only allows certificates that meet these requirements for establishing an SSL connection.

You can create a certificate with proper extensions in IIS when you configure the SGNSRV web page for SSL; see Configure the SGNSRV web page for SSL.

A certificate issued by a PKI with a private or a public root certificate


Technically it makes no difference whether you use a certificate with a public or a private root certificate.

If a certificate created by a public PKI is available but the PKI infrastructure is not, you cannot use this certificate to secure communication with SSL. In this case, you need to set up a PKI infrastructure or create a self-signed certificate.

If you want to use a PKI-generated certificate for SSL communication, create a certificate for the machine that is running the SafeGuard Enterprise Server. The following requirements apply:

  • The certificate name must correspond to the machine that is shown at the top node in the Internet Information Services (IIS) Manager.
  • The certificate must be issued to the machine using its FQDN. Make sure that the client can resolve the FQDN through DNS.
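
The following PowerShell function is an added example, not part of the product or its documentation. It checks a certificate against the two requirements above and reports its key usage extension. It assumes that the certificate is installed in the LocalMachine\My store and that the top node in IIS Manager shows the computer name; the function and property names are illustrative.

```powershell
# Added example: pre-flight check of the server certificate requirements.
# Run on the machine that runs the SafeGuard Enterprise Server.
function Test-ServerCertificateName {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Fqdn,
        # Assumption: the IIS Manager top node shows the computer name.
        [string]$MachineName = $env:COMPUTERNAME
    )

    # Names the certificate was issued to: subject CN plus DNS SAN entries.
    $names = @($Certificate.GetNameInfo('SimpleName', $false))
    $names += @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $names = @($names | Where-Object { $_ } | Sort-Object -Unique)

    # Endpoints must resolve the FQDN through DNS. Repeat this lookup on an
    # endpoint as well; the server resolving its own name is not sufficient.
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($Fqdn) } catch { $resolves = $false }

    # Key usage (OID 2.5.29.15) is reported, not judged: the required values
    # are not listed on this page.
    $keyUsage = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.15' } |
        ForEach-Object { $_.Format($false) }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        IssuedTo           = $names -join ', '
        IssuedToFqdn       = $names -contains $Fqdn           # case-insensitive
        FqdnIsQualified    = $Fqdn.Contains('.')              # short name fails
        FqdnMatchesMachine = $Fqdn.Split('.')[0] -eq $MachineName
        FqdnResolves       = $resolves
        WithinValidity     = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        KeyUsage           = if ($keyUsage) { $keyUsage } else { '(no key usage extension)' }
    }
}

# Check every certificate in the machine store against this server's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificateName -Certificate $_ -Fqdn $fqdn } |
    Format-List
```

A certificate that is suitable for the SSL binding shows True for every Boolean property; compare the KeyUsage line with the extensions that IIS sets when you follow Configure the SGNSRV web page for SSL.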