Certificates used by the appliance are X.509 public key certificates. A certificate is not itself an encryption key: it binds a public key to a specific identity (a hostname, person or organization) and carries a digital signature from a certificate authority (CA) vouching for that binding, so a peer can verify who it is talking to. Identity verification is an essential part of secure communication. Without it, even encrypted traffic can be redirected to, or intercepted by, an untrustworthy third party that simply presents its own key.

Certificates include the hostname(s) they are valid for, the issuing CA's digital signature, a start date and an expiry date. To be considered valid by a connecting client, a certificate must:
  • be within its validity period: after its start date and not yet expired.
  • carry a digital signature from a CA that the client trusts. A certificate that chains to a CA the client does not know is rejected with a warning or an error.
  • list a hostname that matches the hostname the client used to connect. Modern clients match the name against the certificate's Subject Alternative Name entries, so every name the appliance is reached by must appear there.
    Note If your web appliance has several hostnames associated with it, ensure that every hostname it presents to other machines appears in its certificate(s) exactly as used; a certificate covers only the names it lists.

By default, the web appliance uses what is known as a self-signed certificate. A self-signed certificate is signed with its own private key rather than by a third-party CA; in effect, the host acts as its own CA. This provides encryption but no independent proof of identity: a connecting client has no CA it already trusts to vouch for the certificate, so browsers and other clients will warn about it, or refuse the connection, unless the appliance's certificate has been explicitly imported into their trust store. A self-signed certificate is therefore practical when verification of the host's identity by an external CA is not needed and the appliance talks to a limited, known set of hosts to which the certificate can be distributed out of band, such as communication within a company or with business partners.
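The following script is an added example and is not part of the appliance documentation. It generates a self-signed certificate for a constructed hostname (webappliance.example.internal, an assumed name) and then runs the three validity checks described above with the openssl command-line tool: the expiry check, the signature check (which succeeds only when the self-signed certificate itself is supplied as the trust anchor, and fails against the system trust store, which is exactly why clients warn about self-signed certificates), and the hostname check against the Subject Alternative Name. It assumes OpenSSL 1.1.1 or later is on PATH; all file names and the hostname are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the appliance's own code. Builds a self-signed X.509
# certificate for a constructed hostname and checks the three validity
# conditions with openssl. Assumes OpenSSL >= 1.1.1 (for 'req -addext').

WORKDIR=$(mktemp -d)
HOST="webappliance.example.internal"   # constructed hostname, not a real host
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"

# Create a self-signed certificate. The key that signs it is the same key whose
# public half it carries, so no third-party CA is involved. The hostname is put
# in the Subject Alternative Name, which is what clients match against.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
}

# Expiry check: exit status 0 when the certificate has not expired at this moment.
check_not_expired() {            # $1 = certificate file
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Signature check against an explicit trust anchor. A self-signed certificate
# verifies only when the trust anchor is the certificate itself.
check_trusted_by() {             # $1 = certificate file, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Signature check against the system trust store only; a freshly generated
# self-signed certificate is not in it, so this is the failure a client sees.
check_trusted_by_system() {      # $1 = certificate file
    openssl verify "$1" >/dev/null 2>&1
}

# Hostname check: -verify_hostname compares the name with the SAN DNS entries.
check_hostname() {               # $1 = certificate, $2 = CA bundle, $3 = hostname
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

make_self_signed

# Report each check for the reader (ok / FAILED).
report() { if "$@"; then echo "ok:     $*"; else echo "FAILED: $*"; fi; }
report check_not_expired "$CERT"
report check_trusted_by "$CERT" "$CERT"
report check_trusted_by_system "$CERT"
report check_hostname "$CERT" "$CERT" "$HOST"
report check_hostname "$CERT" "$CERT" "other.example.internal"
```

Only the first, second and fourth checks succeed: the certificate is current, it verifies when it is its own trust anchor, and its SAN matches the configured hostname. It fails against the system trust store, and it fails for any hostname it does not list, which is the situation the note above about multiple hostnames warns against. Importing cert.pem into a client's trust store (the step that makes the self-signed certificate usable within a company) is what turns the third result into a success for that client.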