Certificate

A certificate is required to ensure secure communication between the web client and the servers (HTTPS). The certificate should be issued by a certification authority (CA). We do not recommend using self-signed certificates. If you also want the system to be accessible outside your organization, the certificate must be issued by an official certification authority.

The certificate must have the following properties:

  • Web server certificate

  • Signature hash algorithm: at least SHA-256

  • Subject alternative name (SAN):

    • Fully qualified domain name (FQDN)

    • DNS alias

  • Key usage:

    • Digital signature

    • Key encryption

  • Extended key usage:

    • Server authentication

Never use the host name without the domain name in a certificate. Use only the FQDN of the system or DNS aliases (also only as FQDNs). Please note that for the top-level domain (TLD) “.local”, a certificate cannot be issued by an official certification authority. The same applies to other reserved TLDs.

Certificate revocation lists (CRLs) are required to verify validity. The CRLs must be accessible by both the client and the server. Certificates from an official certification authority use CRL servers on the internet.

The certificate is required together with the certificate chain in P12 or PFX format and must be password-protected. For the password, please use only Code Page 850 characters, because some products cannot import certificates with different characters in the password.

The certificate must be exportable.
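
The naming rule and the password rule above can be checked before the request goes to the CA. The following is an added example, not part of the product or its documentation: it flags planned SAN entries that are bare host names or end in a reserved TLD, and lists password characters that cannot be encoded in Code Page 850. The function names, the sample names and the set of reserved TLDs (taken from RFC 2606 and RFC 6762; the page itself names only ".local") are assumptions.

```python
import re

# Assumption: reserved TLDs from RFC 2606 and RFC 6762, not a vendor list.
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63.
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def check_san_name(name: str) -> list[str]:
    """Return the problems found in one planned SAN DNS entry."""
    problems = []
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        problems.append("host name without domain name; use the FQDN")
    elif labels[-1] in RESERVED_TLDS:
        problems.append(f"reserved TLD .{labels[-1]}; an official CA cannot issue this")
    for label in labels:
        if not LABEL.fullmatch(label):
            problems.append(f"invalid DNS label {label!r}")
    return problems


def non_cp850_chars(password: str) -> list[str]:
    """Return the characters of the password that Code Page 850 cannot encode."""
    bad = []
    for ch in password:
        try:
            ch.encode("cp850")
        except UnicodeEncodeError:
            bad.append(ch)
    return bad


def preflight(san_names: list[str], password: str) -> dict[str, list[str]]:
    """Map each failing SAN entry (and 'password') to its list of problems."""
    report = {n: p for n in san_names if (p := check_san_name(n))}
    if bad := non_cp850_chars(password):
        report["password"] = [f"not in Code Page 850: {''.join(bad)}"]
    return report


if __name__ == "__main__":
    # Constructed sample input; none of these names come from the page.
    names = ["portal.corp.example.com", "portal", "portal.corp.local"]
    for key, problems in preflight(names, "Grün-ß-pass€").items():
        print(f"{key}: {'; '.join(problems)}")
```

An empty result from `preflight` means the names and password passed these two checks only; the key usage, hash algorithm and chain requirements still have to be verified on the issued certificate.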