During installation, Cryptographic Security Platform generates an insecure self-signed certificate for securing communications with Grafana, the Management Console, and the solution services. You must replace this certificate before running Cryptographic Security Platform in a production environment.
TLS certificate fields
Use the following fields to set the Cryptographic Security Platform hostname or IP address in the TLS certificate.
- Subject Alternative Name (SAN) extension.
- The Common Name (CN) field of the certificate subject.
When both fields are present, the Subject Common Name is ignored.
TLS certificate algorithms
The Cryptographic Security Platform TLS certificate must be generated using either:
- The RSA algorithm with a key length of 2048 bits or more.
- The ECDSA algorithm with a P-256 elliptic curve.
Issuing the TLS certificate
Use your corporate PKI to issue the Cryptographic Security Platform TLS certificate.
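The following is an added example, not taken from the product documentation. It prepares a P-256 key and CSR to submit to the corporate PKI, then checks a CSR or issued certificate against the field and algorithm requirements above. The host name csp.example.internal and the file names are constructed placeholders. The check insists on a SAN entry, which is a stricter choice than the page requires.

```shell
#!/bin/sh
# Added example. csp.example.internal and the file names are constructed placeholders.

# new_csr HOST KEYFILE CSRFILE [CURVE]
# Creates an EC key (P-256 unless CURVE is given) and a CSR with HOST in SAN and CN.
# For an IP address, use "subjectAltName=IP:<address>" instead of DNS.
new_csr() {
    openssl ecparam -name "${4:-prime256v1}" -genkey -noout -out "$2" &&
    openssl req -new -key "$2" -out "$3" -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1"
}

# meets_requirements HOST
# Reads `openssl req -noout -text` or `openssl x509 -noout -text` output on stdin.
# Succeeds only if the key is RSA >= 2048 bits or ECDSA P-256 and HOST is in the SAN.
meets_requirements() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)
            [ "${bits:-0}" -ge 2048 ] || return 1 ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1' || return 1 ;;
        *)
            return 1 ;;
    esac
    # SAN values sit on the line after the extension name, comma separated.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n' | grep -Fxq -e "DNS:$1" -e "IPAddress:$1"
}

# Demo: build a CSR in a scratch directory and check it before submitting it.
dir=$(mktemp -d)
new_csr csp.example.internal "$dir/tls.key" "$dir/tls.csr" &&
    openssl req -in "$dir/tls.csr" -noout -text |
        meets_requirements csp.example.internal &&
    echo "CSR meets the requirements: $dir/tls.csr"
```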
Installing the TLS certificate
Run the clusterctl certificate command to install the Cryptographic Security Platform TLS certificate.
When running Cryptographic Security Platform in high availability, also install the TLS certificate in the load balancer.
Reusing the certificate as the CA Gateway TLS certificate
If the CA Gateway solution is deployed, you can use the same TLS certificate for Cryptographic Security Platform and CA Gateway.
See Configuring and deploying CA Gateway for how to select this TLS certificate in CA Gateway.