During installation, Entrust PKI Hub generates a self-signed TLS certificate for securing communications with Grafana, the Management Console, and the solution services. Because this certificate is self-signed, clients cannot validate it against a trusted CA; it is intended for initial setup only. You must replace it with a certificate that meets the requirements below before running Entrust PKI Hub in a production environment.
TLS certificate subject names
The Entrust PKI Hub TLS certificate must identify the host name that clients use to reach Entrust PKI Hub in one of the following fields.
- DNS Subject Alternative Name (SAN)
- Subject Common Name (CN)
When both fields are present, clients match the host name against the DNS SAN and the Subject Common Name is ignored. Use a DNS SAN whenever possible; matching on the Subject Common Name alone is a legacy fallback.
TLS certificate algorithms
The Entrust PKI Hub TLS certificate must be generated using one of the following key types:
- RSA with a key length of 2048 bits or more.
- ECDSA with the P-256 (prime256v1) elliptic curve.
Issuing the TLS certificate
To get the Entrust PKI Hub TLS certificate, you can:
- Use your corporate PKI.
- Purchase the certificate at store.entrust.com. To generate the certificate request, Entrust provides an online form at entrust.com/resources/certificate-solutions/tools/open-ssl-csr-command-builder
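The following script is an added example, not part of the Entrust documentation or of any Entrust tool. It covers the two previous sections: a function that checks whether a certificate file meets the subject-name and key requirements listed above (DNS SAN preferred, Subject CN accepted only as a fallback; RSA of at least 2048 bits or ECDSA P-256), and a function that generates a P-256 key and a CSR with a DNS SAN that you can submit to your corporate PKI or to Entrust. The function names, the host name pkihub.example.com and the file names are assumptions chosen for the example; only standard OpenSSL 1.1.1+ commands are used.

```shell
#!/bin/sh
# Added example (not an Entrust tool): pre-install checks for a PKI Hub TLS certificate.
# Usage: check_pkihub_cert cert.pem   -> exit status 0 when the certificate meets the requirements

check_pkihub_cert() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "cannot parse $cert" >&2; return 1; }

    # 1. Subject names: a DNS SAN is required in practice; when it is present the CN is ignored.
    if openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep -q 'DNS:'; then
        :   # DNS SAN present
    elif openssl x509 -in "$cert" -noout -subject | grep -q 'CN *='; then
        echo "warning: no DNS SAN, clients will fall back to the Subject CN" >&2
    else
        echo "no DNS SAN and no Subject CN" >&2; return 1
    fi

    # 2. Key type: RSA >= 2048 bits, or ECDSA on P-256 (prime256v1).
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n1)
    case "$alg" in
        rsaEncryption)
            [ "${bits:-0}" -ge 2048 ] \
                || { echo "RSA key too short: ${bits:-?} bits" >&2; return 1; } ;;
        id-ecPublicKey)
            printf '%s\n' "$text" | grep -Eq 'prime256v1|P-256' \
                || { echo "EC curve is not P-256" >&2; return 1; } ;;
        *)
            echo "unsupported key algorithm: $alg" >&2; return 1 ;;
    esac
    return 0
}

# Generate a P-256 private key and a CSR carrying the host name as a DNS SAN (and as CN).
# Usage: make_pkihub_csr pkihub.example.com pkihub.key pkihub.csr
make_pkihub_csr() {
    host="$1"; keyfile="$2"; csrfile="$3"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$keyfile" -out "$csrfile" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Stand-alone use: ./check.sh cert.pem
if [ "$#" -ge 1 ]; then
    check_pkihub_cert "$1"
fi
```

Run the check against the certificate returned by your CA before passing it to clusterctl; in a high-availability deployment, run it against the certificate installed in the load balancer as well, since that is the one clients actually see.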
Installing the TLS certificate
Run the clusterctl certificate command to install the Entrust PKI Hub TLS certificate and its private key.
When running Entrust PKI Hub in high availability, also install the TLS certificate in the load balancer that fronts the cluster, because the load balancer, not the individual nodes, presents the certificate to clients; the certificate must therefore cover the host name of the load balancer.
Reusing as CA Gateway TLS certificate
If the CA Gateway solution is deployed, you can use the same TLS certificate for Entrust PKI Hub and CA Gateway.
See the CA Gateway configuration reference for how to select this TLS certificate in CA Gateway.