Server certificate settings are under Optimization > SSL: Server Certificates.

Generally, you install certificates and their private keys on server-side appliances, and you can either use CA-signed certificates or create self-signed ones. The appliance supports uploading certificates in PKCS-12, PEM, and DER formats, or you can paste PEM-format certificates and keys directly into the Management Console. Bulk import/export is supported, though you'll need the decryption password for importing and have the option to include private keys and revocation lists when exporting.

If your certificate includes private keys, you must specify that during installation. If the keys are separate from the certificates, you need to add them individually. Starting from RiOS 9.16.0, both ECDSA and RSA signing are supported.

To generate self-signed certificates and keys, you'll need to specify an RSA cipher level. Wildcards (for example, *.mydomain.com) can be used in the common name for easier configuration.

You can optionally enable exportability for certificates and keys, which is useful for backing them up or transferring them to other appliances. However, to maintain high security, you can disable the ability to export certificates and keys permanently. This action cannot be undone unless you perform a factory reset or clear the secure vault. If export is disabled, you also cannot copy secure vault contents, and newly added certificates and keys will be marked as non-exportable.

For organizations with their own Certificate Authority (CA), you can configure the server-side appliance to use your CA to generate and sign server proxy certificates. Client-side appliances must have your CA’s certificate added as a trusted entity, and this configuration is done through the CLI, not SCC. For larger networks, we recommend using SCC or the bulk import/export feature to simplify trusted peer configuration.