About the SCC certificate authority service
SCC Certificate Authority settings are under Administration > Security: Certificate Authority. The SCC includes a certificate authority (CA) service. You can configure the SCC CA as a private root CA or an intermediate CA that is trusted within your organization. The SCC CA service enables you to issue these types of certificates to managed appliances:
Secure peering certificates
Proxy certificates for SSL optimization
Web proxy certificates for HTTPS traffic proxy.
Managing certificates for secure protocol optimization and HTTPS web proxy can be daunting and time-consuming. The SCC CA service provides a way to simplify, streamline and automate certificate management from the SCC Management Console. Using the SCC CA service, you can:
manage and issue secure peering certificates to managed appliances.
configure secure peering trust relationships between managed appliances for secure protocol optimization.
Using SCC to configure and manage secure peering trust relationships among managed appliances eliminates the need to configure those relationships on each appliance, one at a time. When you replace the secure peering certificate on a managed appliance with a certificate issued by the SCC CA, the SCC CA becomes a trusted entity on that managed appliance. Subsequently, that appliance automatically trusts all peers that have a certificate issued by the same SCC.
The SCC CA can only be used to issue certificates and implicitly signs all certificates it issues. Using and trusting only CA-signed certificates increases the security of your fleet of managed appliances. You can't submit a Certificate Signing Request (CSR) through the SCC Management Console to have a certificate signed by the SCC CA. A certificate must have its CA purpose set to TRUE to be used with the SCC CA service. Here's an example of the extensions of a root certificate whose Basic Constraints extension marks it as a CA:
    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            8F:XX:A1:E6:XX:FC:D4:DD:XX:XX:04:05:D5:07:9B:6C:XX:XX:FA:B.1.3.6.1.4.1.31