About server certificates
Server certificate settings are under Optimization > SSL: Server Certificates.
Generally, you install certificates and their private keys on server-side appliances. You can install CA-signed certificates, or you can create your own self-signed ones. PKCS-12, PEM, and DER-format certificates can be uploaded. Optionally, you can paste the contents of PEM-format certificates and keys directly into the Management Console. Bulk import and export (if enabled) is supported, but you’ll need the decryption password when importing. When exporting, you have the option to include private keys and revocation lists.
PEM and DER-format keys are supported.
If your certificate includes the private keys, select the option to specify that. If the keys are in separate files, you’ll need to add them separately from the certificates.
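A pre-upload check for the two cases described above, as an added example that is not part of the original Riverbed documentation: it inventories the PEM blocks in a file or paste so you know whether the certificate includes its private key or the key must be added separately. The function names and sample inputs are constructed for illustration, and the check does not verify that a key matches its certificate.

```python
import base64
import re

# PEM textual encoding: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inventory_pem(text):
    """Return [(label, encrypted, der_length)] for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines()]
        # Legacy OpenSSL encrypted keys put "Proc-Type: 4,ENCRYPTED" before the data.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        b64 = "".join(ln for ln in lines if ":" not in ln)
        der = base64.b64decode(b64, validate=True)  # raises on a corrupted paste
        blocks.append((label, encrypted, len(der)))
    return blocks


def upload_plan(text):
    """Summarize a file or paste so the matching upload option can be chosen."""
    blocks = inventory_pem(text)
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    return {
        "certificates": sum(1 for b in blocks if b[0] == "CERTIFICATE"),
        "includes_private_key": bool(keys),
        "key_is_encrypted": any(b[1] for b in keys),
        "other_blocks": [b[0] for b in blocks
                         if b[0] != "CERTIFICATE" and b[0] not in KEY_LABELS],
    }


def make_pem(label, payload, headers=""):
    """Build a constructed PEM block; payload is placeholder bytes, not real DER."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed sample inputs (placeholder bytes, no real key material).
SAMPLE_COMBINED = make_pem("CERTIFICATE", b"c" * 90) + make_pem("PRIVATE KEY", b"k" * 60)
SAMPLE_CERT_ONLY = make_pem("CERTIFICATE", b"c" * 90) + make_pem("X509 CRL", b"r" * 30)
SAMPLE_LEGACY_KEY = make_pem("RSA PRIVATE KEY", b"k" * 60,
                             "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```

If `includes_private_key` is false, the key has to be added from its own file; an entry in `other_blocks` such as a revocation list is not a certificate or a key.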
If you want to generate self-signed certificates and keys, you’ll need to specify an RSA cipher level. To facilitate configuration, you can use wildcards in the common name: for example, *.mydomain.com.
Optionally, enable exportability if you want to export a certificate and its private keys. Bulk export is also available when exportability is enabled. These features are useful for backing up certificates and keys, or for copying to another appliance. However, security-conscious organizations might want to lock down their certificates and keys to prevent them from leaving the appliances on which they are configured.
For greater security, you can permanently disable export of all certificates and keys installed on the appliance by clicking the option to do so, and then confirming your choice. Before permanently disabling export, make sure you thoroughly understand the impact. Use caution and consider the following:
• You can’t reenable export unless you perform a factory reset on the appliance (losing the configuration) or clear the secure vault.
• You can’t export server certificates and private keys to other appliances.
• Any newly added server certificates and keys are marked as nonexportable.
• Disabling export also disables the ability to copy secure vault contents.
You can choose to use your organization’s CA to generate and sign server proxy certificates on a server-side appliance. Each peer client-side appliance must have the certificate of your CA added as a trusted entity. You’ll need to use the CLI directly on the appliance to configure this. You can’t use SCC because the CSR is generated on the appliance and, for security, its keys must not leave the appliance. Also, you’ll need to point client-side appliances to the server-side appliance. You can configure this using the CLI directly on the appliance or through SCC.
For production networks with many appliances, we recommend you use SCC or the bulk import and export feature to simplify configuring trusted peer relationships.
Riverbed Command-Line Interface Reference Manual