The following topics describe how to replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved CA. You can replace the certificates for the UI server and the REST API.
Regardless of the method that you select, if the UI continues to present the default self-signed security certificates, see Restart the web service for instructions.
Prerequisites
The new host certificate must:
Contain the PowerProtect Data Manager server fully qualified domain name in the Subject Common Name (CN) and Subject Alternative Name (SAN) fields.
Not contain the PowerProtect Data Manager server IP address in the SAN field.
Providing security certificates over HTTPS is secure enough for most environments. Where additional precautions are required, use the manual method to replace the certificates.
Replacing the security certificates through the PowerProtect Data Manager UI requires a private certificate in PKCS#1 (RSA) PEM format and a public certificate chain in PEM format.
The CLI method requires a private key in PKCS#1 (RSA) PEM format and a public certificate chain in PEM format. Use a secure method to transfer the certificates and keys to the PowerProtect Data Manager server.
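A pre-flight check for the prerequisites above, added here as an example and not taken from the PowerProtect Data Manager documentation: it confirms that the key file carries the PKCS#1 header and that the host certificate's CN and SAN contain the FQDN with no IP entry. The function names, host name and file arguments are assumptions, `openssl x509 -ext` needs OpenSSL 1.1.1 or later, and the check reports any IP address in the SAN, which is stricter than the prerequisite.

```shell
#!/bin/sh
# Added example: pre-flight check of a replacement certificate and key.
# Function names, host name and file arguments are hypothetical.

# Succeeds only if KEYFILE carries the traditional PKCS#1 RSA PEM header
# (PKCS#8 keys start with "BEGIN PRIVATE KEY" instead).
key_is_pkcs1() {
    grep -q -e '^-----BEGIN RSA PRIVATE KEY-----' "$1"
}

# stdin: output of "openssl x509 -noout -subject -nameopt RFC2253"; prints the CN.
subject_cn() {
    sed -e 's/^subject= *//' | tr ',' '\n' | sed -n -e 's/^CN=//p' | head -n 1
}

# stdin: output of "openssl x509 -noout -ext subjectAltName"; one entry per line.
san_entries() {
    grep -v 'Subject Alternative Name' | tr ',' '\n' | sed -e 's/^ *//' -e '/^$/d'
}

# check_names FQDN SUBJECT_TEXT SAN_TEXT: prints findings, returns 0 if all pass.
check_names() {
    fqdn=$1 rc=0
    cn=$(printf '%s\n' "$2" | subject_cn)
    sans=$(printf '%s\n' "$3" | san_entries)
    printf '%s\n' "$cn" | grep -qixF -e "$fqdn" ||
        { echo "FAIL: CN '$cn' is not $fqdn"; rc=1; }
    printf '%s\n' "$sans" | grep -qixF -e "DNS:$fqdn" ||
        { echo "FAIL: SAN has no DNS:$fqdn entry"; rc=1; }
    # Stricter than the prerequisite: any IP entry is reported, not only the server's.
    if printf '%s\n' "$sans" | grep -q -e '^IP Address:'; then
        echo "FAIL: SAN contains an IP address"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_cert.sh FQDN chain.pem key.pem
# openssl x509 reads the first certificate in chain.pem, assumed to be the host's.
if [ "$#" -eq 3 ]; then
    key_is_pkcs1 "$3" || { echo "FAIL: key is not PKCS#1 (RSA) PEM"; exit 1; }
    subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253) || exit 1
    san=$(openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null)
    check_names "$1" "$subj" "$san" && echo "OK: prerequisites met"
else
    # No arguments: run on constructed openssl output (not a real certificate).
    check_names ppdm.example.com 'subject=CN=ppdm.example.com,O=Example' \
        'X509v3 Subject Alternative Name:
    DNS:ppdm.example.com, IP Address:192.0.2.10' || true
fi
```

Run it on the workstation where the certificate request was fulfilled, before transferring the files to the server.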