When you enable encryption with key servers, two types of certificates are required to ensure secure communication between the system and the encryption key server.
In general, certificates are the primary method that is used by the key servers to authenticate the system and for the system to authenticate to the key servers. The exchange of these certificates verifies that access to the encryption keys that are stored on the key servers is permitted. The authentication of the system ensures that the key servers do not give access to keys to an untrusted party. The authentication of the key servers ensures that the system does not ask for sensitive keys to be stored by an untrusted party. Security of the system relies on two factors. First, the public certificates of the key servers and the system must be exchanged securely so that each device can trust the other. Second, the key servers and the system must keep their private key, which is associated with the certificate, secure.
The key server certificates, which are used by the key servers to verify the system, require that the certificate authority (CA) or self-signed certificate to be transferred to the system. The key servers can use either a certificate from a trusted third party, called a certificate authority (CA), a self-signed certificate that is created on the key servers, or both these types of certificates can be used. If multiple key servers are configured and use the same CA certificate, upload the single CA-signed certificate, which covers all of the key servers. If the key servers use self-signed certificates, the certificates must be uploaded separately to the system. Any self-signed certificates take priority over any CA-signed certificate that is installed on the system for the key servers. In addition, a system encryption certificate must be installed on each of the configured key servers. The key server administrator accepts the certificate to grant access to the key server. The system encryption certificate can also be a self-signed certificate or from a certificate authority. To configure system encryption certificates for secure communications, select .