Installing the SMC with external certificate management

When you install the SMC, you can use certificates issued by an external CA for internal TLS communication between system components.

Using certificates issued by an external CA allows you to use your own established internal CA infrastructure to generate certificates for communication between components. Certificate revocation checking is also supported. If any devices are compromised, the certificates associated with them can be revoked and replaced centrally using the external certificate management system.

The following limitations apply:

  • In SMC 6.10, this feature is only available when you use the SMC Appliance.
  • You can only configure the SMC to use external certificates when you install the SMC. It is not possible to change to using external certificates in an existing installation.
  • To use certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP) servers, you must configure a DNS server.
  • We recommend that you configure an NTP server so that the time settings for the SMC are accurate when checking validity times for certificates, CRLs, and OCSP servers.
  • The Management Server and Log Server services do not start immediately after installation because the components do not yet have certificates.
  • You must complete the following actions after installation before you can start using the SMC:
    • Import the external CA certificate.
    • Generate and export certificate requests.
    • Sign the certificates using the external CA.
    • Import the signed certificates.
  • Only the ECDSA public key algorithm is supported.
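
The following is an added example, not part of the product documentation: a pre-import check, run with OpenSSL on an administrator workstation, that a certificate signed by the external CA uses an EC public key and chains to the CA certificate you are about to import. It assumes the ECDSA-only limitation covers both the CA certificate and the signed certificates; the function names, file names, and throwaway demo PKI are constructed for illustration and are not SMC output.

```shell
#!/bin/sh
# Added example: checks to run on a signed certificate before importing it.
# Assumption: the ECDSA-only limitation covers the CA cert and the signed certs.

# Succeeds if the certificate's subject public key is an EC key.
is_ec_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'Public Key Algorithm: id-ecPublicKey'
}

# check_cert_for_import CA_CERT SIGNED_CERT
# Returns 0 = ready to import, 1 = CA key is not EC, 2 = certificate key is not EC,
#         3 = certificate does not chain to the CA or is outside its validity period.
check_cert_for_import() {
    is_ec_cert "$1" || return 1
    is_ec_cert "$2" || return 2
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' || return 3
    return 0
}

# Constructed sample PKI so the example runs offline (throwaway keys only).
make_demo_pki() {
    d=$1
    for ca in ca other-ca; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$ca.key"
        openssl req -new -x509 -key "$d/$ca.key" -subj "/CN=Demo $ca" \
            -days 30 -out "$d/$ca.crt"
    done
    # One ECDSA request and one RSA request, standing in for exported requests.
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key"
    openssl req -new -key "$d/ec.key" -subj "/CN=demo-ec" -out "$d/ec.csr"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/rsa.key" \
        -subj "/CN=demo-rsa" -out "$d/rsa.csr" 2>/dev/null
    for leaf in ec rsa; do
        openssl x509 -req -in "$d/$leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 30 -out "$d/$leaf.crt" 2>/dev/null
    done
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for pair in "ca ec" "ca rsa" "other-ca ec"; do
    set -- $pair
    rc=0
    check_cert_for_import "$demo_dir/$1.crt" "$demo_dir/$2.crt" || rc=$?
    echo "CA=$1 cert=$2 -> result $rc"
done
```

In practice, pass the external CA certificate and each signed certificate to `check_cert_for_import`; a non-zero result identifies which of the three checks failed.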