This article assumes that the user has upgraded their Identity Server (IDS) to at least version 2.13.2 and edge devices to at least version 2.15.1. It also assumes that the user has a custom CA certificate to use with their devices.
On the IDS, navigate to the "Settings" tab and click on "Certificates".
Click on "Upload new certificate". Copy and paste the certificate from the user's custom CA certificate file into the "Public Key Certificate" text box. Include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
Copy and paste the private key from the user's custom CA certificate into the "Private Key" text box. Include the "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" lines.
Click "Apply" beneath the text boxes. Navigate back to the "Home" tab of the IDS and click on the "Restart Server" button.
After the server has restarted, you should be able to verify that the IDS is using the new certificate. In your web browser, click on "Not secure" or the lock icon in the address bar, and then click on "Certificate". The example shown is on Google Chrome.
The factory default certificate lists "PrincetonIdentity" next to both "Issued to:" and "Issued by:" as shown below. The custom certificate you installed should show different values in these fields.
Now that we have installed the custom certificate on the IDS, we need to install it on the devices that will connect to that IDS.
Navigate to the web page of the device that you would like to connect to the IDS. You can either navigate directly using the device's IP address, or if you have previously connected the device to the IDS you can use the system page.
On the device's webpage, navigate to the "Settings" tab and then click on "Certificates". Click on the "Upload new CA certificate" button shown below.
Using the user's custom certificate, copy and paste the certificate, including the BEGIN and END lines, into the "CA certificate" text box.
Click "Apply". You should now see two certificates displayed on the Certificates page: a default one titled "Certificate" and the new one titled "CA Certificate". This is shown below.
Navigate to the "Diagnostics" page and click on "Take offline for diagnostics". Once the device is offline and the options appear on this screen, click on the "Reboot" link.
Wait for the device to restart.
When it reboots, log in and navigate to the "Settings" tab and click on "Time". Set the time to be the current date and time.
Note: the device may reboot with a clock set to a date months before the current date. If the device clock falls outside the certificate's validity period (before its "Not Before" date), the certificate fails validation and the device cannot connect to the IDS. This is why the time must be set after the device is manually rebooted.
After the device has rebooted and had the time set properly, you may need to log in again.
Navigate to the home screen and click on "Connect to Identity Server".
In the "Remote server" box, type in the hostname of the IDS followed by ":8443". In the example below the string is "https://princeton.princetonidentity.com:8443". Then type in the administrator credentials, and select "Refuse self-signed certificates" from the "Security" drop-down box.
Note: The host name must be used for the certificate to work properly. The IP address cannot be used.
Click on "Test Connection". If the devices have been set up properly, you should see a green check mark and "Connection successful". Click on the "Save" button to save the connection details. If the devices cannot communicate, the webpage will say "Failed to authenticate with remote server" after clicking on "Test Connection".
Congratulations, your edge device and IDS are now set up properly to use a custom CA certificate. If you have more devices, the edge device portion of this procedure needs to be repeated for each unit.
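The following shell script is an added example and is not part of the original article or of Princeton Identity's software. It shows the checks a practitioner can run on the certificate and key files before pasting them into the IDS, covering the points the procedure depends on: the PEM marker lines must be intact (five dashes, nothing trailing), the private key must belong to the certificate, the certificate must carry the IDS hostname as a DNS subject alternative name (the reason the hostname, not the IP address, must be used when connecting), and the device clock must fall inside the certificate's validity period (the reason the time must be set after the reboot). The script generates a throwaway self-signed certificate for "ids.example.com" (a constructed hostname) so that it runs offline; it assumes the openssl command-line tool and GNU date are available. The final function, which queries a live IDS on port 8443 and prints the subject and issuer it serves, is the command-line equivalent of the browser check described earlier and is defined but not run in the offline demo.

```shell
#!/bin/sh
# Pre-upload checks for a custom CA certificate (added example, not vendor code).

# Check that the first and last lines are exact PEM markers for LABEL
# (e.g. "CERTIFICATE" or "PRIVATE KEY"): five dashes, no trailing spaces.
pem_markers_ok() {  # $1 file, $2 label
  head -n 1 "$1" | grep -qx -- "-----BEGIN $2-----" &&
  tail -n 1 "$1" | grep -qx -- "-----END $2-----"
}

# Check that the private key's public half matches the certificate's public key
# by comparing SHA-256 digests of the DER-encoded public keys.
cert_matches_key() {  # $1 cert file, $2 key file
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check that the certificate lists NAME as a DNS subject alternative name;
# TLS clients match the hostname against SAN entries, never against the IP.
cert_has_dns_san() {  # $1 cert file, $2 hostname
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Check whether a clock reading (epoch seconds) lies inside the certificate's
# notBefore..notAfter window; this is the check a device with a stale clock fails.
cert_valid_at() {  # $1 cert file, $2 epoch seconds
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  nb_s=$(date -u -d "$nb" +%s) && na_s=$(date -u -d "$na" +%s) || return 2
  [ "$2" -ge "$nb_s" ] && [ "$2" -le "$na_s" ]
}

# Print the subject and issuer the live server presents on port 8443.
# Not invoked below because it needs network access (hostname is an assumption).
served_cert_identity() {  # $1 IDS hostname
  openssl s_client -connect "$1:8443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer
}

# --- Offline demo with a constructed throwaway certificate ---------------------
WORK=$(mktemp -d)
IDS_HOST="ids.example.com"   # constructed hostname, replace with your IDS hostname
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=$IDS_HOST" -addext "subjectAltName=DNS:$IDS_HOST" >/dev/null 2>&1

# A copy with a four-dash marker, the kind of paste error the upload rejects.
sed 's/^-----BEGIN/----BEGIN/' "$WORK/ca.crt" > "$WORK/bad.crt"
# An unrelated key, to show the mismatch check firing.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

NOW=$(date -u +%s)
STALE=$((NOW - 200 * 86400))   # a clock 200 days in the past, as after a cold reboot

pem_markers_ok "$WORK/ca.crt" "CERTIFICATE" && echo "cert markers: ok"
pem_markers_ok "$WORK/ca.key" "PRIVATE KEY" && echo "key markers: ok"
pem_markers_ok "$WORK/bad.crt" "CERTIFICATE" || echo "bad.crt markers: rejected (four dashes)"
cert_matches_key "$WORK/ca.crt" "$WORK/ca.key" && echo "key matches cert: ok"
cert_matches_key "$WORK/ca.crt" "$WORK/other.key" || echo "other.key: does not match cert"
cert_has_dns_san "$WORK/ca.crt" "$IDS_HOST" && echo "SAN contains $IDS_HOST: ok"
cert_valid_at "$WORK/ca.crt" "$NOW" && echo "valid at current time: ok"
cert_valid_at "$WORK/ca.crt" "$STALE" || echo "not valid with clock 200 days behind"
```

Run the script once with the throwaway files to see each check pass or fail as expected, then point the functions at the real certificate and key before pasting them into the IDS; a failing marker check usually means a stray space or a missing dash was copied, and a failing time check on a freshly rebooted device is exactly the symptom the procedure's time-setting step prevents.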