Internal Certificates or default self-signed

  • Question

  • Since auto-enrollment is not supported, what is the best practice for ATA agent installations? While we know internal certificates typically are more secure, this seems counterproductive if you have to install a new cert when it expires and you have a large number of DCs?

    My questions --

    1 -- Are there any plans to just move to self-signed as the default?

    2 -- Will auto-enrollment be supported in the future?

    3 -- What advantages does internal provide over self signed when it comes to ATA agent to ATA Center communications?

    Saturday, August 26, 2017 1:09 PM

All replies

  • In ATA 1.8+ it works exactly like that for GW-Center communication:

    Self signed certs, auto replaced (not renewed) when expired.

    The user doesn't need to do anything about it.

    For existing (upgraded) GWs, the current certs remain until expired, then are replaced by the new self-signed ones.

    If you uninstall/reinstall a GW, you are actually transferring immediately to self signed.

    Saturday, August 26, 2017 6:38 PM
  • OK, I think that's the rumor I heard about 1.8. So what's the downside to using self-signed, or is that the preferred method, you think?
    Saturday, August 26, 2017 11:32 PM
  • We thought that this is the preferred way, as we try to make ATA as self-managing as possible, and this approach allows this. Data is still encrypted using the Center's certs, for which you can use your own if you like.
    Sunday, August 27, 2017 11:07 AM