<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1110556&amp;fmt=gif">
Skip to content
Meet Our Experts Customize My Content Contact Us
      June 22, 2021

      What Kind of Certificates Should I Use for Automic Automation v21?

      Written by: Oana Botez
      Key Takeaways
      • Select appropriate certificates for secure communication, enhancing the safety of your automation processes.
      • Utilize trusted certificate authorities to ensure the validity and reliability of your security certificates.
      • Monitor certificate expiration dates to proactively manage renewals and prevent service disruptions.

      The next version of Automic Automation mandates TLS/SSL for communications between the engines, Automic Web Interface (AWI), and most agents. Customers have to decide what type of certificates they will use to secure the communications across Automic.

      A public-key certificate contains information like name, hostname/domain name/IP address, validity period, the location that can be used to identify the owner (server), and the public key that the client uses to verify the server. By signing the certificate with a digital signature, for example, Public Certificate Authority (CA), you can ensure that the certificate is valid and trusted by all clients who trust this CA.

      The Automic Automation TLS/SSL implementation uses public-key certificates in X.509 format and TLS version 1.2 for secure connections between the server and AWI/agents.

      There are several questions that customers need to ask before moving to Automic Automation v21:

      • Does your company already use certificates signed by a third-party CA, and can they also be used for Automic?
      • Do you need to comply with strict security standards when using Automic Automation, especially in production environments?
      • Who is going to be responsible for managing the certificates? Is there a dedicated person/team for the Public Key Infrastructure (PKI) in the company?
      • Who will be responsible for installing/distributing certificates and configuring TLS/SSL for Automic Automation?
      • How many certificates will you need? Is it just a couple for your Automic servers, or do you have to manage multiple servers spread across many locations and need to have a centralized view?
      • How important is connection security? What’s the worst that could happen if a certificate is expired or is compromised?

      Based on your company’s requirements and resources, three main types of TLS/SSL certificates are available to secure communications.

       

      Certificates Signed by a Public Certificate Authority

      The main benefit of using certificates signed by a Public CA (DigiCert, Microsoft, Let’s Encrypt, ...) is that they are usually already trusted by many operating systems or applications, thus eliminating the effort of deploying them to all clients.

      The root certificates of these authorities, or intermediate ones signed by the root CA, are often installed as trusted certificates in the Windows certmgr, Unix OpenSSL truststore, or the Java trusted Keystore cacerts.

      A CSR (Certificate Signing Request) must be created and sent to the responsible authority to have certificates signed by a CA. Typically IT departments take care of CSRs, and public CAs offer APIs to send CSRs.

      Commercial CA certificate renewal can be done either by using vendor-specific tools or via their website.

       

      Certificates Signed by an Internal Certificate Authority

      For testing purposes or applications that are not Internet-facing, another alternative uses the benefits of having CA-signed certificates without turning to third-party vendors - creating your own Certificate Authority.

      The root certificate of the internal CA can then be used to sign certificates for hostnames and domains within the company. A CSR request is required to sign other certificates with this CA.

      Certificates signed by an internal CA can be renewed by re-using the previous private key/CSR to create a new server certificate.

       

      Self-Signed Certificates

      While using self-signed certificates gives you the flexibility to manage your security without being a TLS expert, renewing and distributing them is your responsibility.

      There are plenty of free tools to generate self-signed certificates, like Java’s keytool, openssl, or via the UI of KeyStore Explorer. To renew self-signed certificates, you will need to replace the old certificates with new ones.

       

      What To Do Next

      The decision of which kind of certificates to use for your Automic systems should be carefully considered, as it determines not only how secure the connections will be but also influence the amount of time you need to invest in renewing and deploying the certificates.

      Sometimes, a combination of the above might be the best way to go, depending on your security needs and knowledge of TLS/SSL.

      We have created a series of guides to walk you through the creation and deployment of certificates across a new Automic Automation v21 installation:

      Tag(s): Automation , Automic Automation , Upgrading

      Oana Botez

      Oana is a Product Owner at Broadcom with responsibility for the Automic Automation product and has a background in Software Engineering. Her current focus is on improving security by implementing modern standards like TLS/SSL and on delivering the first container-based solution of Automic.

      Other resources you might be interested in

      icon
      Solution and Capabilities Briefs December 5, 2025

      Carrier-Grade Network Observability: A Technology Brief for Telco Network Operations

      Network Observability by Broadcom unifies data to provide contextual, AI-enabled insights for superior service availability, accelerated MTTR and improved MTTI, reduced operational costs, and the...

      Read Technology Brief
      icon
      Blog December 3, 2025

      You've Found the Waste In Your Network Operations. Now What?

      Leverage the Six Sigma framework to gain a roadmap for converting network data into permanent optimizations. Start systematically eliminating network issues.

      Read Blog
      icon
      Blog November 26, 2025

      The Silent Sabotage of Configuration Drift

      See how manual network changes lead to configuration drift, which can cause security holes, compliance violations, and network outages.

      Read Blog
      icon
      Course November 25, 2025

      AAI - Configuring & Responding to Jobstream Alerts

      This course walks you through how jobstream alerts work in AAI, and how to tailor them to your workload needs.

      Go to Training
      icon
      Office Hours November 25, 2025

      Rally Office Hours: November 20, 2025

      Get the scoop on the latest Rally updates, including new AI features, customizable planning boards, and essential tips for managing service accounts and custom views.

      View Recording
      icon
      Course November 24, 2025

      AAI Fundamentals

      Gain a solid introduction to Automation Analytics and Intelligence (AAI)—a powerful platform that unifies and optimizes automated workflows across complex IT environments.

      Go to Training
      icon
      Blog November 19, 2025

      Is Your Network Modernization Frozen by Fear?

      See how the “if it ain’t broke, don’t fix it” mindset delays many network modernization projects. Employ network observability and migrate with confidence.

      Read Blog
      icon
      Blog November 13, 2025

      The Seven Wastes of Network Operations

      Discover the seven common areas of waste in network operations, and see how network observability helps you systematically eliminate this waste.

      Read Blog
      icon
      Blog November 13, 2025

      Your NOC's Most Important New Skill? Ignoring Things

      See why collecting more data has backfired, creating alert fatigue and burying critical problems in noise. Harness observability to focus on what’s relevant.

      Read Blog