Signing Cybersecurity Admin Expert certificates

Device certificates are required to enable encrypted communication between devices within the system network. For more information on Cybersecurity Admin Expert (CAE) certificates, see Cybersecurity Admin Expert certificate management.

Certificate Policy

For the manual enrollment of the devices and software (including CAE itself) within the system network, CAE lets you define the certificate policy to be applied.

To define the certificate policy of the system, go to Security Settings > Certificate Management > Certificate Policy, and then choose one of the following digital certificate modes:

  • Self-signed
    For systems not supporting PKI (no Certificate Authority). The device certificates are self-signed.
  • PKI only
    The devices and software, including CAE, are enrolled in the Certificate Authority (CA).
  • PKI
    Same as PKI only, except that it also accepts some devices/software that are not enrolled in the CA.

NOTE: The PKI and PKI only certificate modes require CAE to be enrolled and to have a CAE signed certificate.

To enroll CAE manually:

  1. In Security Settings > Certificate Management > Certificate Policy, click Generate CAE enrollment request to generate a Certificate Signing Request (CSR) for CAE.
  2. Submit the Certificate Signing Request (CSR) to the Certificate Authority and get the CAE certificate signed.
  3. Add the CAE signed certificate to your Windows Certificate Store.
  4. See the following table for certificate policy parameters.

Certificate policy parameters

Label: Certificate mode
Description: Available modes are:
  • Self-signed
  • PKI
  • PKI only
Content: Self-signed by default

Label: Enforce certificate expiration
Description:
  ON: Expired certificates will not be accepted.
  OFF: Expired certificates will be accepted.
Content: OFF by default

Label: Enable certificate revocation (NOT configurable for self-signed certificates)
Description: Checks whether the certificate is revoked by the CA or not.
  ON: Enabled
  OFF: Disabled
Content: OFF by default

Label: Enforce certificate status check (NOT configurable for self-signed certificates)
Description: Revoked certificates will be rejected.
  ON: Enabled
  OFF: Disabled
Content: OFF by default
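
The following PowerShell script is an added example, not part of the CAE documentation or product. Before the signed CAE certificate is added to the Windows Certificate Store (step 3 of the manual enrollment), it runs the same kinds of checks the policy parameters describe: validity period, chain to the CA, and revocation status. The file path and the target store are assumptions, because the page names neither.

```powershell
# Added example. Assumptions (not from the CAE documentation):
#   $CertPath  - hypothetical path of the certificate returned by the CA
#   $StorePath - assumed target store; use the store your deployment requires
param(
    [string]$CertPath  = 'C:\Temp\cae-signed.cer',
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [switch]$Import
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath

# Validity window: an expired certificate is what "Enforce certificate expiration" rejects when ON.
$now = Get-Date
$outsideValidity = ($now -lt $cert.NotBefore) -or ($now -gt $cert.NotAfter)

# Build the chain with online revocation checking for every element.
# The issuing CA's root must already be trusted on this machine for Build() to succeed.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainValid = $chain.Build($cert)

# Summary for the operator. A CA-signed certificate should not report SelfSigned = True.
[pscustomobject]@{
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    NotBefore       = $cert.NotBefore
    NotAfter        = $cert.NotAfter
    OutsideValidity = $outsideValidity
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
    ChainValid      = $chainValid
    ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}

if ($Import) {
    # Refuse to import a certificate that fails the checks above.
    if ($outsideValidity -or -not $chainValid) {
        throw "Certificate failed validation; not importing $CertPath"
    }
    Import-Certificate -FilePath $CertPath -CertStoreLocation $StorePath
}
```

Run it without -Import first to review the summary, then rerun with -Import from an elevated session once the values are as expected.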