HTTPS Certificates Setup
CVP uses nginx to front and terminate all HTTPS connections. To support HTTPS, the server must be configured with a certificate. A self-signed certificate is generated at first bootup.
The guidelines to import a certificate are:
- Correctly fill the Subject Alternate Name (SAN) IP and DNS fields in both signed and
self-signed certificates:
-
The SAN IP field must contain the IP addresses of all CVP cluster nodes; and the IP address of any IP load balancer used in front of CVP.
-
The SAN DNS field must contain the Fully Qualified Domain Name (FQDN) of the following elements:
- All CVP cluster nodes
- Any Canonical Names (CNAMES) and round-robin DNS names
- Any IP load balancer used in front of CVP
Note: Zerotouch Provisioning (ZTP) and REST API calls can fail if signed certificates are uploaded without appropriate data in SAN fields. -
- When importing a CVP certificate signed by an internal Certificate Authority (CA), the uploaded file must sequentially contain the full trust chain of PEM-encoded certificates like a server certificate, all intermediate certificates (if available), and a root certificate.
- Leave an empty line between every two certificates when importing multiple
certificates into a single file. Note: Do not leave an empty line at the end of the file.
- If the server certificate is self-signed then the server and root certificates are one-and-the-same, so only that single certificate is required.
- CVP does not support wildcard certificates.
To install an HTTPS certificate, navigate to the Settings page (Click on the gear icon) > Certificates (See the figure below).

Install the certificate using one of the following methods:
Generating and Installing Self-Signed Certificate
Installing Public Certificate
Creating a CSR
A server Certificate Signing Request (CSR) file can be created by either your internal CA (along with an associated server key) or via CVP.