How To Add a Third Party Certificate to a Cloud Service Appliance

Version 26

    Verified Product Versions

    Endpoint Manager 9.6Endpoint Manager 2016.xEndpoint Manager 2017.xEndpoint Manager 2018.x

    If a  2048-bit  SSL certificate is required on a Cloud Service Appliance, you will need to purchase such certificate from a third party. See SSL Certificate Requirements here: SSL Certificate Requirements for LANDESK Cloud Service Appliance.




       1. To check CSA version, login to your CSA and click the About button on the left-hand side. If version is 4.3.1-173 or higher, proceed to "Setting CSA to SHA2/SHA256"

       2.  If CSA version is lower than 173, there are 2 ways to update the CSA:

             a. Update through web browser -    

                   i. login to the CSA

                   ii. select System button from the left-hand side.

                   iii. select the Updates tab.

                   iv. Click the "scan for updates" button.

                   v. Click the check box next to the update and then click the "Apply Updates" button.

            b. Manually update the CSA - How To Download and Patch the Cloud Service Appliance ( CSA ) version 4.3/4.4 manually


    The CSA will likely still be set to SHA1. It needs to be set to SHA2/SHA256 before uploading the cert. The steps for that are below:


    Setting CSA to SHA2/SHA256

    1. On the Gateway Service Page change the "Server Encryption Digest Algorithm" to SHA256
    2. Change "TLS minimal protocol level" to "TLSv1.1"
    3. Click Save.
    4. On the Manage LDMG Certificates Page click "remove" next to both self-signed certificates
    5. Reboot appliance
    6. Click "remove" next to any self-signed certificates left
    7. On the Manage LDMG Certificate page  click "Add LDMG Certificate" paste in end-entity certificate information
    8. Reboot appliance


    Uploading the cert to the CSA

    1. Login to the CSA
    2. Go to "Manage LDMG certificates"
    3. Click "Create CSR"
    4. Enter information as required. Most vendors will now provide a SHA256 even if you request SHA1. Click the "Create" button.
    5. This will take you back to the Manage LDMG certificates page. Under type, find "Request". Click the display link on the "Request" line.
    6. Copy the text out of the popup window. This is the text you'll provide the vendor.
    7. Submit the request to the vendor. Once you receive your certificate back, proceed to next step.
    8. Typically the vendor will send a bundle. Open the bundle cert in a text editor (we recommend Notepad ++ for PC and TextWrangler for Mac). Copy all the text including the ---BEGIN and ---END.  If the vendor does not send a bundle certificate you will need to manually paste the certificates together into a chain in the order below.

    3-cert Bundle                          4-cert Bundle
    End Entity (server cert)              Server
    Intermediate                             Intermediate 2
    CA                                           Intermediate 1

                                                   CA Root


    1. Log back into the CSA and navigate to the "Gateway service" button.
    2. Make sure the server digest algorithm matches the certificate. Apply any changes and make sure to click the Save button.
      1. How to apply a SHA2 Certificate to the 4.3 CSA
    3. On the Manage LDMG Certificates Page click "remove" next to both self-signed certificates
    4. Reboot appliance
    5. Click "remove" next to any self-signed certificates left
    6. On the Manage LDMG Certificate page  click "Add LDMG Certificate" paste in end-entity certificate information
    7. Reboot appliance


    Note: After the 3rd part cert is applied to your CSA; go into LDMS - Configure - Manage Cloud Service Appliance. With the 3rd party cert, the external name and internal name for the CSA must be the same for the 3rd party cert to work. They will both need to be the same name found on the 3rd party cert. This is usually the external name.


    Note: If you forgot to save the changes after the drop-down in step 10 and lose access to the CSA, follow the steps below, and then reapply this document.


    1. Open Putty.exe (included with LDMS console installations). You can also download putty from
    2. Once opened, you should be on the session tab. Enter the host name or IP address of the CSA. Be sure that SSH is checked and you are using port 22.
    3. Login with the admin username and password.
    4. Type sudo su / sudo -s
    5. Type the admin password
    6. cd /root/.certs
    7. Delete the all certificates with the rm command.(Leave the .broker-priv.key, and the .0 file and .key file)
    8. Reboot, and you should be able to login to the CSA again.