Orchestrator certificates

To prevent MITM (man-in-the-middle) attacks, when communicating with the orchestrator, the CPE device checks whether the orchestrator certificate can be trusted. By default, root certificates of public certificate authorities are installed on devices.

If your orchestrator is using a certificate signed by a public certificate authority, you do not need to install an additional certificate on the devices. Otherwise, you must add the public root certificate used by the orchestrator on the devices by uploading the certificate to the orchestrator web interface.

Regarding certificate management, consider the following:

• Each time a new certificate is uploaded in the orchestrator web interface, the certificate is automatically distributed to CPE devices.
• When you first activate a CPE device using a web address, the certificate uploaded to the orchestrator is automatically installed on the device.
• 30 days before the certificate expiration date, the orchestrator begins displaying a notification each time a user authenticates in the orchestrator web interface.