Best Practices
The following are the best practices:
- For auto-enrollment, create a separate certificate group and CA policy in AppViewX.
- Enable auto-renewal in the AppViewX policy.
- During policy creation, select only the required bit length (minimum 2048 bits).
- For machine enrollment, define an expected domain name in the CA policy for machine CSRs (for example, *.appviewx.com) to avoid issuing certificates to machines in other domains.
- Use TLS authentication with AppViewX EST clients (recommended).
- Trust only a private/internal CA for client authentication (trusting a public CA to validate clients is not recommended).
- Select the appropriate certificate type: Server or Client (select Server only if it is a server certificate, and Client for machine and user certificates).
- The recommended validity for the issued certificate is one year.
- Use a trusted CA-signed certificate on the gateway for the EST URL.
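
The policy items above (bit length, expected domain, certificate type, validity) can be expressed as a pre-issuance check. The following is an added example, not AppViewX code: the `Policy` fields, the request dictionary layout, and the rule that `*` covers exactly one left-most label are assumptions made for illustration. It shows why the expected-domain check should compare whole DNS labels rather than a string suffix.

```python
# Added illustration, not AppViewX code. Field names are hypothetical and the
# request dicts stand in for values already parsed from a CSR.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    expected_domain: str = "*.appviewx.com"  # pattern from the checklist example
    min_key_bits: int = 2048                 # minimum bit length
    max_validity_days: int = 365             # one year
    cert_type: str = "Client"                # "Server" or "Client"

def name_matches(pattern: str, name: str) -> bool:
    """Label-wise match. Assumption: '*' covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or "" in n:
        return False                         # wrong depth or empty label
    if p[0] == "*":
        # The requested name must be a concrete host, not itself a wildcard.
        return n[0] != "*" and p[1:] == n[1:]
    return p == n

def check_request(req: dict, policy: Policy = Policy()) -> list:
    """Return the list of policy violations; empty means the request passes."""
    problems = []
    if req["key_bits"] < policy.min_key_bits:
        problems.append(f"key length {req['key_bits']} < {policy.min_key_bits}")
    if not req["names"]:
        problems.append("no subject name in request")
    for name in req["names"]:
        if not name_matches(policy.expected_domain, name):
            problems.append(f"name {name!r} outside {policy.expected_domain}")
    if req["validity_days"] > policy.max_validity_days:
        problems.append(f"validity {req['validity_days']}d > {policy.max_validity_days}d")
    if req["cert_type"] != policy.cert_type:
        problems.append(f"type {req['cert_type']!r}, policy is {policy.cert_type!r}")
    return problems

# Constructed sample requests.
GOOD = {"names": ["host01.appviewx.com"], "key_bits": 2048,
        "validity_days": 365, "cert_type": "Client"}
BAD = {"names": ["host01.notappviewx.com", "appviewx.com.example.net"],
       "key_bits": 1024, "validity_days": 730, "cert_type": "Server"}

if __name__ == "__main__":
    for label, req in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_request(req) or "ok")
```

A plain `endswith("appviewx.com")` test would accept `host01.notappviewx.com`; the label comparison rejects it.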