Best Practices

The following are the best practices:
  • For auto-enrollment, create a separate certificate group and CA policy in AppViewX.

  • Enable auto-renewal in the AppViewX policy.

  • During policy creation, select only the required key bit length (minimum 2048 bits).

  • For machine enrollment, define an expected domain name in the CA policy for machine CSRs (for example, *.appviewx.com) to avoid issuing certificates to machines in other domains.

  • It is recommended to use TLS authentication with AppViewX EST clients.

  • It is recommended to trust only a private/internal CA for client authentication (trusting a public CA to validate clients is not recommended).

  • Select the appropriate certificate type: Server or Client (select Server only if it is a server certificate, and Client for machine and user certificates).

  • The recommended validity for the issued certificate is one year.

  • Use a trusted CA-signed certificate on the gateway for the EST URL.
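
The key length, expected domain, validity and certificate type items above can be audited independently of the CA policy. The following is an added example, not AppViewX code: the record layout, the `POLICY` names, the single-label wildcard rule and applying the 2048-bit minimum to RSA keys are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Policy values from the list above; the dict layout and names are hypothetical.
POLICY = {"min_rsa_bits": 2048, "expected_domain": "*.appviewx.com",
          "max_validity": timedelta(days=365), "client_enrollments": {"machine", "user"}}

def matches_expected_domain(name, pattern):
    """True if name fits pattern; a leading '*' covers exactly one DNS label
    (assumption: RFC 6125-style matching, not a documented AppViewX rule)."""
    n = name.rstrip(".").lower().split(".")
    p = pattern.rstrip(".").lower().split(".")
    if len(n) != len(p) or "" in n or "*" in n:
        return False  # wrong depth, empty label, or a wildcard request
    return n[1:] == p[1:] and (p[0] == "*" or n[0] == p[0])

def audit(record, policy=POLICY):
    """Return the list of best-practice violations for one parsed record."""
    findings = []
    if record["key_type"] == "RSA" and record["key_bits"] < policy["min_rsa_bits"]:
        findings.append("key below 2048 bits")
    if not record["dns_names"]:
        findings.append("no DNS name to check")
    for name in record["dns_names"]:
        if not matches_expected_domain(name, policy["expected_domain"]):
            findings.append("name outside expected domain: " + name)
    if record["not_after"] - record["not_before"] > policy["max_validity"]:
        findings.append("validity longer than one year")
    if record["enrollment"] in policy["client_enrollments"] and record["cert_type"] != "Client":
        findings.append("machine/user certificate not issued as type Client")
    return findings

# Constructed sample records (not real issuance data).
START = datetime(2024, 1, 1)
GOOD = {"key_type": "RSA", "key_bits": 2048, "dns_names": ["host01.appviewx.com"],
        "not_before": START, "not_after": START + timedelta(days=365),
        "enrollment": "machine", "cert_type": "Client"}
BAD = {"key_type": "RSA", "key_bits": 1024,
       "dns_names": ["host01.appviewx.com.example.net", "a.b.appviewx.com"],
       "not_before": START, "not_after": START + timedelta(days=730),
       "enrollment": "machine", "cert_type": "Server"}

if __name__ == "__main__":
    for label, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(rec) or "compliant")
```

Feed it fields parsed from CSRs or issued certificates to spot requests that a loosely configured policy would have accepted.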