Certificates on ESA

By default, ESA is configured with self-signed certificates, which can only be validated using self-signed CA certificate supplied in Log Forwarder configuration.

Note

Certificate Validation can be bypassed for testing purposes, see section: Install Log Forwarder via Terraform

In case ESA is configured with publicly signed certificates, this section can be skipped since the Log Forwarder will use public CA to validate ESA certificates.

To obtain self-signed CA certificate from ESA:

Download ESA CA certificate from the /etc/ksa/certificates/plug directory of the ESA
After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.
To escape new lines from command line, use one of the following commands depending on your operating system:
Linux Bash:
```
awk 'NF {printf "%s\\n",$0;}' CA.pem > output.txt
```
Windows PowerShell:
```
(Get-Content '.\CA.pem') -join '\n' | Set-Content 'output.txt'
```
Record the certificate content with new lines escaped.
ESA CA Server Certificate (EsaCaCert): ___________________
This value will be used to set pty_esa_ca_server_cert Terraform variable in installation section. Install Log Forwarder via Terraform

For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

Feedback

Was this page helpful?

Last modified : April 27, 2026