Communications between the FTK Self-Host Service and its browser-based end-user interface require the use of a certificate.

The certificate must meet the following requirements:

• The certificate format must follow the X.509 standard and be RFC 5280 compliant.

• The signature algorithm used for the certificate must be sha256RSA (SHA-256).

• The private certificate must be provided in password-protected .PFX format.

• The X509v3 Key Usage section of the certificate must contain the Digital Signature and Key Encipherment attributes.

• The X509v3 Extended Key Usage section of the certificate must contain the serverAuth attribute.

• The Subject Alternative Name (“SAN”) should include the FQDN of the host where the certificate will be used, as well as any aliases that might be necessary.

Note: Some implementations may require the purchase of a properly configured certificate from a commercial Certificate Authority.
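
A pre-flight check of a PFX against the requirements listed above, as an added example that is not part of the original page or of the FTK product. The function name Test-SelfHostCertificate, its parameters, and the sample path and host name in the closing comment are assumptions; the SAN parsing relies on the text produced by .NET's Format(), which differs between Windows and other platforms.

```powershell
# Added example (not vendor code): report which of the listed requirements a PFX meets.
# Test-SelfHostCertificate and its parameter names are hypothetical.
function Test-SelfHostCertificate {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $Fqdn
    )
    # .NET resolves relative paths against the process directory, so resolve first.
    $path = (Resolve-Path -LiteralPath $PfxPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path, $Password)

    # Look up an extension by OID; yields $null when the extension is absent.
    $ext = { param($oid) $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } }
    $ku  = & $ext '2.5.29.15'   # Key Usage
    $eku = & $ext '2.5.29.37'   # Extended Key Usage
    $san = & $ext '2.5.29.17'   # Subject Alternative Name

    # Key Usage must carry both Digital Signature and Key Encipherment.
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    $kuOk = [bool]$ku -and $ku.KeyUsages.HasFlag($need)

    # Extended Key Usage must list serverAuth (OID 1.3.6.1.5.5.7.3.1).
    $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    # Pull DNS entries out of the formatted SAN text.
    # Windows prints "DNS Name=host", OpenSSL-backed platforms print "DNS:host".
    $sanText  = if ($san) { $san.Format($false) } else { '' }
    $dnsNames = @([regex]::Matches($sanText, '(?:DNS Name=|DNS:)([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })

    [pscustomobject]@{
        Subject         = $cert.Subject
        # sha256RSA is OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption).
        Sha256Rsa       = $cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11'
        HasPrivateKey   = $cert.HasPrivateKey
        KeyUsageOk      = $kuOk
        ServerAuthEku   = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        # Exact, case-insensitive match only; wildcard SAN entries are not expanded.
        SanContainsFqdn = $dnsNames -contains $Fqdn
        SanDnsNames     = $dnsNames
    }
}

# Example call (constructed path and host name):
# $pw = Read-Host 'PFX password' -AsSecureString
# Test-SelfHostCertificate -PfxPath .\selfhost.pfx -Password $pw -Fqdn 'ftk01.example.internal'
```

Any property reported as False points to the requirement that must be corrected before the certificate is installed; run the check once per alias that clients will use.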