# Assigning a certificate

After you add a certificate to a Site, you can assign it to a RAS Secure Gateway, HALB, Connection Broker API server, Connection Broker API data encryption, or a combination, depending on the usage type that you specified when you created the certificate (described at the [beginning](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/ssl-certificate-management/generating-a-self-signed-certificate.md) of this section). More on the certificate **Usage** option below.

### **Certificate usage**

Certificate **Usage** is an option that you specify when you create a certificate. When setting this option, you can choose from the following:

* **Secure Gateway**: If selected, makes the certificate available for RAS Secure Gateways.
* **HALB**: If selected, makes the certificate available for HALB.
* **Connection Broker API server**: If selected, makes the certificate available for Connection Broker API integration.
* **Connection Broker API data encryption**: If selected, makes the certificate available for API data encryption.

You can select one or more of the options above. For details on how to create a certificate and choose these options, please see [Generating a self-signed certificate](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/ssl-certificate-management/generating-a-self-signed-certificate.md) and [Generating a certificate signing request (CSR)](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/ssl-certificate-management/generating-a-certificate-signing-request-csr.md).

When you configure SSL/TLS for a RAS Secure Gateway, HALB, or Third-Party API later, you need to specify a certificate. For information on how to do this, please see [SSL/TLS encryption](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/ras-secure-gateway/configuring-a-ras-secure-gateway/ssl-tls-encryption.md) and [Configuring HALB in the RAS Console](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/load-balancing-and-halb/high-availability-load-balancing-halb/adding-a-halb-virtual-server.md). When you select a certificate, the following options will be available depending on how the **Usage** option is configured for a particular certificate:

* **\<All matching usage>**: This is the default option, which is always available. It means that any certificate on which the **Usage** selection matches the object type will be used. For example, if you are configuring a Gateway and have a certificate that has **Usage** set to "Gateway", it will be used. If a certificate has both Gateway and HALB usage options selected, it can also be used with the given gateway. This works the same way for HALB when you configure the LB SSL Payload. Please note that if you select this option for a Gateway or HALB, but not a single matching certificate exists, you will see a warning and will have to create a certificate first.
* Other items in the **Certificates** drop-down list are individual certificates, which will or will not be present depending on the certificate's **Usage** settings. For example, if you configure LB SSL Payload for HALB and have a certificate with the **Usage** option set to "HALB", the certificate will appear in the drop-down list. On the other hand, certificates with **Usage** set to "Gateway" will not be listed.

As another example, if you need just one certificate, which you would like to use for all of your Gateways, you need to create a certificate and set the **Usage** option to "Gateways". You can then configure each Gateway to use this specific certificate, or you can keep the default **\<All matching usage>** selection, in which case the certificate will be picked up by a Gateway automatically.

### **Gateways**

To assign a certificate to a RAS Secure Gateway:

1. Navigate to **Farm** > **Site** > **Secure Gateways**.
2. Right-click a gateway and choose **Properties**.
3. Select the **SSL/TLS** tab.
4. In the **Certificates** drop-down list, select the certificate that you created.
5. Click **OK**.

{% hint style="info" %}
**Note**: You can also select the **\<All matching usage>** option, which will use any certificate that has the usage set to Gateway or both Gateway and HALB.
{% endhint %}

### **HALB**

To assign a certificate to a HALB, navigate to **Farm** > **Site** > **HALB**. Assuming that your HALB is enabled and configured, and the **LB SSL Payload** option is selected, follow the instructions below:

1. Click **Configure** next to the **LB SSL Payload** option.
2. A certificate must be used when the **Mode** option is set to **SSL Offloading**. Once again, assuming it is selected, continue to the next step.
3. Click **Configure**.
4. In the **SSL** dialog, select the certificate in the **Certificates** drop-down list.

As with gateways, you can also select the **\<All matching usage>** option, which will use any certificate that has the usage set to HALB or both HALB and Gateway.

### **Connection Broker API Server**

This usage is only needed if access to Parallels RAS is needed via API to a Third-Party Connection Broker (more information [here](https://download.parallels.com/ras/v21/en_US/Parallels-RAS-Connecting-Using-Connection-Broker-API.pdf)). To assign this certificate type, navigate to **Farm** > **Site** > **Connection Brokers** and follow the instructions below:

1. Choose **Tasks** > **Site Defaults** (or choose the properties of an individual Connection Broker to assign to a specific Connection Broker).
2. Choose the **API** tab.
3. Choose **Enable API**.
4. Select the certificate in the **Certificates** drop-down list.

{% hint style="info" %}
**Note**: Different Connection Brokers within the same site can have a different configuration or use a shared configuration at the site level (i.e., each Connection Broker can inherit the site's default).
{% endhint %}

### **Connection Broker API data encryption**

This usage is only needed if access to Parallels RAS is needed via API to a Third-Party Connection Broker (more information [here](https://download.parallels.com/ras/v21/en_US/Parallels-RAS-Connecting-Using-Connection-Broker-API.pdf)), and a specific certificate is needed to encrypt traffic (if no certificate is selected for Third-Party Encryption, traffic will still be encrypted using the default site certificate). To assign this certificate type, navigate to **Farm** > **Site** > **Connection Brokers** and follow the instructions below:

1. Choose the **API** tab (this tab is only visible if the **Enable API** option is chosen in the “Third-Party API” step above).
2. Select the certificate in the **Encryption Certificate** drop-down list.

It is important that Connection Brokers on the same site are set to use the **same** Encryption certificate.
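The matching rules from **Certificate usage** and the same-encryption-certificate requirement above can be checked against an inventory before changes go live. The following is an added example, not Parallels code and not part of the original guide: it models the rules as this page describes them over a constructed inventory, and every certificate name, object name, and the data layout are hypothetical. The page does not say which certificate is chosen when several match **\<All matching usage>**, so the example reports that case for review.

```python
# Added example: models the Usage-matching rules described on this page.
# The inventory layout and all names below are constructed, not exported from RAS.
ALL_MATCHING = "<All matching usage>"

CERTS = {  # certificate name -> Usage options selected at creation (constructed)
    "gw-wildcard": {"Secure Gateway"},
    "edge-shared": {"Secure Gateway", "HALB"},
    "api-enc-a": {"Connection Broker API data encryption"},
    "api-enc-b": {"Connection Broker API data encryption"},
}

OBJECTS = [  # (object name, usage type it needs, value chosen in the drop-down)
    ("GW-01", "Secure Gateway", ALL_MATCHING),
    ("GW-02", "Secure Gateway", "gw-wildcard"),
    ("HALB-01", "HALB", "gw-wildcard"),
    ("CB-01", "Connection Broker API server", ALL_MATCHING),
    ("CB-01/enc", "Connection Broker API data encryption", "api-enc-a"),
    ("CB-02/enc", "Connection Broker API data encryption", "api-enc-b"),
]


def matching(certs, usage):
    """Certificates that would be listed for an object of this usage type."""
    return sorted(name for name, usages in certs.items() if usage in usages)


def audit(certs, objects):
    """Return (object, finding) pairs for assignments that need attention."""
    findings = []
    enc_choice = {}
    for obj, usage, selected in objects:
        candidates = matching(certs, usage)
        if selected == ALL_MATCHING:
            if not candidates:
                findings.append((obj, "no certificate matches usage; create one first"))
            elif len(candidates) > 1:
                findings.append((obj, "several certificates match: " + ", ".join(candidates)))
        elif selected not in candidates:
            findings.append((obj, f"'{selected}' lacks usage '{usage}'"))
        if usage == "Connection Broker API data encryption":
            enc_choice[obj] = selected
    if len(set(enc_choice.values())) > 1:
        findings.append(("site", "Connection Brokers use different encryption certificates"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(CERTS, OBJECTS):
        print(f"{obj}: {finding}")
```

Assigning a specific certificate to each object, rather than leaving the default selection, removes the ambiguity reported for GW-01 in this sample.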


