Generating and importing a CA-signed SSL certificate for the application server - Documentation for TrueSight Network Automation 21.08

Network Automation does not support certificates with key size less than 2048-bits and an encryption algorithm weaker than SHA256WithRSA.

In versions earlier than 20.02, keystore is re-generated during upgrade in case it contains a weak application server-generated certificate (KEY_NUM_BITS is less than 2048 or CERTIFICATE_ALGORITHM is SHA1). However, if you have added other certificates (for example, any third-party certificates) to the keystore before upgrade, they are lost during regeneration.

Starting from 20.02, keystore is regenerated only if the certificate is weak and keystore does not contain any other certificates except the application server-generated one. As application server doesn't regenerate the keystore in cases where you have other certificates, we recommend that you evaluate your existing certificates for weak keysize and algorithm, and manually upgrade certificates if required.