Create and register certificates for TLS/SSL

  1. Create certificates for ATS ADOS applications (recommended)
  2. Configure self-signed certificate (not recommended)

ATS ADOS applications can be configured to use TLS and therefore require a certificate. A self-signed certificate will work, but it is recommended to use a production-grade certificate issued by a trusted CA.

Create certificates for ATS ADOS applications (recommended)

Follow the steps below to create a certificate for the ADOS web APIs that require HTTPS. This is the recommended approach; self-signed certificates should not be used for the ADOS web APIs.

Open the certificate manager for the local computer using the following command: certlm.msc

Right-click the Personal folder and select All Tasks > Request New Certificate.

Click Next.

Select the Active Directory Enrollment Policy and press Next.


Request a certificate of the type required for the web API (its intended purposes must include Server Authentication) and click Enroll.

Review the certificate and press Finish.

The certificate carries the FQDN in its Subject Alternative Name. The ADOS web APIs (Security Manager, Configuration Manager, License Manager, Bus services, Inspect services, CM4D services) should therefore be configured with the FQDN everywhere a hostname is required, and clients must invoke the services using the FQDN; otherwise the server responds with HTTP 400 Bad Request.

There may be multiple certificates in the Personal store with the same 'Issued To' value. This causes a problem when the certificate that has the 'Server Authentication' intended purpose expires earlier than a certificate with the same CN that does not have that purpose: the ADOS web APIs select the certificate by its subject CN and the longest remaining validity, and do not check the intended purpose, so they will pick the unusable certificate.

It is therefore recommended to check whether the subject common name can be changed in the certificate type selection window (under the template's properties) so that the certificate used by the web APIs has a CN that no other certificate in the Personal store shares.
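The following PowerShell script is an added example, not part of the ATS documentation or product, that reproduces the selection rule described above (matching subject CN, longest validity, intended purpose ignored) against the Local Computer Personal store and warns when the certificate that rule picks lacks the Server Authentication EKU. The CN passed in is an assumed value for your environment.

```powershell
# Added example (not ATS code): show which certificate in Cert:\LocalMachine\My the
# ADOS web APIs would select for a subject CN, and flag a pick without Server Authentication.
param(
    [Parameter(Mandatory)] [string] $SubjectCN   # assumed: the FQDN or CN the web APIs are configured with
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate with no EKU extension is treated here as "intended purpose not set".
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
# GetNameInfo(SimpleName) returns the subject CN when one is present.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($simple, $false) -eq $SubjectCN })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$SubjectCN in Cert:\LocalMachine\My"
    return
}

# Same ordering the text describes: longest validity first.
$report = $candidates | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        ServerAuth    = Test-ServerAuthEku $_
        DnsNames      = ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    }
} | Sort-Object NotAfter -Descending

$report | Format-Table -AutoSize

$picked = $report | Select-Object -First 1
if ($candidates.Count -gt 1) {
    Write-Warning "$($candidates.Count) certificates share CN=$SubjectCN; the web APIs will bind to $($picked.Thumbprint)."
}
if (-not $picked.ServerAuth) {
    $msg = "Selected certificate {0} has no Server Authentication EKU; TLS clients will reject it." -f $picked.Thumbprint
    Write-Warning $msg
}
if (-not $picked.HasPrivateKey) {
    Write-Warning "Selected certificate $($picked.Thumbprint) has no private key in this store."
}
```

Run it from an elevated PowerShell prompt on the ADOS server, for example `.\Check-AdosCert.ps1 -SubjectCN ados01.corp.example`. If it reports more than one candidate, remove or re-issue the surplus certificate, or change the CN of the web API certificate, before the shorter-lived Server Authentication certificate expires.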

Configure self-signed certificate (not recommended)

The ATS Security Manager installers do not provide or install a self-signed certificate. However, a temporary certificate can be created after ATS Security Manager and ATS Configuration Manager are installed.

A temporary certificate can be created using the following PowerShell command:

New-SelfSignedCertificate -DnsName <FQDN>, <Hostname> -CertStoreLocation "cert:\LocalMachine\My" -NotAfter "2030-01-01" -Subject "CN=AtsSecuritySelfSignedCert"

Replace <FQDN> with the fully qualified domain name of the server and <Hostname> with its short host name.

This creates a certificate with the common name AtsSecuritySelfSignedCert in the Local Computer certificate store under Personal. Copy this certificate (the public part only, without the private key) to Trusted Root Certification Authorities on the server, and on every client that calls the web APIs, so that the chain is trusted. Because the certificate then acts as a trust anchor on those machines, keep its private key confined to the server and remove the certificate from the Trusted Root stores once a CA-issued certificate is in place.
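The following PowerShell script is an added example, not part of the ATS documentation or installers, that performs the temporary-certificate procedure above end to end on the server: it refuses to create a duplicate CN (which would trip the selection problem described earlier), creates the certificate with the same parameters as the documented command, exports only the public certificate, imports it into the Local Computer Trusted Root store and verifies that a server-authentication chain now builds for the FQDN. The FQDN and host name are assumed values; the subject and expiry default to those in the documented command.

```powershell
# Added example (not ATS code): create the temporary self-signed certificate, trust it
# locally and verify the chain. Run from an elevated PowerShell prompt on the ADOS server.
param(
    [Parameter(Mandatory)] [string] $Fqdn,        # assumed: e.g. ados01.corp.example
    [Parameter(Mandatory)] [string] $ShortName,   # assumed: e.g. ados01
    [string]   $Subject  = 'CN=AtsSecuritySelfSignedCert',
    [datetime] $NotAfter = '2030-01-01'
)

# The web APIs pick a certificate by CN and longest validity, so never create a second
# certificate with the same subject: it could silently change which one is served.
$existing = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
if ($existing.Count -gt 0) {
    throw "A certificate with subject '$Subject' already exists: $($existing.Thumbprint -join ', ')"
}

# Same parameters as the documented command; both the FQDN and short name go into the SAN.
$cert = New-SelfSignedCertificate -DnsName $Fqdn, $ShortName `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter $NotAfter -Subject $Subject
Write-Host "Created $($cert.Thumbprint) valid until $($cert.NotAfter)"

# Export the public certificate only (.cer). The private key stays in the Personal store;
# this is the file to import into Trusted Root on each client as well.
$cerPath = Join-Path $env:TEMP ("{0}.cer" -f ($Subject -replace '^CN=', ''))
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Write-Host "Public certificate exported to $cerPath"

# Trust it on this machine so the chain validates for the web APIs' own health checks.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify: does a chain build for TLS server authentication with the FQDN as the DNS name?
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue
if ($trusted) {
    Write-Host "Chain validates for https://$Fqdn/ on this machine."
} else {
    Write-Warning "Chain does not validate for $Fqdn; check the Trusted Root import and the SAN."
}

# Clients must import the same .cer into their Trusted Root store, for example:
#   Import-Certificate -FilePath .\AtsSecuritySelfSignedCert.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Clients should call the services with the FQDN, not the short name, because that is the name the APIs are configured with and the one the chain was verified against. When the CA-issued certificate is installed, delete the self-signed certificate from Trusted Root on the server and on every client, since any holder of its private key could otherwise impersonate the server to those machines.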

For further information on working with certificates, please refer to the official documentation.

For additional documentation regarding configuration on Kestrel please refer to the official documentation. 
