System - WAF Certificate Synchronization
- Last Updated: May 22, 2026
- MOVEit Transfer
- Version 2026
- Version 2025
- MOVEit Organizations ("orgs") with dedicated endpoints.
- High Availability environments (Web Farms).
- The regular frequency and cadence of TLS/SSL certificate updates.
Task 1: Enable the MOVEit WAF REST API
(You need sign-on credentials to the WAF for this.)
Go to MOVEit WAF and enable the REST API. MOVEit WAF needs the REST API enabled in order to communicate with MOVEit Transfer.
- Send the WAF a control command. For example:
  /access/set?param=enableapi&value=1
- Enable the API through the Remote Access tab of the WAF UI.

Task 2: Register MOVEit Transfer with MOVEit WAF (done at WAF)
Before you begin, you will need to register your MOVEit Transfer application with the MOVEit WAF in order to get values for MOVEit WAF Endpoint and MOVEit WAF API Key.
- Sign on to MOVEit WAF.
- From the MOVEit WAF Administrator Interface, create a MOVEit WAF user that is dedicated to the connection with MOVEit Transfer and has the Certificate Creation permission. (If you already have a dedicated user created at MOVEit WAF, skip this step.)
From the MOVEit WAF web interface: System Configuration -> System Administration -> User Management. The MOVEit WAF user needs the Certificate Creation permission.
- Copy the application key from the MOVEit WAF user's permission page. (This will be used for MOVEit WAF API Key.)
Task 3: Configure and Save Auto-sync Connection (at MOVEit Transfer)
To configure the MOVEit Transfer WebUI/API endpoint for auto sync with MOVEit WAF, you need the following fields completed:
- MOVEit WAF Endpoint. This is the endpoint over which the MOVEit WAF receives HTTP/S traffic.
- MOVEit WAF API Key. This is the key added at MOVEit WAF for the MOVEit WAF service user created for MOVEit Transfer.
Note: For each org with the Auto-sync feature enabled, you will need at least a temporary certificate uploaded. Certificate Identifiers must match the organization ID (orgID).
- Sign on to the MOVEit Transfer WebUI and open SETTINGS > System > WAF - Certificate Synchronization.
The Settings (System) view displays.
Figure 1. System Admin Setting for Org WAF Certificate Autosync
- Type in values for MOVEit WAF Endpoint and MOVEit WAF API Key that you saved from the previous task.
- Click Save.
Task 4: Test the Connection and Enable the Certificate Auto Sync
Once you have filled in the MOVEit WAF Endpoint and MOVEit WAF API Key fields, do the following:
- Click the Test Connection button to ensure you have the expected end-to-end connection to synchronize the SSL/TLS certificate with MOVEit WAF.
- As an optional last step, you can choose Enabled for the Automatically upload approved certificates... drop-down list. Otherwise, SSL/TLS certificates successfully uploaded by MOVEit Transfer Org admins will not be automatically synchronized with the WAF (sysadmins will need to synchronize these certificates one by one, manually, each time an Org admin successfully uploads a new certificate).
Note: For more information, see the section titled Managing Automatic Certificate Sync Behavior.
Managing Automatic Certificate Sync Behavior
The following table outlines behavior for the Automatically Upload Approved Certificates... drop-down selector.
| Upload Cert Selection | Description |
|---|---|
| Turned Off | Initial state. |
| Enabled | Allows org admins to upload SSL cert for their org to be synchronized with the Web Application Firewall (WAF). |
| Disabled | Successful upload of SSL cert for the org will not be synchronized automatically with the WAF. |
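
One way to confirm that a synchronization actually reached the WAF, as an added example (not Progress code and not part of this documentation): it compares the SHA-256 fingerprint of the certificate an org admin uploaded with the certificate presented on that org's endpoint, which is most useful when auto-sync is Turned Off or Disabled and sysadmins synchronize manually. It assumes each org's dedicated endpoint is reachable by its own hostname on port 443; the hostnames and certificate bytes in `demo()` are constructed.

```python
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file's text."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:end])).hexdigest()

def served_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the leaf certificate the endpoint presents for this SNI name."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: a temporary certificate may not
    # validate, and audit() compares against the exact expected certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def audit(expected, probe=served_fingerprint):
    """Return {hostname: 'in-sync' | 'stale' | 'unreachable: <error>'}."""
    report = {}
    for host, pem_text in expected.items():
        try:
            served = probe(host)
        except OSError as exc:  # refused, timed out, TLS handshake failure
            report[host] = "unreachable: " + type(exc).__name__
            continue
        report[host] = "in-sync" if served == pem_fingerprint(pem_text) else "stale"
    return report

def demo():
    # Constructed data: placeholder bytes stand in for DER, hostnames are made up.
    renewed = {"org1001.example.test": b"constructed org 1001 renewed cert",
               "org1002.example.test": b"constructed org 1002 renewed cert"}
    expected = {h: ssl.DER_cert_to_PEM_cert(d) for h, d in renewed.items()}
    # Simulated WAF: org 1002 still presents its temporary certificate.
    on_waf = dict(renewed, **{"org1002.example.test": b"constructed org 1002 temporary cert"})
    return audit(expected, probe=lambda h: hashlib.sha256(on_waf[h]).hexdigest())

if __name__ == "__main__":
    print(demo())
```

To run it against real endpoints, pass `audit()` a dictionary of org hostname to the text of the PEM file that was uploaded for that org and leave `probe` at its default.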