Communication between the WAF Administration Interface and the WAF appliance is done using HTTPS protocol.
Prior to the 6.5.1 version, the certificate was self-signed.
Since the 6.5.1 version, a unique PKI is created for each cluster. At the first connection or when applying (RSE installation), the Administration Interface will ask you to accept the certificate.
Once accepted, it will be put in the Administration Interface's Keystore and It will not be asked to accept it again (unless it has changed).
From the Administration Interface, in the Preferences menu, go to Keystore explorer to manage these certificates.
The synchronization to the Managed appliances will only happen if the certificates are valid.
If anything goes wrong while doing an apply, there will be a synchronisation error message. You will then have to go into the Global Settings, then Disable check ssl peer. This will temporary disable the SSL checks between Management and Managed and allow the apply which will synchronize the certificates between appliances.
Via the TUI, in the Appliance Management and User Management menu, more options about certificates are available.