TLS (Transport Layer Security), which replaced SSL, is enabled and configured with a self-signed certificate when GitHub Enterprise is started for the first time. As self-signed certificates are not trusted by web browsers and Git clients, these clients will report certificate warnings until you disable TLS or upload a certificate signed by a trusted authority.

To allow users to use FIDO U2F authentication, you must enable TLS for your instance.

To use TLS in production, you must have a certificate in an unencrypted PEM format signed by a trusted certificate authority. Your certificate will also need Subject Alternative Names (SANs) configured for the subdomains listed above and will need to include the full certificate chain if it has been signed by an intermediate certificate authority.
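The two structural requirements above (unencrypted PEM, full chain) can be checked before upload. The following is an added example, not code from GitHub Enterprise. The function names and sample blocks are constructed here, and it assumes the "unencrypted" requirement applies to the private key supplied with the certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Return (certificate_count, key_states) for the PEM blocks in text."""
    certs, keys = 0, []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 marks encryption in the label; traditional OpenSSL keys
            # carry a "Proc-Type: 4,ENCRYPTED" header inside the block.
            enc = (label == "ENCRYPTED PRIVATE KEY"
                   or "Proc-Type: 4,ENCRYPTED" in body)
            keys.append("encrypted" if enc else "unencrypted")
    return certs, keys

def preflight(cert_pem, key_pem, signed_by_intermediate):
    """List the problems that would make the upload unusable."""
    problems = []
    certs, _ = inspect_pem(cert_pem)
    _, keys = inspect_pem(key_pem)
    if certs == 0:
        problems.append("no PEM CERTIFICATE block found (DER or wrong file?)")
    elif signed_by_intermediate and certs < 2:
        problems.append("leaf certificate only; append the intermediate chain")
    if len(keys) != 1:
        problems.append("expected exactly one private key block")
    elif keys[0] == "encrypted":
        problems.append("private key is passphrase-protected")
    return problems

def sample_block(label, headers=""):
    """Constructed placeholder block: correct PEM framing, no real key material."""
    body = base64.b64encode(b"constructed placeholder, not real data").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

LEAF_ONLY = sample_block("CERTIFICATE")
FULL_CHAIN = sample_block("CERTIFICATE") * 2
PLAIN_KEY = sample_block("PRIVATE KEY")
LEGACY_ENC_KEY = sample_block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    for problem in preflight(LEAF_ONLY, LEGACY_ENC_KEY, True):
        print("FAIL:", problem)
```

This checks file structure only; confirming the SANs and that the chain actually validates still requires an X.509 parser, for example `openssl x509 -text`.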

The GitHub Enterprise appliance will send HTTP Strict Transport Security (HSTS) headers when TLS is enabled. Disabling TLS will cause users to lose access to the appliance, because their browsers will not allow a protocol downgrade to HTTP.

Warning: Terminating TLS at a load balancer is not supported. When using TLS (which is recommended), HTTPS traffic must be forwarded directly to the appliance without modification.

For more information on setting up TLS, see "Configuring TLS."