To prevent MITM (man-in-the-middle) attacks, when communicating with the orchestrator, the CPE device checks whether the orchestrator certificate can be trusted. By default, root certificates of public certificate authorities are installed on devices.
If your orchestrator is using a certificate signed by a public certificate authority, you do not need to install an additional certificate on the devices. Otherwise, you must add the public root certificate used by the orchestrator on the devices by uploading the certificate to the orchestrator web interface.
Regarding certificate management, consider the following: