<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Webui cert for HA PA's in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33050#M24218</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I ran into the same issue and what I found out is that if you are running an Active/Passive config you can only have one WebUI cert per cluster. To get it so you don't have a cert issue, issue the cert for the HA IP address and use that for your login. You are not able to have a cert per device but one for the cluster.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 12 May 2015 14:04:24 GMT</pubDate>
    <dc:creator>murphyj</dc:creator>
    <dc:date>2015-05-12T14:04:24Z</dc:date>
    <item>
      <title>Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33045#M24213</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am trying to assign an external cert to the webui so I don't get the warning message anymore. I imported my cert to the primary box and the setting did not fully synchronize to the passive box. I noticed there is an import and an import HA; do I have to use import HA to make it sync to both boxes?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 12:45:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33045#M24213</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-05-12T12:45:46Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33046#M24214</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The import HA key function is related to the encryption of your HA traffic. Basically, you have to export the key from one firewall, and import it into the other one and vice versa. You only need to do that if you enabled encryption in your HA settings (in Device -&amp;gt; High Availability). What is the current status of your HA on your dashboard? Does it say it's synchronized?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Benjamin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 13:47:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33046#M24214</guid>
      <dc:creator>BenjAudy.MTL</dc:creator>
      <dc:date>2015-05-12T13:47:10Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33047#M24215</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What we are trying to do is use our local CA to sign the cert for the webui. So I generated a CSR, imported it into the active PA and then selected that it be applied to the webui. When I went to the passive side I could see the cert but the use on webui was not selected. Then the sync began to fail and then the cert disappeared and the only way I could bring them back into sync was to do it from the passive side.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 13:51:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33047#M24215</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-05-12T13:51:06Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33048#M24216</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I understand that you generated the certificate on the firewall but had it signed by your local root CA. That is what we did and it is working for us. Make sure you also import your local root CA so you have the whole chain in your configuration. I can't help you with your synchronization issue, though.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:00:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33048#M24216</guid>
      <dc:creator>BenjAudy.MTL</dc:creator>
      <dc:date>2015-05-12T14:00:58Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33049#M24217</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So did you import the cert to both the active and passive PAs? Did you have to export or import any of the private keys? What was your process? It appears the sync issues were related to the installation of the cert on the active node.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:04:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33049#M24217</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-05-12T14:04:15Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33050#M24218</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I ran into the same issue and what I found out is that if you are running an Active/Passive config you can only have one WebUI cert per cluster. To get it so you don't have a cert issue, issue the cert for the HA IP address and use that for your login. You are not able to have a cert per device but one for the cluster.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:04:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33050#M24218</guid>
      <dc:creator>murphyj</dc:creator>
      <dc:date>2015-05-12T14:04:24Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33051#M24219</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So it has to be assigned to the HA name and IP, not the individual PA box name?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:06:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33051#M24219</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-05-12T14:06:47Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33052#M24220</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We did issue the cert for the HA name and the HA IP address and only imported it to the active node and that didn't work. Then we began to have sync issues and then the cert disappeared.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:12:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33052#M24220</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-05-12T14:12:22Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33053#M24221</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In my case, I generated a certificate for each firewall (I'm also in active-passive mode). The certificates for the web UI are not synchronized but the other certificates are. Maybe you synchronized the firewall before selecting the "Certificate for Secure Web GUI" option?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Benjamin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:12:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33053#M24221</guid>
      <dc:creator>BenjAudy.MTL</dc:creator>
      <dc:date>2015-05-12T14:12:26Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33054#M24222</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don't know, but it didn't work till I selected certificate for secure web gui on the passive node, and then it went out of sync, and the only way to sync it was from the passive side, which wiped out the changes on the active side to make them alike.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:16:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33054#M24222</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-05-12T14:16:52Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33055#M24223</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So did you create a separate CSR for each node and import them? Did the cert from the active side also sync to the passive side and did you end up having two on each box? Did you have to swap any private keys?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:19:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33055#M24223</guid>
      <dc:creator>jdprovine</dc:creator>
      <dc:date>2015-05-12T14:19:32Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33056#M24224</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I ended up making the PA a Sub-CA since I was going to be doing decryption, but you should be able to do a CSR from the active and get the cert. Click on the cert and set it as the webui cert and commit. Once you do that it should sync over, but when you do this you will still get an error every time you connect to each system individually and no error when you connect to the cluster address.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:44:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33056#M24224</guid>
      <dc:creator>murphyj</dc:creator>
      <dc:date>2015-05-12T14:44:02Z</dc:date>
    </item>
    <item>
      <title>Re: Webui cert for HA PA's</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33057#M24225</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I generated a certificate on the active firewall, exported the CSR, had it signed, then imported our local root CA and the signed certificate, and finally committed the changes. I then did the same on the passive firewall. I didn't see the web UI certificate of the active firewall in the passive one (and vice versa).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 12 May 2015 14:46:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/webui-cert-for-ha-pa-s/m-p/33057#M24225</guid>
      <dc:creator>BenjAudy.MTL</dc:creator>
      <dc:date>2015-05-12T14:46:22Z</dc:date>
    </item>
  </channel>
</rss>

