https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249487#M70953 <P>You can't use seperate for passive firewall.</P><P>This part of the config is synced it means that same cert is used for both active and passive.</P><P>Wildcard is probably best way to go.</P> Fri, 08 Feb 2019 18:30:34 GMT Raido_Rattameister 2019-02-08T18:30:34Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249387#M70921 <P>&nbsp;</P><P>I have created CSR and exported that to our Server team as they <SPAN>would generate the cert based off of that.</SPAN></P><P>PA is in active passive mode.</P><P>&nbsp;</P><P>Do webgui cert of Active PA will syn with Passive PA?</P><P>Do I need to create separte CSR for the passive PA?</P><P>&nbsp;</P><P>We also have PA in Active Active mode.</P><P>Does A/P Webgui Cert process is same as Active Active PA?</P> Fri, 08 Feb 2019 03:47:27 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249387#M70921 MP18 2019-02-08T03:47:27Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249463#M70943 <P>Hello,</P><P>Yes you will need a new csr and cert as certificates are not shared during a commit or config sync.</P><P>&nbsp;</P><P>Regards,</P> Fri, 08 Feb 2019 15:48:58 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249463#M70943 OtakarKlier 2019-02-08T15:48:58Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249476#M70947 <P>Certificates are shared in HA config and also webgui cert config (Device &gt; Setup &gt; Management &gt; Authentication Settings).</P><P>So unless you use wildcard you will still get error when you log into one of them as both webgui's have their own DNS name.</P><P>&nbsp;</P><P>Most likely SAN cert that has DNS name of both webgui's on it will work aswell but I have not tested it.</P> Fri, 08 Feb 2019 16:50:32 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249476#M70947 Raido_Rattameister 2019-02-08T16:50:32Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249480#M70949 <P>Can you please explain about this in more&nbsp;</P><P>&nbsp;</P><P><FONT color="#FF6600"><SPAN>So unless you use wildcard you will still get error when you log into one of them as both webgui's have their own DNS name.</SPAN></FONT></P><P>&nbsp;</P><P><SPAN>Currently on active PA i used the common name as host name of the PA</SPAN></P> Fri, 08 Feb 2019 17:20:59 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249480#M70949 MP18 2019-02-08T17:20:59Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249481#M70950 <P>Well it does not matter that your firewalls are set into HA.</P><P>They both still have their own management IP (unless you manage it through network interface).</P><P>&nbsp;</P><P>Let's assume that:</P><P>PA1 mgmt IP is 10.0.0.11</P><P>PA1 mgmt interface DNS name PA1.corp.local that resolves to&nbsp;<SPAN>10.0.0.11</SPAN></P><P>&nbsp;</P><P>PA2 mgmt IP is 10.0.0.12</P><P><SPAN>PA2 mgmt interface DNS name PA2.corp.local&nbsp;that resolves to&nbsp;10.0.0.12</SPAN></P><P>&nbsp;</P><P><SPAN>Then you either need *.corp.local cert or SAN cert that has both&nbsp;PA1.corp.local and&nbsp;PA2.corp.local on it.</SPAN></P><P><SPAN>Management interface cert config is shared between firewalls.</SPAN></P> Fri, 08 Feb 2019 17:26:59 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249481#M70950 Raido_Rattameister 2019-02-08T17:26:59Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249484#M70951 <P>Yes i am using Web Gui cert for the Management interface of both firewalls.</P><P>So what I can do now is use this common name on both firewalls while generating the CSR ?</P><P>for example</P><P>&nbsp;</P><P>*.NGFW</P><P>&nbsp;</P><P>Then I do not need to create separate CSR for passive device right?</P> Fri, 08 Feb 2019 17:34:37 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249484#M70951 MP18 2019-02-08T17:34:37Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249487#M70953 <P>You can't use seperate for passive firewall.</P><P>This part of the config is synced it means that same cert is used for both active and passive.</P><P>Wildcard is probably best way to go.</P> Fri, 08 Feb 2019 18:30:34 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249487#M70953 Raido_Rattameister 2019-02-08T18:30:34Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249525#M70965 <P>Many Thanks Raido will give it a&nbsp; try.</P> Fri, 08 Feb 2019 22:36:40 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-and-active-active-pa-and-web-gui-cert/m-p/249525#M70965 MP18 2019-02-08T22:36:40Z