Workaround for Certificate Warning when Accessing the GUI via HTTPS


Issue

When accessing the GUI via HTTPS, the browser will verify the certificate presented by the firewall. Because the firewall uses a self-signed certificate by default, this causes the browser to warn about the certificate's validity.

 

Resolution

To prevent this from happening:

  • Create a root certificate, then a server certificate signed by that root certificate. Use the root certificate as the Trusted Root CA and the server certificate as the Certificate for Secure Web GUI.


 

  • Set the server certificate host name to the firewall management IP address or DNS name, whichever is used as the URL in the browser. The browser verifies this value in the certificate. Leave the host name blank if the Common Name field has the firewall management IP address.


 

  • Import the root certificate into the browser's trusted root certificate folder and the server certificate into the Personal certificates folder.

  • Access the firewall WebGUI--there should be no certificate warning.


  • The certificate details show that it was signed by a now-trusted certificate authority.

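The name check described in the resolution steps, sketched as an added example that is not part of the original article: it tests whether the host typed in the URL is named in the certificate, and shows why a certificate issued for one management address fails for another. It assumes the certificate is given in the dict layout of Python's `ssl.SSLSocket.getpeercert()`; the names, addresses and the Common Name fallback rule are constructed assumptions.

```python
import ipaddress

# Constructed sample certificates (getpeercert() dict layout); values are not from the article.
CERT_CN_ONLY = {"subject": ((("commonName", "192.0.2.10"),),)}  # host name left blank
CERT_NODE_A = {
    "subject": ((("commonName", "fw-a.example.net"),),),
    "subjectAltName": (("DNS", "fw-a.example.net"), ("IP Address", "192.0.2.10")),
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p, h = (s.lower().rstrip(".").split(".") for s in (pattern, host))
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(cert, url_host):
    """True if url_host (the host part of the GUI URL) is named in the certificate."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(url_host):
        want = ipaddress.ip_address(url_host)
        if any(k == "IP Address" and _is_ip(v) and ipaddress.ip_address(v) == want
               for k, v in sans):
            return True
    elif any(k == "DNS" and _dns_match(v, url_host) for k, v in sans):
        return True
    if sans:
        return False  # SAN entries exist, so the Common Name is not consulted
    # Assumption: CN fallback when no SAN is present (the "host name blank" case);
    # clients that check only SAN entries would reject such a certificate.
    return any(key == "commonName" and value.lower() == url_host.lower()
               for rdn in cert.get("subject", ()) for key, value in rdn)

def audit(cert, url_hosts):
    """Map each URL host to whether the certificate would pass the name check."""
    return {host: name_matches(cert, host) for host in url_hosts}

if __name__ == "__main__":
    print(audit(CERT_CN_ONLY, ["192.0.2.10", "192.0.2.11"]))
    print(audit(CERT_NODE_A, ["fw-a.example.net", "192.0.2.10", "fw-b.example.net"]))
```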

 

owner: ssunku

Comments

Great, but how do you manage a Secure Web GUI certificate (with external PKI) when you have a cluster of two nodes with two different names?

The configuration is replicated, so when you create a request on one node the request is synchronised on the second node.

The GUI certificate is shared by the two nodes, so you always have one access in error because the name does not match.

 

@sylvain.cassan If both WebGUI Certificates are signed by the same Root CA, you should be able to import the CA cert into your store (if it's not already) and that should mitigate the cert warning.

@sylvain.cassan Not all objects are sync'd with HA synchronization. Check this link out to see more info.

@chmotley the certificate is synchronized with the peer member.

 

What is the workaround to resolve this issue?

 

Thank you for your help

 


 

@sylvain.cassan - The certs may be sync'd, but is the setting for "Certificate for Secure Web GUI" mirrored on both devices? I don't believe it is.


You would want to set a different cert per-device, since their management IPs are different from each other.

@chmotley - 

We checked the option "Certificate for Secure Web GUI", but the certificate is synced with the peer member. What is the solution to avoid the certificate warning when accessing the GUI via HTTPS?

We tried to set a different certificate per device, since their management IPs are different from each other. But the cert on the active member is synced with the passive member.

Thank you for your help.

Could you provide screenshots of the two devices' certificates page? Either that, or open up a TAC case.

We opened a TAC case and it is now solved. There is a specific order and some commits to do between the installation of the certificates to have all working well.

Thanks.