SSL certificate for passive firewall


There is an active/passive pair, each member having an SSL certificate (management only) with a different CN (its own management IP).

 

While the CSR generation and certificate import (signed by an ECA) are successful on the active peer, the CSR generated on the passive peer gets erased whenever a commit is done from the active peer.

 

How do I generate a CSR and install an SSL certificate on the passive peer?


Accepted Solutions

If you use the process that @aleksandar.astardzhiev outlines for exporting the cert + key from the active and importing it to the passive, you don't need a CSR. The CSR isn't required if you're importing the cert and key. If you already have the desired names on the cert on the active, this is probably the easiest.

Or you can do the same process on the passive, generate a CSR and then import the certificate. Either way, you'll need to bind the cert to the necessary profile and commit on the passive.

 

I'm pretty sure I did this the last time I had to update the management interface certs on A/P:

Create a CSR on the active that has all the names you need. I usually do the FQDN and short name of both FWs and the IP address of both firewalls. (IPs aren't available if using a public authority.)

Import the cert back to the active but don't bind it to anything.

Commit, which I think will sync the cert to the passive since it's not bound to something in the list of items that don't sync.

If it's copied to the passive, then you can bind it to the profile you want to use on the management interface.

Bind the cert to the profile on the active as well.
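As an added example, not from this thread or from Palo Alto Networks, the following script builds the single CSR the accepted answer describes off-box with OpenSSL (a SAN covering the FQDN, short name and management IP of both HA members), prints the SAN so it can be checked before submission, and bundles the signed cert with its key as PKCS#12 for import on the passive. Hostnames, IPs and file names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Palo Alto Networks): build one
# CSR off-box whose SAN covers both HA members, then bundle cert + key for
# import on the passive member. All names and IPs are constructed placeholders.
set -eu

ACTIVE_FQDN="fw01.example.internal"   # hypothetical active member
PASSIVE_FQDN="fw02.example.internal"  # hypothetical passive member
ACTIVE_IP="192.0.2.11"                # hypothetical management IPs (TEST-NET-1)
PASSIVE_IP="192.0.2.12"

# Write an OpenSSL request config with SAN entries for the FQDN, short name and
# management IP of both members. Public CAs usually refuse IP SANs; drop them then.
write_csr_config() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = ${ACTIVE_FQDN}
[ext]
subjectAltName = DNS:${ACTIVE_FQDN},DNS:${ACTIVE_FQDN%%.*},IP:${ACTIVE_IP},DNS:${PASSIVE_FQDN},DNS:${PASSIVE_FQDN%%.*},IP:${PASSIVE_IP}
EOF
}

# Generate a fresh private key ($2) and CSR ($3) from config file $1.
make_ha_csr() {
  write_csr_config "$1"
  openssl req -new -newkey rsa:2048 -nodes -config "$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# Print the SAN line of a CSR so the names can be checked before submission.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# After the CA has signed the CSR, bundle cert ($1) and key ($2) into PKCS#12 ($3)
# under passphrase $4, ready for import on the passive (the export cert+key step).
bundle_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Run as "sh this_script.sh run" to write req.cnf, mgmt.key and mgmt.csr here.
if [ "${1:-}" = "run" ]; then
  make_ha_csr req.cnf mgmt.key mgmt.csr && csr_sans mgmt.csr
fi
```

Whichever member the CSR is generated on, import the resulting cert and key under the same certificate name on both members and bind it to the management SSL/TLS service profile on each.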


Hi @nareshpratap ,

I would suggest you create one CSR from the primary firewall, but use Subject Alternative Name (SAN) and list both FQDNs (primary and secondary member) in the request. This way you will use only one certificate, and it will be valid for both cluster members.


Noted. Once the CSR is generated on the active peer with the Common Name of the active and a SAN (hostname of the passive), and the certificate is signed, how do I export/install it on the passive peer?

Will the CSR generated and the certificate installed on the active peer get pushed to the passive peer when we commit?

 


Also, the active peer already has the proper certificate installed. The requirement is only to install one on the passive peer.

 

Can I generate a CSR on the active peer with the common name (IP) of the passive peer, get it signed and installed on the active peer, and then manually export it along with the private key to the passive peer?

Hey @nareshpratap ,

Apologies, apparently I got confused; the certificates are not actually part of the synchronized config between members.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/reference-ha-synchroniza...

You can still use my approach of one certificate with a SAN; this way at least you need to manage only one certificate. But once the CSR is completed on the active member, you actually need to export the cert+key and import them to the secondary member.

 

Or you can proceed with your approach, have a separate certificate for each member, and create separate CSRs for both.

 

The key in both scenarios is mentioned as a note in the link above: you need to use exactly the same name for the certificate on both members (not the CN of the cert, but the name that Palo Alto uses for this certificate in the config).

 

 

Noted.

 

But in either approach, do I have to generate the CSR for the passive firewall (passive firewall CN) on the active firewall?

 

Because if I generate a CSR on the passive firewall and commit changes (any changes) from the active firewall, the pending CSR on the passive firewall vanishes.

 

Is it that one is not supposed to generate CSRs on passive firewalls at all?
