The SSL Certificate is showing unsecure in one device

Cyber Elite

Sorry, my bad. You will need one cert per device.

L0 Member

@OtakarKlier yeah, but while generating the CSR, what should I add in the Common Name?

Should I generate a CSR from both firewalls, or can I generate two CSRs from the primary firewall with different Common Names?

Cyber Elite

CSR for each...

L3 Networker

@Jal_963,

In principle:

  • you can generate CSRs from the Active Node in HA, the Passive Node in HA, or from both; it does not matter because they are synced, you just have to time and queue the Commits right;
  • you can generate CSRs using an external tool (I like working with XCA, https://hohnstaedt.de/xca/) and import them into PA after signing;
  • you can set the Common Name and Subject Alternative Name to whatever you want, however using the hostname/FQDN makes the most sense most of the time, as those correspond to the WebUI URL; best practice is to have both Common Name and Subject Alternative Name with equal values;
  • you possibly could use one certificate for the WebUI of both HA nodes, however it would require some trickery;
  • Certificates and SSL/TLS Service Profiles are synced in HA as long as they are not used for the WebUI.

More to the point, the workflow could be:

  • Log in to the Active Node;
  • prepare two CSRs with CN/SAN corresponding to the WebUI URLs on the Active Node;
  • import the certificates signed by the external CA into the Active Node;
  • Commit on the Active Node;
  • create two SSL/TLS Service Profiles, one for each certificate;
  • use one of the SSL/TLS Service Profiles as the WebUI SSL/TLS Service Profile on the Active Node;
  • Commit on the Active Node;
  • Log in to the Passive Node;
  • use one of the SSL/TLS Service Profiles as the WebUI SSL/TLS Service Profile on the Passive Node;
  • Commit on the Passive Node.

It is possible to perform it a bit quicker, but the longer way is simpler.
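The CSR step of the workflow above, done with an external tool as the answer allows: this is an added example, not part of the original post, and it uses the openssl CLI rather than XCA. The two hostnames are constructed placeholders; the script writes one key and one CSR per HA node with CN and SAN set to the same FQDN, then checks both fields before the CSR goes to the CA.

```shell
#!/bin/sh
# Added example: one key + CSR per HA node, CN and SAN both set to the
# node's WebUI FQDN. Hostnames are constructed placeholders.

# make_csr FQDN OUTDIR -> writes OUTDIR/FQDN.key and OUTDIR/FQDN.csr
make_csr() {
    fqdn=$1; outdir=$2
    cnf="$outdir/$fqdn.cnf"
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    # umask in a subshell so the unencrypted private key is owner-only
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
          -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" ) >/dev/null 2>&1
}

# csr_matches CSR FQDN -> exit 0 only if CN and a DNS SAN both equal FQDN
csr_matches() {
    csr=$1; fqdn=$2
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
              sed 's/^subject= *//')
    [ "$subject" = "CN=$fqdn" ] || return 1
    # SAN entries are comma-separated in the text dump; compare whole entries
    openssl req -in "$csr" -noout -text | tr ',' '\n' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -Fxq "DNS:$fqdn"
}

NODES="fw-a.example.internal fw-b.example.internal"   # constructed names
OUT=$(mktemp -d)
for node in $NODES; do
    make_csr "$node" "$OUT" && csr_matches "$OUT/$node.csr" "$node" \
        && echo "OK   $node -> $OUT/$node.csr" \
        || echo "FAIL $node"
done
```
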
