05-12-2015 05:45 AM
I am trying to assign an external cert to the web UI so I don't get the warning message anymore. I imported my cert to the primary box and the setting did not fully synchronize to the passive box. I noticed there is an import and an import HA; do I have to use import HA to make it sync to both boxes?
05-12-2015 06:47 AM
Hi,
The import HA key function is related to the encryption of your HA traffic. Basically, you have to export the key from one firewall and import it into the other one, and vice versa. You only need to do that if you enabled encryption in your HA settings (in Device -> High Availability). What is the current status of your HA on your dashboard? Does it say it's synchronized?
Benjamin
05-12-2015 06:51 AM
What we are trying to do is use our local CA to sign the cert for the web UI. So I generated a CSR, imported it into the active PA and then selected that it be applied to the web UI. When I went to the passive side I could see the cert, but "use on web UI" was not selected. Then the sync began to fail, then the cert disappeared, and the only way I could bring them back into sync was to do it from the passive side.
05-12-2015 07:00 AM
I understand that you generated the certificate on the firewall but had it signed by your local root CA. That is what we did and it is working for us. Make sure you also import your local root CA so you have the whole chain in your configuration. I can't help you about your synchronization issue, though.
05-12-2015 07:04 AM
So did you import the cert to both the active and passive PAs? Did you have to export or import any of the private keys? What was your process? It appears the sync issues were related to the installation of the cert on the active node.
05-12-2015 07:04 AM
I ran into the same issue and what I found out is that if you are running an Active/Passive config you can only have one web UI cert per cluster. To get it so you don't have a cert issue, issue the cert for the HA IP address and use that for your login. You are not able to have a cert per device, only one for the cluster.
05-12-2015 07:06 AM
So it has to be assigned to the HA name and IP, not the individual PA box name?
05-12-2015 07:12 AM
We did issue the cert for the HA name and the HA IP address and only imported it to the active node, and that didn't work. Then we began to have sync issues and then the cert disappeared.
05-12-2015 07:12 AM
In my case, I generated a certificate for each firewall (I'm also in active-passive mode). The certificate for the web UI is not synchronized, but the other certificates are. Maybe you synchronized the firewalls before selecting the "Certificate for Secure Web GUI" option?
Benjamin
05-12-2015 07:16 AM
I don't know, but it didn't work until I selected "Certificate for Secure Web GUI" on the passive node, and then it went out of sync, and the only way to sync it was from the passive side, which wiped out the changes on the active side to make them alike.
05-12-2015 07:19 AM
So did you create a separate CSR for each node and import them? Did the cert from the active side also sync to the passive side, and did you end up having two on each box? Did you have to swap any private keys?
05-12-2015 07:44 AM
I ended up making the PA a sub-CA since I was going to be doing decryption, but you should be able to do a CSR from the active and get the cert. Click on the cert, set it as the web UI cert and commit. Once you do that it should sync over, but when you do this you will still get an error every time you connect to each system individually, and no error when you connect to the cluster address.
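The previous two replies make the same point from different angles: the browser warning is a hostname check against the certificate's Subject Alternative Names, so a cert issued for the HA name and floating IP is accepted at the cluster address and still warns when you log in to a node by its own name or IP. The checker below is an added example, not code from the thread or from Palo Alto Networks; it takes a SAN list in the shape Python's ssl.getpeercert() returns and reports which login addresses a browser would accept. The firewall names (fw-ha/fw-a/fw-b.corp.example) and 10.0.0.x addresses are assumed, constructed sample data, as is the second SAN list that also covers both nodes (that is a generalization of the replies above: one cluster cert whose SAN lists the HA address and both node addresses avoids the per-node warning at the TLS level).

```python
import ipaddress
import socket
import ssl
from typing import Iterable, List, Optional, Tuple

# SAN in the shape ssl.SSLSocket.getpeercert()["subjectAltName"] uses:
# a tuple of (type, value) pairs, type being "DNS" or "IP Address".
SanList = Tuple[Tuple[str, str], ...]


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: case-insensitive; a single leading '*'
    covers exactly one label and may not match a bare registered domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".corp.example"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    # one non-empty label on the left, and at least two labels in the suffix
    return bool(left) and "." not in left and len(suffix.split(".")) > 2


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def address_matches_san(address: str, san: SanList) -> bool:
    """True if a browser would accept this certificate for `address`.
    IP literals only match 'IP Address' entries (a DNS entry that happens to
    spell the same digits does not count); names only match DNS entries."""
    if _is_ip(address):
        target = ipaddress.ip_address(address)
        return any(
            kind == "IP Address" and _is_ip(val) and ipaddress.ip_address(val) == target
            for kind, val in san
        )
    return any(kind == "DNS" and _dns_matches(val, address) for kind, val in san)


def report(san: SanList, login_addresses: Iterable[str]) -> List[Tuple[str, bool]]:
    """For each address an admin might type into the browser: covered (True)
    or the browser will still warn (False)."""
    return [(addr, address_matches_san(addr, san)) for addr in login_addresses]


def fetch_san(host: str, port: int = 443, cafile: Optional[str] = None) -> SanList:
    """Pull the SAN from a live management interface. getpeercert() only
    returns the parsed cert when the chain verifies, so pass the local root
    CA (the one the thread says to import on the firewall) as `cafile`.
    Hostname checking is disabled on purpose: we want the SAN even when the
    name will not match. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tuple(tls.getpeercert().get("subjectAltName", ()))


# Constructed sample data (assumed names and addresses, not from the thread).
LOGIN_ADDRESSES = [
    "fw-ha.corp.example", "10.0.0.10",  # HA (floating) name and IP
    "fw-a.corp.example", "10.0.0.11",   # active node
    "fw-b.corp.example", "10.0.0.12",   # passive node
]

# Cert issued for the HA name/IP only, as the replies above describe.
CLUSTER_ONLY_SAN: SanList = (("DNS", "fw-ha.corp.example"), ("IP Address", "10.0.0.10"))

# Generalization: one cluster cert whose SAN also lists both nodes.
FULL_SAN: SanList = CLUSTER_ONLY_SAN + (
    ("DNS", "fw-a.corp.example"), ("IP Address", "10.0.0.11"),
    ("DNS", "fw-b.corp.example"), ("IP Address", "10.0.0.12"),
)

if __name__ == "__main__":
    for label, san in (("cluster-only cert", CLUSTER_ONLY_SAN), ("cluster+nodes cert", FULL_SAN)):
        print(label)
        for addr, ok in report(san, LOGIN_ADDRESSES):
            print(f"  {addr:22} {'ok' if ok else 'BROWSER WARNING'}")
```

With the cluster-only SAN the report flags all four node addresses; with the SAN that also lists both nodes every login address passes. Whether PAN-OS then keeps a single cluster cert in sync across the pair is a separate question that the replies above disagree on; the checker only tells you what the browser will do with whatever cert each address actually serves.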
05-12-2015 07:46 AM
I generated a certificate on the active firewall, exported the CSR and had it signed, then imported our local root CA and the signed certificate, and finally committed the changes. I then did the same on the passive firewall. I didn't see the web UI certificate of the active firewall in the passive one (and vice versa).