Webui cert for HA PA's

jdprovine
L4 Transporter

I am trying to assign an external cert to the webui so I don't get the warning message anymore. I imported my cert to the primary box and the setting did not fully synchronize to the passive box. I noticed there is an import and an import HA; do I have to use import HA to make it sync to both boxes?

BenjAudy.MTL
L4 Transporter

Hi,

The import HA key function is related to the encryption of your HA traffic. Basically, you have to export the key from one firewall and import it into the other one, and vice versa. You only need to do that if you enabled encryption in your HA settings (in Device -> High Availability). What is the current status of your HA on your dashboard? Does it say it's synchronized?

Benjamin

jdprovine
L4 Transporter

What we are trying to do is use our local CA to sign the cert for the webui. So I generated a CSR, imported it into the active PA and then selected that it be applied to the webui. When I went to the passive side I could see the cert, but the use on webui was not selected. Then the sync began to fail, then the cert disappeared, and the only way I could bring them back into sync was to do it from the passive side.

BenjAudy.MTL
L4 Transporter

I understand that you generated the certificate on the firewall but had it signed by your local root CA. That is what we did and it is working for us. Make sure you also import your local root CA so you have the whole chain in your configuration. I can't help you about your synchronization issue, though.

jdprovine
L4 Transporter

So did you import the cert to both the active and passive PAs? Did you have to export or import any of the private keys? What was your process? It appears the sync issues were related to the installation of the cert on the active node.

murphyj
L2 Linker

I ran into the same issue, and what I found out is that if you are running an Active/Passive config you can only have one WebUI cert per cluster. To get it so you don't have a cert issue, issue the cert for the HA IP address and use that for your login. You are not able to have a cert per device, but one for the cluster.

jdprovine
L4 Transporter

So it has to be assigned to the HA name and IP, not the individual PA box name?

jdprovine
L4 Transporter

We did issue the cert for the HA name and the HA IP address and only imported it to the active node, and that didn't work. Then we began to have sync issues and then the cert disappeared.

BenjAudy.MTL
L4 Transporter

In my case, I generated a certificate for each firewall (I'm also in active-passive mode). The certificate for the web UI is not synchronized, but the other certificates are. Maybe you synchronized the firewalls before selecting the "Certificate for Secure Web GUI" option?

Benjamin

jdprovine
L4 Transporter

I don't know, but it didn't work till I selected Certificate for Secure Web GUI on the passive node. Then it went out of sync, and the only way to sync it was from the passive side, which wiped out the changes on the active side to make them alike.
