Webui cert for HA PA's

L4 Transporter

I am trying to assign an external cert to the webui so I don't get the warning message anymore. I imported my cert to the primary box and the setting did not fully synchronize to the passive box. I noticed there is an import and an import HA; do I have to use import HA to make it sync to both boxes?

12 replies

L4 Transporter

Hi,

The import HA key function is related to the encryption of your HA traffic. Basically, you have to export the key from one firewall and import it into the other one, and vice-versa. You only need to do that if you enabled encryption in your HA settings (in Device -> High Availability). What is the current status of your HA on your dashboard? Does it say it's synchronized?

Benjamin

What we are trying to do is use our local CA to sign the cert for the webui. So I generated a CSR, imported it into the active PA and then selected that it be applied to the webui. When I went to the passive side I could see the cert, but "use on webui" was not selected. Then the sync began to fail, and then the cert disappeared, and the only way I could bring them back into sync was to do it from the passive side.

I understand that you generated the certificate on the firewall but had it signed by your local root CA. That is what we did and it is working for us. Make sure you also import your local root CA so you have the whole chain in your configuration. I can't help you about your synchronization issue, though.

So did you import the cert to both the active and passive PAs? Did you have to export or import any of the private keys? What was your process? It appears the sync issues were related to the installation of the cert on the active node.

L2 Linker

I ran into the same issue, and what I found out is that if you are running an Active/Passive config you can only have one WebUI cert per cluster. To get it so you don't have a cert issue, issue the cert for the HA IP address and use that for your login. You are not able to have a cert per device, but one for the cluster.

So it has to be assigned to the HA name and IP, not the individual PA box name?

We did issue the cert for the HA name and the HA IP address and only imported it to the active node, and that didn't work. Then we began to have sync issues and then the cert disappeared.

L4 Transporter

In my case, I generated a certificate for each firewall (I'm also in active-passive mode). The certificate for the web UI is not synchronized, but the other certificates are. Maybe you synchronized the firewall before selecting the "Certificate for Secure Web GUI" option?

Benjamin

I don't know, but it didn't work till I selected "Certificate for Secure Web GUI" on the passive node. Then it went out of sync, and the only way to sync it was from the passive side, which wiped out the changes on the active side to make them alike.

So did you create a separate CSR for each node and import them? Did the cert from the active side also sync to the passive side, and did you end up having two on each box? Did you have to swap any private keys?

I ended up making the PA a Sub-CA since I was going to be doing decryption, but you should be able to do a CSR from the active to get the cert. Click on the cert, set it as the webui cert and commit. Once you do that it should sync over, but when you do this you will still get an error every time you connect to each system individually and no error when you connect to the cluster address.

I generated a certificate on the active firewall, exported the CSR, had it signed, then imported our local root CA and the signed certificate, and finally committed the changes. I then did the same on the passive firewall. I didn't see the web UI certificate of the active firewall in the passive one (and vice-versa).
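Two points recur in this thread: the browser only stops warning when the certificate's SAN covers the exact name or IP you log in with (the HA name/IP for the cluster address, each node's own name for the individual nodes), and the chain must end at the local root CA you imported. The added example below (not from the thread or from Palo Alto Networks) checks both against certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates, the hostnames and the IP are constructed assumptions.

```python
import ipaddress

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# Neither is a real certificate from the thread; names and IPs are made up.
NODE_CERT = {                      # issued to one firewall's own hostname
    "issuer": ((("commonName", "Example Internal Root CA"),),),
    "subjectAltName": (("DNS", "pa-fw1.example.local"),),
}
CLUSTER_CERT = {                   # issued to the HA name and the HA IP
    "issuer": ((("commonName", "Example Internal Root CA"),),),
    "subjectAltName": (("DNS", "pa-ha.example.local"), ("IP Address", "10.0.0.10")),
}


def issuer_cn(cert):
    """Pull the issuer CN out of getpeercert()'s nested RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_covers(cert, target):
    """True if the SAN list covers the hostname or IP typed into the browser."""
    try:
        wanted_ip = ipaddress.ip_address(target)
    except ValueError:
        wanted_ip = None            # target is a DNS name, not an address
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == wanted_ip:
                return True
        elif wanted_ip is None and kind == "DNS" and value.lower() == target.lower():
            return True
    return False


def check_webui_cert(cert, login_target, expected_issuer_cn):
    """Return the problems a browser would flag; an empty list means no warning."""
    problems = []
    if not san_covers(cert, login_target):
        problems.append(f"SAN does not cover {login_target}")
    if issuer_cn(cert) != expected_issuer_cn:
        problems.append(f"issuer {issuer_cn(cert)!r} is not {expected_issuer_cn!r}")
    return problems
```

To run it against a live firewall, feed the dict returned by `getpeercert()` from an `ssl` connection made with the local root CA as `cafile`; the same cluster certificate passes for the HA name and HA IP but fails for a node's own hostname, which is the mismatch described above.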
