I have two separate SA6500 active/active clusters, and need to apply the same certificate to both. We know this works because we currently use a single certificate on both. I believe that we were in a single cluster configuration when this was first set up, so it was automatically propagated. I have installed a new 2048-bit cert on one cluster and it works fine; however, I can't figure out how to apply it to the 2nd cluster. If I do another CSR, it of course does not match the cert and fails the import. If anyone can help with this it would be greatly appreciated.
You need to import the certificate and key.
If you created your cert on the first SA using a CSR then you will not be able to see your key and I do not believe that there is a way to recover it.
You'll need a unix system with openSSL to generate a new key and CSR that you can import into both SAs.
JNCIS-FWV JNCIS-SSL JNCIS-ER JNCIS-SEC
Thanks Sam. I'm looking into getting the CSR and key generated per your recommendation. Do I need to install the cert on the Unix box and then export it with the private key, or just import the new cert with a separate private key file?
Open SSL will output 2 files, the CSR and the KEY.
Keep the key safe, send the CSR to your Certificate Authority.
Your CA will send you the completed certificate back.
Import the certificate, and the key that you kept safe, into both SAs (they will be two separate files) and voila.
No need to install anything onto your linux server, it just creates the key and CSR.
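The OpenSSL flow described in the two replies above (generate the key and CSR on a separate box, keep the key, send the CSR to the CA, then import key and cert into both SAs), as an added example that is not part of this thread. It also shows the check that explains the original failure: a certificate only imports against the private key whose public half it carries, so the script compares the public-key fingerprint of the key, the CSR and the returned certificate before you touch either cluster. The working directory, the subject string and the hostname are placeholders, and `fake_ca_sign` stands in for the real CA by self-signing the CSR so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: generate a 2048-bit RSA key and CSR
# with OpenSSL, then verify that a returned certificate belongs to that key
# before importing key + cert into both SA clusters.
set -eu

WORK="${WORK:-$(mktemp -d)}"                              # placeholder work dir
SUBJ="${SUBJ:-/C=US/O=Example Corp/CN=vpn.example.com}"  # placeholder subject

# Step 1: key + CSR. The key never leaves this box; only the CSR goes to the CA.
gen_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/vpn.key" 2>/dev/null
    chmod 600 "$WORK/vpn.key"
    openssl req -new -key "$WORK/vpn.key" -subj "$SUBJ" \
        -out "$WORK/vpn.csr" 2>/dev/null
}

# SHA-256 of the DER-encoded public key held in a key, CSR or certificate.
# Identical output means the three artifacts share one key pair.
pubkey_fp() {            # $1 = key | csr | cert, $2 = path
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 3: succeeds (exit 0) only when the cert's public key matches the key.
# This is the relationship the SA import enforces; a cert issued for a CSR
# from a different key (the poster's second CSR) fails here.
cert_matches_key() {     # $1 = cert path, $2 = key path
    [ -n "$(pubkey_fp cert "$1")" ] &&
    [ "$(pubkey_fp cert "$1")" = "$(pubkey_fp key "$2")" ]
}

# Stand-in for step 2 (the real CA): self-sign the CSR so the demo is offline.
fake_ca_sign() {         # $1 = csr, $2 = key, $3 = output cert
    openssl x509 -req -in "$1" -signkey "$2" -days 30 -out "$3" 2>/dev/null
}

demo() {
    gen_key_and_csr
    fake_ca_sign "$WORK/vpn.csr" "$WORK/vpn.key" "$WORK/vpn.crt"
    if cert_matches_key "$WORK/vpn.crt" "$WORK/vpn.key"; then
        echo "OK: import $WORK/vpn.crt and $WORK/vpn.key into both clusters"
    else
        echo "MISMATCH: certificate was not issued for $WORK/vpn.key" >&2
        return 1
    fi
}

demo
```

Run the `cert_matches_key` check on the real CA-issued certificate before uploading; if it reports a mismatch there is no point retrying the import, because the SA cannot pair a certificate with a key it was never derived from. Keep `vpn.key` at mode 600 and delete the working copy once both clusters have it.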
Save the system.cfg from the node with the 2048-bit certificate; import this into the other cluster node through the certificate import interface.
Please note: if using FIPS, you need to do this through the system.cfg import interface and choose the options for importing the certificate and security world through the GUI. Once that completes, you will need to complete the installation through the console (with all your passwords and miscellany requirements of using FIPS).
*Face Palm moment*
I don't know why I didn't think of that!
Thanks to everyone for their responses.
What I ended up doing was using the Import/Export function under Maintenance and selecting Import Device Certificates and Import Only Device Certificates on the 2nd cluster to copy just the certificates from the config file of the first cluster. This worked perfectly and both clusters are now using the new single device certificate in production.
Thanks .. Dan
Glad to hear it worked successfully for you