Quickie question from my faded memory:
Does a newly-installed Device Certificate (and its port assignments) propagate automatically to the standby unit in a cluster as part of configuration updating, or must the Device Certificate be installed and assigned to the Virtual Ports separately for each clustered unit?
Our cluster is active/standby, and the certificate in question is for a virtual IVE.
The certificate is associated with a domain name. So the certificate will be switched over to the backup device if the primary one fails, and everything works quite fine. :-)
No, the certificate is not assigned to a domain name: in the IVE, the certificate is bound to a virtual port.
Juniper appears to have no documentation on this topic and my feelings about my attempt to obtain support are better left unwritten. The sometimes-cited KB article on this topic appears to have been revoked without replacement.
This indeed turns out to be what we saw at certificate installation this morning: the certificate was installed in the primary and automatically propagated (along with its virtual port assignment) to the passive/secondary node.