I have a few questions regarding certificates on an active/active IC 6500 cluster:
1) Should cluster members each have their own certificate, or should there be a single cluster certificate? Currently mine have individual certs, with the 'leader's' associated with the 'primary internal port', and the 'enabled's' associated with the 'cluster internal VIP'. Everything works fine, but what is best practice?
2) Replacing (not just Renewing) an expired cert on the 'enabled', I'm unable to break the port association with the expired cert because the 'Cluster internal VIP' seen to be associated with it on the Configuration Certificates page isn't visible when I go into the Certificate Details page. Is there another location I should look?
3) I will soon need to change domain names on the cert(s). Since they expire at different times, will they both - if two are recommended - need to be changed simultaneously?
thanks!
So it seems you are running an Active/Passive cluster?
What kind of clients do you have in your network? L2 or L3 connections? Which port on the IC are these clients connecting to? You can bind the certificate that is trusted by these clients based on the interface; you can also use different certificates for users who sign in using different virtual ports.
Keep in mind that the IC Series device also uses a device certificate for communications with the ScreenOS Enforcer and the Junos Enforcer.
Hi,
Please find the answers to each question:
1) Should cluster members each have their own certificate, or should there be a single cluster certificate?
As per your statement, I also suspect that you are using an Active/Passive cluster setup. You can refer to the KBs below on how many certificates you need for Active/Passive clustered ICs. These KBs are applicable to IC devices as well.
KB2430: How many certificates do I need for Active/Passive clustered IVEs?
http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB2430
KB16729: How many certificates do I need for Active/Active clustered IVEs?
http://kb.pulsesecure.net/InfoCenter/indexpage=content&id=KB16729&actp=search&viewlocale=en_US&searc...
2) Replacing (not just Renewing) an expired cert on the 'enabled', I'm unable to break the port association with the expired cert because the 'Cluster internal VIP' seen to be associated with it on the Configuration Certificates page isn't visible when I go into the Certificate Details page. Is there another location I should look?
To resolve this, follow the steps below:
1. First upload the new certificate to the device.
2. Unmap the cluster VIP from the expired certificate.
3. After this, map the cluster VIP to the valid new certificate you uploaded.
3) I will soon need to change domain names on the cert(s). Since they expire at different times, will they both - if two are recommended - need to be changed simultaneously?
As per KB2430, one certificate is what you need, so changing one should be fine and you can unmap the other certificate.
Hope this clarifies your queries.
NOTE: Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!
Regards,
Kannan
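As an added example (not part of this thread, and not Pulse Secure's own tooling), the POSIX shell script below checks from a client which certificate each cluster address actually presents after the upload/unmap/map steps above, flags a certificate that is within a warning window of expiry, and confirms that the SAN list covers the name users connect with (the check you would want when changing domain names, as in question 3). The host names, port 443 and the 30-day window are assumptions; the script needs OpenSSL 1.1.1 or later for the `-ext` option.

```shell
#!/bin/sh
# Added example, not from the thread or from Pulse Secure: after remapping the
# cluster VIP and the members' internal ports to a new certificate, confirm
# from a client which certificate each address serves, whether it is close
# to expiry, and whether its SAN list covers the name users connect to.
# Requires OpenSSL 1.1.1 or later (for -ext). Addresses are placeholders.

WARN_DAYS=30   # assumed warning window before expiry

# fetch_cert HOST PORT OUTFILE: save the leaf certificate presented on HOST:PORT.
fetch_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint, to see whether the VIP and
# the primary internal port are serving the same certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_expires_within PEMFILE DAYS: exit 0 when the certificate expires
# within DAYS (or has already expired), exit 1 when it is valid beyond that.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1   # -checkend succeeds only when the cert outlives the window
    fi
    return 0
}

# san_names PEMFILE: print the DNS names from subjectAltName, one per line.
# Clients match the host name against the SAN list, not the subject CN.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
}

# cert_covers_name PEMFILE NAME: exit 0 when NAME is listed as a DNS SAN.
cert_covers_name() {
    san_names "$1" | grep -qxF "$2"
}

# check_address HOST PORT EXPECTED_NAME: report on one cluster address.
check_address() {
    tmp=$(mktemp)
    if ! fetch_cert "$1" "$2" "$tmp"; then
        echo "$1:$2  could not retrieve certificate"; rm -f "$tmp"; return 1
    fi
    echo "$1:$2  sha256=$(cert_fingerprint "$tmp")"
    openssl x509 -in "$tmp" -noout -subject -enddate | sed 's/^/    /'
    cert_expires_within "$tmp" "$WARN_DAYS" && echo "    WARNING: expires within $WARN_DAYS days"
    cert_covers_name "$tmp" "$3" || echo "    WARNING: SAN does not cover $3"
    rm -f "$tmp"
}

# Usage: sh check_cluster_certs.sh run
# Placeholder addresses: the cluster internal VIP and each member's primary
# internal port; all should present a certificate valid for the VIP name.
if [ "${1:-}" = "run" ]; then
    check_address ic-vip.example.com   443 ic-vip.example.com
    check_address ic-node1.example.com 443 ic-vip.example.com
    check_address ic-node2.example.com 443 ic-vip.example.com
fi
```

Run it once before the old certificate expires and again right after remapping: if the fingerprint shown for the VIP differs from the one shown for a member's primary internal port, that address is still bound to the old certificate.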
Hi,
Thank you both for your responses.
I just verified my cluster status, and it does show active/active. What was it that seemed otherwise? I wasn't sure if there was any difference for the IC vs. IVE use of certificates, thanks. I am using these ICs with L3 ScreenOS enforcers. Only the internal interface is active on both cluster members.
I understand the intent in re-mapping the certificates, however the difficulty is that the interface is not visibly available to unmap on the expired cert. Please see the attached.
Since this is actually an active/active, the document you referred to was unavailable for certificate needs. What does it recommend, please?
thank you!
Here is the link to the KB for Active/Active Clusters
http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB16729
Thanks
Thank you! That answers my question.
I appreciate everyone's assistance with this, thanks.
Hi,
I am glad that your queries are resolved successfully. Can you mark this post as 'accepted solution'? That way it might help others as well; a kudo would be a bonus, thanks!!
Regards,
Kannan