[ScreenOS] How are certificates loaded in the NSRP cluster?



Article ID: KB24538 KB Last Updated: 04 Jun 2012 Version: 1.0
This article explains how certificates are loaded in an NSRP cluster. The certificate and its private/public key pair are part of the run-time objects (RTOs).
Are two local certificates required for a pair of devices in HA?

When the certificate is loaded on the primary, it is automatically synchronized to the backup. In NSRP, you do not have to use a certificate per device; you can use one certificate for both devices. The private key is copied from the active unit to the backup unit of an HA (high availability) or NSRP pair as an RTO (run-time object) via the HA control link. To do this, you have to name the cluster by using the set nsrp cluster name <name> command.

The cluster name is used as the hostname for the FQDN in the certificate. Once you create the cluster name and generate the certificate request (PKCS10) file on one ScreenOS device, it creates the RSA key pair and copies it to both ScreenOS devices. The FQDN is the NSRP cluster name combined with the domain name.
