[ScreenOS] How Many Certificates Do I Need to Enable Both SSL Management and Use PKI VPN on My High Availability Pair?

  [KB6672]


Summary:

How Many Certificates Do I Need to Enable Both SSL Management and Use PKI VPN on My High Availability Pair?

Symptoms:
  • SSL Management, High Availability (HA), NSRP cluster, certificate failover, PKI VPN.

  • Need to enable SSL Management and use PKI VPN on my HA devices.

  • Need to securely manage both HA devices at the same time and use PKI VPN simultaneously.

  • Need to securely manage each HA device one at a time and use PKI VPN simultaneously.

Solution:

This article applies to NetScreen High Availability devices only.

The number of certificates required depends on whether VSYS is used. A CA certificate and its corresponding CRL are global, and are therefore shared among all VSDs and VSYSs.

You will need one local certificate for each VSYS. If you do not have a multiple-VSYS configuration, then only one local certificate, one CA certificate, and one CRL are required for the cluster.

Once the certificate is loaded on the device, the certificate files will be synchronized to the backup device. Both devices will then have the same certificates. All subsequent configurations will be the same as if using a standalone firewall configuration.


