LTM HA Pair SSL Certs

John_Van_Zant
Altostratus

Hi all,

I have an LTM HA pair and I have been renewing the client certs on each when the certs are expiring. My question is do I need to do this to each of the pair? I have been renewing and getting a CSR on lb1 and then doing the same on lb2. Am I doing twice the work? I was wondering if I did it on lb1 and then used configsync to copy it over. It would save me some time and work in my enterprise.

2 ACCEPTED SOLUTIONS

CA_Valli
Cumulonimbus

Hello, the client certificate repository is synchronized in an HA cluster, so if you need to renew a client certificate you can just do it on one unit and then perform a config sync. Usually, import the new key first and then import the new certificate. If you're creating a new object, you will also need to modify the clientSSL profiles to refer to the new certificate/key pair and eventually the new trust chain as well.

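As an added example (not code from the thread or from F5), here is a shell wrapper for the single-unit renewal described in the answer above: verify the new key actually belongs to the new certificate and that the certificate is not already expiring, import key then cert, repoint the clientSSL profile, and config-sync once to the peer. The object name, profile, chain object and device-group name are hypothetical placeholders passed as arguments; the two openssl pre-checks run anywhere, the tmsh steps only on the BIG-IP.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5. Object names, the client-ssl
# profile and the device group are hypothetical placeholders passed as arguments.

# Pre-check 1: the private key must belong to the certificate being imported.
# Compares SHA-256 digests of the public key derived from each file.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Pre-check 2: the certificate must stay valid for at least $2 seconds (default 0),
# so an expired or about-to-expire renewal never reaches the profile.
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Import on the unit you are working on, repoint the profile, then sync to the peer.
# Usage: renew_on_active_unit NAME KEYFILE CERTFILE CHAIN_OBJ PROFILE DEVICE_GROUP
# (CHAIN_OBJ may be an empty string when no intermediate chain is needed.)
renew_on_active_unit() {
    name=$1 keyfile=$2 certfile=$3 chain=$4 profile=$5 devgroup=$6
    key_matches_cert "$keyfile" "$certfile" || { echo "key does not match cert" >&2; return 1; }
    cert_still_valid "$certfile" 86400 || { echo "cert expires within 24h" >&2; return 1; }
    command -v tmsh >/dev/null 2>&1 || { echo "tmsh not found; run on the BIG-IP" >&2; return 2; }
    # Order from the accepted answer: key first, then certificate.
    tmsh install sys crypto key "$name.key" from-local-file "$keyfile" || return 1
    tmsh install sys crypto cert "$name.crt" from-local-file "$certfile" || return 1
    # Point the client-ssl profile at the new pair (and chain, if supplied).
    if [ -n "$chain" ]; then
        tmsh modify ltm profile client-ssl "$profile" cert-key-chain replace-all-with \
            '{' default '{' cert "$name.crt" key "$name.key" chain "$chain" '}' '}' || return 1
    else
        tmsh modify ltm profile client-ssl "$profile" cert-key-chain replace-all-with \
            '{' default '{' cert "$name.crt" key "$name.key" '}' '}' || return 1
    fi
    tmsh save sys config || return 1
    # One sync from the changed unit carries key, cert and profile to the peer.
    tmsh run cm config-sync to-group "$devgroup" || return 1
    tmsh show cm sync-status
}

if [ "$#" -eq 6 ]; then
    renew_on_active_unit "$@"
fi
```

Run it with the six arguments on the unit you renewed on; it refuses to import if the key and certificate do not match or the certificate expires within a day.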

Hello,

Sorry, I thought he was asking about the device certificate itself. For the client certificate for any service, it can be synced between the HA pair as CA_Valli mentioned.


4 REPLIES

Mohamed_Salah_
Cirrostratus

Hello,

I think you should renew the certificate on each appliance as they are expiring. Also, each device certificate is linked with the device hostname so I think each certificate should be renewed.

Then, you can sync the datasync-global-dg and device_trust_group.

BR,

MSalah



John_Van_Zant
Altostratus

Thank you both for your comments. I renewed certs on both and noticed (for the first time) that the CSRs were identical, but your comments have cemented the idea. Thank you again.