topic Re: Certificate replication through nodes. in Network Access Control

Certificate replication through nodes.

ecanogut — Fri, 21 Feb 2020 18:43:34 GMT

Hello,

I have a customer who is planning to upload a new certificate (the current one is about expiring). I was able to import it successfully on the PAN without get the services restarted. I've seen if we enable the services the cert is used by (EAP, Admin, Portal) on the primary PAN, this will get restarted and the subsecuences nodes will be restarting too, my question is: ¿If I enable the services on one PSN at time instead of PAN, will the subsequences PSNs will be restarted too?

Thank you very much.

Re: Certificate replication through nodes.

Rob Ingram — Mon, 15 Jan 2018 18:46:40 GMT

Hi,

Only replacing the Admin certificate would result in the services being restarted on the node the certificate is being replaced on. Any other cert (EAP, Portal, pxgrid) would not result in the services being restarted.

HTH

Re: Certificate replication through nodes.

ecanogut — Mon, 15 Jan 2018 18:58:26 GMT

@Rob Ingram Thank you for the quick response,

I have a lab deployment (1 PAN and 2 PSN) where I replaced the certificate on PAN and enabled the services (EAP,Admin, Portal). I see the PAN get restarted and after some minutes both PSN too. Customer has about 10 Nodes and they don't want to get all the nodes restarted, that's why im wondering if I only upload the new cert on PAN, it won't activate a service restart of the nodes.

Re: Certificate replication through nodes.

Rob Ingram — Mon, 15 Jan 2018 19:04:22 GMT

Hi, If you've replaced the PAN's admin certificate it should not reboot again. In a distributed cluster you have to upload the certificate for all other nodes from the webgui of the PAN anyway, you just need to ensure you only select the correct PSN to replace the admin certificate, then only that PSN's services will restart not any other PSN.

Make sense?

HTH

Re: Certificate replication through nodes.

ecanogut — Mon, 15 Jan 2018 19:15:34 GMT

@Rob Ingram that makes sense 100%, how can I select the correct PSN to replace the admin certificate? Is it under Administration->Deployment Tab?

Re: Certificate replication through nodes.

Rob Ingram — Mon, 15 Jan 2018 19:22:49 GMT

Assuming the PSN nodes are registered to the cluster, to import any certificate for a node in a cluster you'd go to:-

Administration > System > Certificates

From there you can generate CSR's, select which type of certificate and which node the CSR is being generated for and then once the certificate is signed you can bind the signed certificates.

Re: Certificate replication through nodes.

ecanogut — Mon, 15 Jan 2018 20:09:38 GMT

Thank you very much @Rob Ingram,

Will try this option in Lab.

Regards.