01-31-2017 01:18 AM - edited 03-11-2019 12:24 AM
Hi,
I was using an internal CA for certificates. Unfortunately it has crashed and cannot be recovered.
Using EAP and web authentication (for guest portal).
Need to add the certificate from the new CA.
Do I need to break the cluster first?
Or what is the procedure?
If yes, how?
Thanks
01-31-2017 05:15 AM
No need to break the deployment to add the new certificate. You can follow the steps below:
1) Generate CSR on all nodes and send to CA. If you are using a wildcard, generate CSR on one node and send it to CA.
2) Obtain the issued cert and install it on all nodes. Do NOT replace the old cert yet.
3) Import the new CA certificate in the Trusted store on the primary node in deployment alone.
4) Change the system cert to new cert on all other nodes. This will force a restart of the services. Wait till they come back up successfully in the deployment.
5) Change the system cert of primary node. This will also cause restart of services. Once it comes back all nodes in your deployment should have new cert.
01-31-2017 08:21 AM
Hi,
Now the certificate hierarchy has changed:
Root, subordinate CA, then certificate
ROOT-CA
INTERNAL-CA
certificate
Before, there was only a root CA (Microsoft).
How to accommodate this change?
Thanks
01-31-2017 08:28 AM
Install both Root and subordinate CA certs into the Trusted cert store. Nothing else should change.
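The trust-store point in the reply above can be checked offline with `openssl` before any system certificate is swapped. This is an added example, not part of the original thread: it builds a constructed throwaway ROOT-CA / INTERNAL-CA / node chain (file names and the node CN are assumptions) and shows that the node certificate verifies only when both CA certificates are in the trusted bundle.

```shell
#!/bin/sh
# Added example: constructed throwaway chain ROOT-CA -> INTERNAL-CA -> node cert.
# All file names and the node CN are assumptions made for this demo.

# new_csr DIR NAME CN: create a fresh key and CSR
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_chain DIR: create root.pem, int.pem and node.pem in DIR
build_chain() {
    d="$1"
    # CA extensions; the subordinate needs CA:TRUE to be accepted as an issuer
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    new_csr "$d" root "ROOT-CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    new_csr "$d" int "INTERNAL-CA" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    new_csr "$d" node "ise-node.example.test" &&
    openssl x509 -req -in "$d/node.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/node.pem" 2>/dev/null
}

# chain_ok STORE CERT: exit 0 only if CERT chains to a root via the CAs in STORE
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
build_chain "$tmp"
# "both" models a trusted store holding the root and the subordinate CA
cat "$tmp/root.pem" "$tmp/int.pem" > "$tmp/both.pem"
for store in root both; do
    if chain_ok "$tmp/$store.pem" "$tmp/node.pem"; then
        echo "store=$store: node certificate verifies"
    else
        echo "store=$store: chain incomplete"
    fi
done
```

With real files, `chain_ok` takes a bundle of the exported root and subordinate CA certificates and the issued node certificate, all in PEM format.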
02-02-2017 03:20 AM
Hi,
"1) Generate CSR on all nodes and send to CA. If you are using a wildcard, generate CSR on one node and send it to CA."
I don't have the import or export option on the secondary node for exporting or importing certificates, and no option for CSR on the secondary.
Second thing, the above step is the same if I am changing from a self-signed certificate to an internal CA
Thanks
02-02-2017 04:46 AM
Sorry, I should have been more clear. The export and import functionality for all nodes is available only on the primary node. Check the new primary admin wildcard cert and click Export. Click on import and select the secondary node to import to that node.
Same goes with CSR, you have to generate CSR for all nodes using the GUI of the primary node.