01-15-2018 10:19 AM - edited 02-21-2020 10:43 AM
Hello,
I have a customer who is planning to upload a new certificate (the current one is about to expire). I was able to import it successfully on the PAN without getting the services restarted. I've seen that if we enable the services the cert is used by (EAP, Admin, Portal) on the primary PAN, it gets restarted and the subsequent nodes restart too. My question is: if I enable the services on one PSN at a time instead of on the PAN, will the subsequent PSNs be restarted too?
Thank you very much.
01-15-2018 10:46 AM
Hi,
Only replacing the Admin certificate would result in the services being restarted on the node the certificate is being replaced on. Any other cert (EAP, Portal, pxGrid) would not result in the services being restarted.
HTH
01-15-2018 10:58 AM
@Rob Ingram Thank you for the quick response,
I have a lab deployment (1 PAN and 2 PSNs) where I replaced the certificate on the PAN and enabled the services (EAP, Admin, Portal). I see the PAN get restarted and, after some minutes, both PSNs too. The customer has about 10 nodes and they don't want to get all the nodes restarted; that's why I'm wondering if, when I only upload the new cert on the PAN, it won't activate a service restart of the nodes.
01-15-2018 11:04 AM
Hi, if you've replaced the PAN's admin certificate it should not reboot again. In a distributed cluster you have to upload the certificate for all other nodes from the web GUI of the PAN anyway; you just need to ensure you only select the correct PSN to replace the admin certificate, then only that PSN's services will restart, not any other PSN's.
Make sense?
HTH
01-15-2018 11:15 AM
@Rob Ingram that makes sense 100%. How can I select the correct PSN to replace the admin certificate? Is it under the Administration > Deployment tab?
01-15-2018 11:22 AM
Assuming the PSN nodes are registered to the cluster, to import any certificate for a node in a cluster you'd go to:
Administration > System > Certificates
From there you can generate CSRs, selecting which type of certificate and which node the CSR is being generated for, and then, once the certificate is signed, you can bind the signed certificates.
01-15-2018 12:09 PM