ScreenOS Firewalls (NOT SRX)

SSG Cluster, VPN-tunnels with certificates

‎04-07-2011 08:51 AM
Hi, I didn't find a 100% answer to my question, so I am asking here if someone has done this and can confirm how it really works. I have a situation where I have one SSG with multiple VPN tunnels terminated on it using certificates. Now I am going to buy another one and make it a cluster. I will be using the old address as the VIP for the cluster. Do I have to generate new certs for both firewalls, or does it get shared with NSRP? If I have to generate them, should I use the manage-ip or the VIP as the IP address in both certs?
Tero S

Re: SSG Cluster, VPN-tunnels with certificates

‎04-07-2011 04:22 PM

The certificate store does synchronize between the two members of an NSRP cluster and can be used by either. There are some careful steps you need to take. The certificate name and IP address will be the name for the cluster and not the individual nodes. And the certificate must NOT be the automatically generated self-signed one.


You'll want to review:


Concepts and Examples Guide

Volume 5 Virtual Private Networks

Chapter 2 - Public Key Cryptography




Before generating a certificate request, make sure that you have set the system
clock and assigned a hostname and domain name to the security device. (If the
security device is in an NSRP cluster, replace the hostname with a cluster name.
For more information,




A security device automatically generates a self-signed certificate when powering
up—if there is no certificate already configured for Secure Sockets Layer (SSL),
which is the case when you first power it up. The security device that creates an
auto-generated self-signed certificate is the only device that uses it. The device
never exports this certificate outside itself. Even if the security device is in a
NetScreen Redundancy Protocol (NSRP) cluster, it does not include the
auto-generated self-signed certificate with other types of certificates when
synchronizing PKI objects among other members in the cluster. (NSRP members do
exchange manually generated self-signed certificates. For information about
manually generating self-signed certificates, see “Manually Creating Self-Signed
Certificates” on page 50.)

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)

Re: SSG Cluster, VPN-tunnels with certificates

‎04-09-2011 12:07 AM

Thanks for the answer. I do have a signed cert on this firewall, and now after your answer I plan to step ahead by using the current cert and changing the cluster's name to the same one which this firewall has now. Since the certs are made by a 3rd party, it's a lot easier if I can use the existing one. Let's see how it goes...

Tero S

Re: SSG Cluster, VPN-tunnels with certificates

‎04-11-2011 07:17 AM

He's right.

I don't know if it helps, but I have an NS-50 cluster and my cert has three CNs in the subjectAltName section.


This allows me to connect to the active device using name, and to a specific physical device using or having to click-through certificate mismatch errors.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
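
The name coverage discussed in this thread (a certificate issued for the cluster name versus one that also lists each node) can be checked before a certificate request is sent to the CA. The following is an added example, not code from any poster or from Juniper; it models browser-style name matching for management connections, and every hostname and address in it is a constructed placeholder.

```python
import ipaddress

def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.net".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(san, target):
    """san: list of ("DNS", name) or ("IP", address) entries from the certificate."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(k == "DNS" and dns_match(v, target) for k, v in san)
    # An IP target must match an IP entry; DNS entries never satisfy it.
    return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in san)

def audit(san, endpoints):
    """Map each endpoint label to True (validates) or False (mismatch warning)."""
    return {label: covers(san, target) for label, target in endpoints.items()}

# Constructed sample data (documentation names and addresses, not from the thread).
ENDPOINTS = {
    "cluster name": "fw-cluster.example.net",
    "node A": "fw-a.example.net",
    "node B": "fw-b.example.net",
    "cluster VIP": "192.0.2.10",
    "node A manage-ip": "192.0.2.11",
}
CLUSTER_ONLY = [("DNS", "fw-cluster.example.net"), ("IP", "192.0.2.10")]
THREE_NAMES = CLUSTER_ONLY + [("DNS", "fw-a.example.net"),
                              ("DNS", "fw-b.example.net")]

if __name__ == "__main__":
    for name, san in (("cluster-only", CLUSTER_ONLY), ("three names", THREE_NAMES)):
        for label, ok in audit(san, ENDPOINTS).items():
            print(f"{name:13} {label:17} {'ok' if ok else 'MISMATCH'}")
```

Any endpoint reported as a mismatch is one where an administrator would be trained to click through a certificate warning, so either add that name to the request or stop using that endpoint for management.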