Hi, I didn't find a 100% answer to my question, so I am asking here if someone has done this and can confirm how it really works. I have a situation where I have one SSG with multiple VPN tunnels terminated on it using certificates. Now I am going to buy another one and make a cluster. I will be using the old address as the VIP for the cluster. Do I have to generate new certs for both firewalls, or do they get shared with NSRP? If I have to generate them, should I use the manage-ip or the VIP as the IP address in both certs?
The certificate store does synchronize between the two members of an NSRP cluster and can be used by either, but there are some careful steps you need to take. The certificate name and IP address will be the name for the cluster and not the individual nodes. And the certificate must NOT be the automatically generated self-signed one.
Before generating a certificate request, make sure that you have set the system clock and assigned a hostname and domain name to the security device. (If the security device is in an NSRP cluster, replace the hostname with a cluster name. For more information,
A security device automatically generates a self-signed certificate when powering up—if there is no certificate already configured for Secure Sockets Layer (SSL), which is the case when you first power it up. The security device that creates an auto-generated self-signed certificate is the only device that uses it. The device never exports this certificate outside itself. Even if the security device is in a NetScreen Redundancy Protocol (NSRP) cluster, it does not include the auto-generated self-signed certificate with other types of certificates when synchronizing PKI objects among other members in the cluster. (NSRP members do exchange manually generated self-signed certificates. For information about manually generating self-signed certificates, see “Manually Creating Self-Signed Certificates” on page 50.)
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
Thanks for the answer. I do have a signed cert on this firewall, and now, after your answer, I plan to step ahead by using the current cert and changing the cluster's name to the same one this firewall has now. Since the certs are made by a 3rd party, it's a lot easier if I can use the existing one. Let's see how it goes...
I don't know if it helps, but I have an NS-50 cluster and my cert has three CNs in the subjectAltName section.
This allows me to connect to the active device using the name firewall.example.com, and to a specific physical device using firewall-a.example.com or firewall-b.example.com...without having to click through certificate mismatch errors.
Theodore E Van Iderstine Stream Networks +1 678 373 4200 x125 JNCIA-ER (expired), JNCIA-SSL (ditto)
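The three-name certificate Theodore describes, as an added example that is not part of this thread or of any Juniper documentation: a POSIX shell script that writes an OpenSSL config whose subjectAltName carries the cluster name (the name the VIP answers to, which Steve's answer says the cert must be issued for) plus each node's own name, produces the CSR you would send to a third-party CA, and then self-signs a throwaway copy from the same key and config so every name can be checked offline with openssl x509 -checkhost before anything is imported into the cluster. The host names, the VIP address 192.0.2.10 (documentation range), the optional IP SAN entry for the VIP, and the fw.* file names are all assumptions made for the example; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example, not from the thread: CSR with an NSRP-friendly subjectAltName
# and an offline check that each cluster/node name matches the certificate.
# Names, VIP address and file names are assumptions for illustration only.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for key, CSR, cert, config

# write_cluster_cnf CLUSTER_NAME NODE_A NODE_B VIP_IP -> prints path of the config.
# CN is the cluster name; the SAN repeats it and adds both node names plus the VIP.
write_cluster_cnf() {
  cnf="$WORK/fw.cnf"
  cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
[dn]
CN = $1
[v3_req]
subjectAltName = @alt
[alt]
DNS.1 = $1
DNS.2 = $2
DNS.3 = $3
IP.1 = $4
EOF
  echo "$cnf"
}

# make_csr CNF -> fw.key + fw.csr; the CSR is what goes to the third-party CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/fw.key" -out "$WORK/fw.csr" -config "$1" >/dev/null 2>&1
}

# make_selfsigned CNF -> fw.crt from the same key/config, only for local checking
# (an NSRP cluster must NOT use the device's auto-generated self-signed cert;
# this one is just a stand-in for the CA-signed cert you will receive).
make_selfsigned() {
  openssl req -x509 -new -key "$WORK/fw.key" -out "$WORK/fw.crt" \
    -days 30 -config "$1" >/dev/null 2>&1
}

# show_san -> prints the SAN line of the CSR so you can eyeball it before submitting.
show_san() {
  openssl req -in "$WORK/fw.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_matches_host NAME -> "yes" if NAME matches fw.crt per RFC 6125 rules, else "no".
# openssl prints "... does match certificate" or "... does NOT match certificate".
cert_matches_host() {
  if openssl x509 -in "$WORK/fw.crt" -noout -checkhost "$1" 2>/dev/null \
       | grep -q ' does match'; then echo yes; else echo no; fi
}

# cert_matches_ip ADDR -> same check for an IP SAN entry (the cluster VIP).
cert_matches_ip() {
  if openssl x509 -in "$WORK/fw.crt" -noout -checkip "$1" 2>/dev/null \
       | grep -q ' does match'; then echo yes; else echo no; fi
}

# Demo run with the assumed names: cluster name, node A, node B, VIP address.
CNF=$(write_cluster_cnf firewall.example.com firewall-a.example.com \
                        firewall-b.example.com 192.0.2.10)
make_csr "$CNF" && make_selfsigned "$CNF" && {
  echo "SAN in CSR: $(show_san)"
  for n in firewall.example.com firewall-a.example.com \
           firewall-b.example.com firewall-c.example.com; do
    echo "$n -> $(cert_matches_host "$n")"
  done
  echo "VIP 192.0.2.10 -> $(cert_matches_ip 192.0.2.10)"
}
```

Submit fw.csr to the CA, then run the same -checkhost loop against the returned certificate before importing it: a name missing from the SAN (firewall-c.example.com above) reports "no", which is exactly the browser mismatch click-through Theodore's three-name cert avoids.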