Configure Authentication with a Single Custom Certificate for a WildFire Cluster

Assign and push a single, shared certificate to an entire WildFire® cluster.
Instead of assigning unique certificates to each WildFire® appliance in a cluster, you can assign a single, shared client certificate to the entire WildFire cluster, which, in turn, allows you to push a single certificate to all WildFire appliances in the cluster instead of configuring separate certificates for each cluster member. Because the individual WildFire appliances share a client certificate, you must configure a unique hostname (DNS name) for each WildFire appliance. Then you can add all the hostnames as certificate attributes to the shared certificate or use a one-wildcard string that matches all the custom hostnames on all the WildFire appliances in the cluster.
To configure a single custom certificate for your WildFire cluster to use when communicating with the Panorama™, complete the following procedure.
  1. Configure a certificate profile that includes the root certificate authority (CA) and the intermediate CA. This certificate profile defines the authentication between the WildFire cluster (client) and the Panorama appliance (server).
    1. Select
      Panorama
      Certificate Management
      Certificate Profile
      .
    2. If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
  2. Configure an SSL/TLS service profile.
    1. Select
      Panorama
      Certificate Management
      SSL/TLS Service Profile
      .
    2. Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire cluster and Panorama appliance use for SSL/TLS services.
  3. Configure a unique hostname (DNS name) on each node in the cluster or use a string with a single wildcard that matches all custom DNS names set on the WildFire appliances in the cluster.
    If using a single-wildcard string, see RFC-6125,Section 6.4.3 for requirements and limitations of wildcard string values. Make sure you understand these requirements and limitations when configuring your custom DNS names.
    1. Log in to the WildFire CLI on a node.
    2. Use the following command to assign a unique custom DNS name to the node.
      admin@WF-500>
      configure
      admin@WF-500#
      set deviceconfig setting wildfire custom-dns-name
      <dns-name>
    3. Commit
      your change.
    4. Repeat this process for each node in the cluster.
  4. On Panorama, generate a client certificate for all nodes in the cluster. Under Certificate Attributes, add a hostname entry for each custom DNS name you assigned to the cluster nodes or add one hostname entry with a one-wildcard string that matches all of the node hostnames, such as *.example.com; you can do this only if each custom DNS name shares a common string.
  5. On Panorama, configure the certificate profile for the cluster client certificate.
    1. Select
      Panorama
      Certificate Management
      Certificate Profile
      for Panorama.
  6. Deploy custom certificates on each node. This certificate profile must contain the CA certificate that signed the Panorama server certificate.
    1. Select
      Panorama
      Managed WildFire Clusters
      and click on the cluster name.
    2. Select
      Communications
      .
    3. Under Secure Client Communications, select the
      Certificate Type
      ,
      Certificate
      , and
      Certificate Profile
      .
    4. Click
      OK
      .
    5. Commit
      your changes.
  7. Configure secure server communication on Panorama.
    1. Select
      Panorama
      Setup
      Management
      and
      Edit
      to select
      Customize Secure Server Communication
      .
    2. Enable
      Customize Secure Server Communication
      .
    3. Select the
      SSL/TLS Service Profile
      . This SSL/TLS service profile applies to all SSL connection between WildFire and Panorama.
    4. Select the
      Certificate Profile
      for Panorama.
    5. Enable
      Custom Certificates Only
      .
    6. Click
      OK
      .
    7. Commit
      your changes.

Recommended For You