Configure Authentication with a Single Custom Certificate for a WildFire Cluster
Assign and push a single, shared certificate to an entire WildFire® cluster.
Instead of assigning a unique certificate to each WildFire® appliance in a cluster, you can assign a single, shared client certificate to the entire WildFire cluster and push that one certificate to all cluster members, rather than configuring a separate certificate for each node. Because the WildFire appliances share a client certificate, you must configure a unique hostname (DNS name) on each WildFire appliance. You can then add every hostname as a certificate attribute of the shared certificate, or use a single-wildcard string that matches all the custom hostnames on all the WildFire appliances in the cluster.
To configure a single custom certificate for your WildFire cluster to use when communicating with the Panorama™, complete the following procedure.
- Obtain a server key pair and CA certificate for Panorama.
- Configure a certificate profile that includes the root certificate authority (CA) and the intermediate CA. This certificate profile defines the authentication between the WildFire cluster (client) and the Panorama appliance (server).
  - Select Panorama > Certificate Management > Certificate Profile.
  - If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
- Configure an SSL/TLS service profile.
  - Select Panorama > Certificate Management > SSL/TLS Service Profile.
  - Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire cluster and the Panorama appliance use for SSL/TLS services.
- Configure a unique hostname (DNS name) on each node in the cluster, or use a string with a single wildcard that matches all the custom DNS names set on the WildFire appliances in the cluster.
  If you use a single-wildcard string, see RFC 6125, Section 6.4.3 for the requirements and limitations of wildcard values, and make sure you understand them when you choose your custom DNS names.
  - Log in to the WildFire CLI on a node.
  - Use the following commands to assign a unique custom DNS name to the node (replace `<dns-name>` with the node's DNS name):

    ```
    admin@WF-500> configure
    admin@WF-500# set deviceconfig setting wildfire custom-dns-name <dns-name>
    ```

  - Commit your change.
  - Repeat this process for each node in the cluster.
- On Panorama, generate a client certificate for all nodes in the cluster. Under Certificate Attributes, add a hostname entry for each custom DNS name you assigned to the cluster nodes, or add one hostname entry with a single-wildcard string that matches all of the node hostnames, such as *.example.com; a wildcard entry works only if all the custom DNS names share a common parent domain.
- On Panorama, configure the certificate profile for the cluster client certificate.
  - Select Panorama > Certificate Management > Certificate Profile for Panorama.
- Deploy custom certificates on each node. This certificate profile must contain the CA certificate that signed the Panorama server certificate.
  - Select Panorama > Managed WildFire Clusters and click the cluster name.
  - Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile.
  - Commit your changes.
- Configure secure server communication on Panorama.
  - Select Panorama > Setup > Management and click Edit in Customize Secure Server Communication.
  - Enable Customize Secure Server Communication.
  - Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL connections between WildFire and Panorama.
  - Select the Certificate Profile for Panorama.
  - Enable Custom Certificates Only.
  - Commit your changes.
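The procedure above hinges on the hostname entries of the shared certificate actually covering every node's custom DNS name under the RFC 6125, Section 6.4.3 wildcard rules; a mismatch only shows up later as a failed TLS handshake between a node and Panorama. The following Python script is an added example, not code from Palo Alto Networks or from this documentation: it implements those wildcard rules and reports which planned node names a list of Certificate Attributes hostname entries would leave uncovered. The cluster node names and the candidate entries are constructed sample values; substitute the custom DNS names you set with `set deviceconfig setting wildfire custom-dns-name` and the entries you intend to add on Panorama. The `*.com`-style rejection goes beyond the RFC and is a conservative extra check.

```python
"""Check that the hostname entries planned for a shared WildFire cluster
certificate cover every node's custom DNS name, using the wildcard rules
of RFC 6125, Section 6.4.3 (added example; not Palo Alto Networks code)."""

from typing import List


def _match_wildcard_label(pattern: str, label: str) -> bool:
    """Match one DNS label against a label containing exactly one '*'.
    The '*' stands for zero or more characters inside this label only."""
    head, _, tail = pattern.partition("*")
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head)
            and label.endswith(tail))


def matches_rfc6125(presented: str, reference: str) -> bool:
    """Return True if the certificate identifier `presented` (a hostname or a
    single-wildcard string) covers the DNS name `reference`."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if "*" not in p:
        return p == r                       # plain hostname: exact match only
    p_labels, r_labels = p.split("."), r.split(".")
    # RFC 6125 6.4.3 rule 1: the wildcard may appear only in the left-most
    # label (bar.*.example.net is rejected), and only one '*' is allowed here.
    if p.count("*") != 1 or "*" not in p_labels[0]:
        return False
    # Conservative extra check (not from the RFC): refuse patterns such as
    # "*" or "*.com" that would cover an entire top-level domain.
    if len(p_labels) < 3:
        return False
    # Rule 2: the wildcard label matches exactly one label of the reference
    # name, so *.example.com covers foo.example.com but not
    # bar.foo.example.com and not example.com itself.
    if len(p_labels) != len(r_labels) or p_labels[1:] != r_labels[1:]:
        return False
    # Rule 3: partial-label wildcards such as baz*.example.net are allowed,
    # but not against an internationalized (IDNA A-label, "xn--") label.
    if r_labels[0].startswith("xn--"):
        return False
    return _match_wildcard_label(p_labels[0], r_labels[0])


def uncovered_nodes(hostname_entries: List[str], node_dns_names: List[str]) -> List[str]:
    """Return the node DNS names that no planned hostname entry covers.
    An empty list means the certificate attributes cover the whole cluster."""
    return [node for node in node_dns_names
            if not any(matches_rfc6125(entry, node) for entry in hostname_entries)]


# Constructed sample cluster: three WildFire nodes with custom DNS names
# (the values you would set with "set deviceconfig setting wildfire custom-dns-name").
CLUSTER_NODES = [
    "wf-node1.wildfire.example.com",
    "wf-node2.wildfire.example.com",
    "wf-node3.dc2.wildfire.example.com",   # extra label: not covered by *.wildfire.example.com
]

if __name__ == "__main__":
    for plan in (["*.wildfire.example.com"],
                 ["*.wildfire.example.com", "wf-node3.dc2.wildfire.example.com"]):
        missing = uncovered_nodes(plan, CLUSTER_NODES)
        print(f"entries {plan}: " + ("covers all nodes" if not missing
                                     else f"does NOT cover {missing}"))
```

Run the check before generating the certificate on Panorama: if `uncovered_nodes` returns anything, either rename the node so it falls under the wildcard's parent domain or add that node's full DNS name as a separate hostname entry, as the generate-certificate step above allows.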