Generate the Panorama Node Certificate

Generate and import a certificate for the Panorama™ Node to secure communication between the Panorama Controller and Panorama Node.
For the Panorama™ Controller to authenticate each Panorama Node, create a unique certificate for each Panorama Node. The Panorama Controller and Node use certificate-based authentication to securely communicate with each other. Before you generate the unique Panorama Node certificates, obtain the CA certificate for the Panorama Controller.
If your Panorama Node is in a high availability (HA) configuration, you must create and import the Panorama Node certificates of both Panorama Nodes to each peer in the HA configuration.
  1. Log in to the Panorama web interface of the Panorama Controller.
  2. Select Panorama > Certificate Management > Certificates and Generate a new certificate.
    Repeat this step for all Panorama Nodes.
    1. For the Certificate Type, select Local.
      SCEP is not supported.
    2. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
    3. In the Common Name field, enter the serial number of the Panorama Node.
      The serial number must be entered in the Common Name field in order to authenticate the connection between the Panorama Controller and Panorama Node. The Panorama Node cannot connect to the Panorama Controller if the serial number is not entered in this field.
    4. In the Signed By field, select the CA certificate.
    5. Generate the certificate.
    6. Click Commit and Commit to Panorama.
  3. Export the Panorama Node certificate.
    Repeat this step for all Panorama Nodes.
    1. Select Panorama > Certificate Management > Certificates, select the certificate, and Export Certificate.
    2. Select the File Format:
      • Base64 Encoded Certificate (PEM)—Allows you to export the certificate and private key separately. If you want the exported file to include the private key, select the Export Private Key check box.
      • Encrypted Private Key and Certificate (PKCS12)—Export the certificate and private key in a single file.
    3. Check (enable) Export Private Key.
    4. Enter a Passphrase and Confirm Passphrase to encrypt the CA certificate. This passphrase is required when importing the CA certificate to the Panorama Node.
    5. Click OK and save the encrypted certificate in .pem format to your local device.
    6. Enter a descriptive file name for the certificate so that you can easily identify the Panorama Node it needs to be imported to, and Save the certificate.
  4. Import the certificate into each Panorama Node.
    (HA Configuration only) If the Panorama Node is in a high availability (HA) configuration, you must import the peer Panorama Node certificate into each Panorama Node in the HA configuration.
    1. Log in to the Panorama web interface of the Panorama Node.
    2. Select Panorama > Certificate Management > Certificates, and Import a certificate.
      1. For the Certificate Type, select Local.
        SCEP is not supported.
      2. Enter the same Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
      3. Browse for the certificate you exported in the previous step.
      4. Check (enable) Import Private key.
      5. Enter the Passphrase and Confirm Passphrase used to encrypt the certificate.
      6. Click OK to import the certificate.
    3. Click Commit and Commit to Panorama.
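
The following is an added example, not part of the original documentation: a check you can run with openssl on the workstation holding an exported PEM file before importing it, confirming that the certificate name follows the naming rule, that the Common Name is the Panorama Node serial number, and that the certificate was signed by the CA certificate you obtained. The function names, file names and the serial number 000000000001 are assumptions, and the sample CA and node certificate are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks on an exported Panorama Node certificate.
# Function names, file names and the sample serial number are assumptions.

# Naming rule from step 2: up to 31 characters; letters, numbers, hyphens, underscores.
valid_cert_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,31}$'
}

# Print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# check_node_cert <node-cert.pem> <controller-ca.pem> <node-serial> <certificate-name>
# Returns 1 for a bad name, 2 for a CN/serial mismatch, 3 for a wrong issuer.
check_node_cert() {
  valid_cert_name "$4" || { echo "invalid certificate name: $4"; return 1; }
  [ "$(cert_cn "$1")" = "$3" ] || { echo "Common Name is not serial $3"; return 2; }
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
    { echo "not signed by the supplied CA certificate"; return 3; }
  echo "ok: $4"
}

# Constructed sample data: a throwaway CA and node certificate in a temp directory.
# make_sample <node-serial> prints the directory holding ca.pem and node.pem.
make_sample() {
  tmp=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-controller-ca" \
    -keyout "$tmp/ca.key" -out "$tmp/ca.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$tmp/node.key" -out "$tmp/node.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$tmp/node.csr" -CA "$tmp/ca.pem" -CAkey "$tmp/ca.key" \
    -CAcreateserial -days 1 -out "$tmp/node.pem" >/dev/null 2>&1 || return 1
  echo "$tmp"
}

# Demo with a constructed serial number; a real run points at the exported files.
if [ "${1:-}" = "demo" ]; then
  dir=$(make_sample 000000000001) &&
    check_node_cert "$dir/node.pem" "$dir/ca.pem" 000000000001 node-000000000001
fi
```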