Configuring Certificates for Cluster Ports

This article provides an overview of how to configure and apply certificates to both Active/Passive and Active/Active cluster ports.

On accessing the sign-in URL configured for a Virtual IP (VIP) in a cluster, a certificate warning is issued.

The certificate warning occurs even though device certificates have been applied to the internal and external ports.

The configuration of the cluster determines how the certificates will be applied to the Active/Active and Active/Passive cluster nodes:

Configuring Certificates for Active/Passive Cluster Ports

An Active/Passive (A/P) cluster is accessed via a Virtual IP (VIP) address that the active node owns.

Important: Ensure the following:

The common name in the certificate must match the DNS hostname of the cluster VIP (Example: tpcluster.nouturn.local).

The certificate must be installed on both nodes and applied to the VIP.

Verifying Certificate Installation on Cluster

To verify that the certificate is applied to the correct port and defined correctly, follow these steps:

1. Log in to the cluster as an 'Administrator'.

2. Navigate to Configuration > Certificates > Device Certificates.

The certificates that are available or installed on the cluster are listed.

3. Check if the required certificate is listed.

If the required certificate is missing from the list, import the required certificate by clicking the Intermediate CAs link.

4. Assign the certificate to the cluster VIP and other interfaces.

Configuring Certificates for Active/Active Cluster Ports

An Active/Active (A/A) cluster can be configured with an external Load Balancer. In this configuration, the VIP through which users access the cluster resides on the Load Balancer. Because the host name is mapped to the IP of the Load Balancers, the certificate must be installed on the Load Balancer.

Verifying Certificate Installation on External Cluster Nodes

To verify that the certificate installed on each external cluster node is valid, perform the following steps:

1. Log in to the cluster as an 'Administrator'.

2. Navigate to Configuration > Certificates > Device Certificates.

3. Check that the Issued By field for the certificate in use names an issuer that is trusted by the browser.

4. Ensure the Valid Dates column contains a date range that is valid.
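The name, date-range and issuer checks from the two verification procedures above can be scripted. The following Python is an added example, not the product's own tooling: it runs them over the certificate each node has bound to the VIP, so a passive node with the wrong certificate is caught before a failover exposes it. It assumes certificates decoded into the dict layout of Python's `ssl.SSLSocket.getpeercert()`; the node names, the issuer name, `node-b.nouturn.local` and the dates are constructed sample values, and browser trust-store evaluation is reduced to flagging self-signed certificates.

```python
import ssl
from datetime import datetime, timezone

def covered_names(cert):
    """SAN dNSName entries if present, otherwise the subject common name(s)."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return san or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive; '*' is honoured only as the entire left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check_cert(cert, vip_host, now=None):
    """Problems a browser would flag for one certificate in getpeercert() dict form."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    problems = []
    names = covered_names(cert)
    if not any(name_matches(n, vip_host) for n in names):
        problems.append(f"name mismatch: certificate covers {names}, VIP is {vip_host}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"not valid before {cert['notBefore']}")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"expired on {cert['notAfter']}")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: issuer equals subject")
    return problems

def check_cluster(node_certs, vip_host, now=None):
    """Run check_cert on the certificate each node has bound to the VIP."""
    return {node: check_cert(c, vip_host, now) for node, c in node_certs.items()}

def make_cert(cn, issuer_cn, not_before, not_after):
    # Builds a constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns.
    return {"subject": ((("commonName", cn),),), "issuer": ((("commonName", issuer_cn),),),
            "notBefore": not_before, "notAfter": not_after}
# Constructed sample: node-b still carries a certificate for its own (hypothetical) hostname.
SAMPLE = {
    "node-a": make_cert("tpcluster.nouturn.local", "Example Internal CA",
                        "Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2026 GMT"),
    "node-b": make_cert("node-b.nouturn.local", "Example Internal CA",
                        "Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2025 GMT"),
}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # fixed clock for a repeatable run

if __name__ == "__main__":
    for node, problems in check_cluster(SAMPLE, "tpcluster.nouturn.local", NOW).items():
        print(node, "OK" if not problems else problems)
```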

Configuring Certificates for Active/Active Cluster Ports (Internal Ports of Nodes)

To verify that the certificate is applied to the correct internal port and defined correctly, follow the steps explained in the topic Configuring and Setting Up Certificates for Active/Passive Cluster Ports.