Configure Authentication with a Single Custom Certificate for a WildFire Cluster
Assign and push a single, shared certificate to an entire WildFire® cluster.
Instead of assigning a unique certificate to each WildFire® appliance in a cluster, you can assign one shared client certificate to the entire WildFire cluster and push that single certificate to every cluster member. Because the appliances share a client certificate, the certificate alone cannot identify an individual node, so you must configure a unique hostname (DNS name) on each WildFire appliance. You then either add every hostname as a certificate attribute of the shared certificate or use a string with a single wildcard that matches all of the custom hostnames in the cluster.
To configure a single custom certificate for your WildFire cluster to use when communicating with Panorama™, complete the following procedure.
  1. Configure a certificate profile that includes the root certificate authority (CA) and the intermediate CA. This certificate profile defines the authentication between the WildFire cluster (client) and the Panorama appliance (server).
    1. Select Panorama > Certificate Management > Certificate Profile.
    2. Configure a certificate profile.
      If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
  2. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire cluster and Panorama appliance use for SSL/TLS services.
  3. Configure a unique hostname (DNS name) on each node in the cluster or use a string with a single wildcard that matches all custom DNS names set on the WildFire appliances in the cluster.
    If using a single-wildcard string, see RFC 6125, Section 6.4.3 for the requirements and limitations of wildcard values (the wildcard must be in the left-most label and matches only that one label, so *.example.com matches node1.example.com but not node1.site.example.com or example.com). Make sure you understand these requirements and limitations when choosing your custom DNS names.
    1. Log in to the WildFire CLI on a node.
    2. Use the following command to assign a unique custom DNS name to the node.
      admin@WF-500> configure
      admin@WF-500# set deviceconfig setting wildfire custom-dns-name <dns-name>
    3. Commit your change.
    4. Repeat this process for each node in the cluster.
  4. On Panorama, generate a client certificate for all nodes in the cluster. Under Certificate Attributes, either add one hostname entry for each custom DNS name you assigned to the cluster nodes, or add a single hostname entry with a one-wildcard string that matches all of the node hostnames, such as *.example.com. The wildcard option works only if every custom DNS name consists of one unique label under the same common parent domain.
  5. On Panorama, configure the certificate profile that the cluster nodes use to validate the Panorama server certificate.
    1. Select Panorama > Certificate Management > Certificate Profile and configure the certificate profile for Panorama.
  6. Deploy the custom certificate on each node. The certificate profile you select in this step must contain the CA certificate that signed the Panorama server certificate.
    1. Select Panorama > Managed WildFire Clusters and click the cluster name.
    2. Select Communications.
    3. Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile.
    4. Click OK.
    5. Commit your changes.
  7. Configure secure server communication on Panorama.
    1. Select Panorama > Setup > Management and click Edit on Customize Secure Server Communication.
    2. Enable Customize Secure Server Communication.
    3. Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL/TLS connections between the WildFire cluster and Panorama.
    4. Select the Certificate Profile for Panorama.
    5. Enable Custom Certificates Only.
    6. Click OK.
    7. Commit your changes.
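Steps 3 and 4 above depend on getting the hostname-to-certificate match right: a wildcard in the shared client certificate that does not cover every node's custom DNS name will make that node's connection to Panorama fail. The following Python script is an added example, not part of this page or of any Palo Alto Networks software, that applies the RFC 6125 Section 6.4.3 wildcard rules to a constructed list of node hostnames, decides whether one wildcard entry can replace per-node entries, and prints the resulting list of hostname attributes (also rendered as an OpenSSL subjectAltName line for a CSR). The node names, the helper function names and the additional "at least three labels" restriction on wildcards are assumptions made for the example.

```python
"""Check which Certificate Attributes cover every WildFire node hostname.

Added example: implements the single-wildcard matching rules of RFC 6125
section 6.4.3 and plans the hostname entries for the shared client cert.
"""

# Constructed sample: custom DNS names assumed to have been set on each node with
#   set deviceconfig setting wildfire custom-dns-name <dns-name>
CLUSTER_NODES = [
    "wf-node1.wildfire.example.com",
    "wf-node2.wildfire.example.com",
    "wf-node3.wildfire.example.com",
]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a one-wildcard pattern matches hostname per RFC 6125 6.4.3.

    Rules applied: exactly one '*', located in the left-most label only,
    matching within that single label (never across a dot), case-insensitive.
    Extra conservative rule (assumption, not from the RFC): the pattern must
    have at least three labels so that "*.com"-style patterns are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.count("*") != 1:
        return False  # the page calls for a string with a single wildcard
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in p_labels[0]:
        return False  # wildcard in any label other than the left-most is not matched
    if len(p_labels) < 3:
        return False  # conservative: refuse overly broad wildcards
    if len(p_labels) != len(h_labels):
        return False  # *.example.com matches neither a.b.example.com nor example.com
    if p_labels[1:] != h_labels[1:]:
        return False  # all non-wildcard labels must match exactly
    prefix, suffix = p_labels[0].split("*")
    first = h_labels[0]
    return (
        first.startswith(prefix)
        and first.endswith(suffix)
        and len(first) >= len(prefix) + len(suffix)
    )


def suggest_wildcard(hostnames):
    """Return "*.<parent>" if every node is one label under a common parent, else None."""
    parents = {h.lower().rstrip(".").split(".", 1)[1] for h in hostnames if "." in h}
    if len(parents) != 1 or len(parents) != len({h for h in hostnames if "." in h}) and False:
        return None
    parent = parents.pop()
    candidate = "*." + parent
    return candidate if all(wildcard_matches(candidate, h) for h in hostnames) else None


def san_entries(hostnames, wildcard=None):
    """Return the hostname entries to add under Certificate Attributes.

    With a wildcard, verify it covers every node and return just that entry;
    raise if any node is left uncovered. Without one, return one entry per node.
    """
    if wildcard is not None:
        uncovered = [h for h in hostnames if not wildcard_matches(wildcard, h)]
        if uncovered:
            raise ValueError(f"wildcard {wildcard!r} does not cover: {uncovered}")
        return [wildcard]
    return list(hostnames)


def openssl_san_line(entries):
    """Render the entries as an OpenSSL config subjectAltName line for a CSR."""
    return "subjectAltName = " + ", ".join(f"DNS:{e}" for e in entries)


if __name__ == "__main__":
    wildcard = suggest_wildcard(CLUSTER_NODES)
    entries = san_entries(CLUSTER_NODES, wildcard)
    print("Hostname entries for Certificate Attributes:", entries)
    print(openssl_san_line(entries))
```

The matcher is stricter than some TLS clients: it rejects wildcards anywhere but the left-most label, never lets one match across a dot, and refuses patterns with fewer than three labels. When `suggest_wildcard` returns `None` (nodes spread across different parent domains, or names without a common suffix), fall back to one hostname entry per node as step 4 describes.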