Replicate SSL Certificate Configuration on the Backup PRA B Series Appliance

The primary and backup B Series Appliances must have identical SSL certificates for failover to succeed. Otherwise, in the event of failover, the backup B Series Appliance will be unable to connect with any BeyondTrust clients, such as access consoles and endpoint clients.

Because DNS can apply to only one B Series Appliance at a time, and because a B Series Appliance must be assigned the DNS hostname for which it makes a certificate request or renewal request, we recommend that you avoid using Let's Encrypt certificates for failover B Series Appliance pairs.

To replicate the SSL certificate configuration that is on your primary B Series Appliance, log in to the /appliance web interface of the primary B Series Appliance. Navigate to Security > Certificates and check the box beside the desired certificate. Then, from the dropdown menu, select Export.

Security :: Certificates :: Export

Export this certificate, along with its private key and certificate chain. The Passphrase field allows you to protect the certificate export with a passphrase. This is strongly recommended when exporting a private key.

Security :: Other Certificates - Create and Import

Log in to the /appliance web interface of the backup B Series Appliance. Navigate to Security > Certificates and click the Import button.

Security :: Import Certificates

Browse to the certificate you just exported from the primary B Series Appliance. If a passphrase was assigned to the file, enter it in the Password field. Then click Upload.

Security :: Other Certificates

The imported certificate chain will now appear in the table of certificates. Click the name of the newly imported server certificate. The Friendly Name and/or an Alternative Name should match the URL of the B Series Appliance.

For connections that do not supply a Server Name Indication (SNI) or that supply an incorrect SNI, select a default SSL certificate to present to them by clicking the button under the Default column. The default SSL certificate cannot be a self-signed certificate or the default B Series Appliance certificate provided for initial installation.

For more information about SNI, please see Server Name Indication.
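
One way to confirm the replication after the import, as an added example that is not BeyondTrust code: connect to each appliance by IP address, send the site hostname as SNI, and compare the SHA-256 fingerprints of the certificates served, then check what the backup presents when no SNI is sent. The hostname and IP addresses are placeholders, and the script assumes both appliances accept HTTPS connections on port 443 at those addresses.

```python
import hashlib
import socket
import ssl

# Placeholder values (assumptions, not from the page): replace with your own.
SITE_HOSTNAME = "access.example.com"
PRIMARY_IP = "192.0.2.10"
BACKUP_IP = "192.0.2.11"


def fingerprint(der):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(ip, sni, port=443, timeout=5.0):
    """Return the leaf certificate (DER) served at `ip`; sni=None sends no SNI.

    Connecting by IP reaches the backup even while DNS points at the primary.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Trust is deliberately not evaluated: we only read what is being served.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def failover_report(primary_sni, backup_sni, backup_no_sni):
    """Compare three DER certificates and summarise failover readiness."""
    p, b, d = (fingerprint(x) for x in (primary_sni, backup_sni, backup_no_sni))
    return {
        "primary": p,
        "backup": b,
        "backup_no_sni": d,
        "replicated": p == b,            # same certificate on both appliances
        "default_is_site_cert": d == p,  # what non-SNI clients would receive
    }


if __name__ == "__main__":
    report = failover_report(
        fetch_leaf_der(PRIMARY_IP, SITE_HOSTNAME),
        fetch_leaf_der(BACKUP_IP, SITE_HOSTNAME),
        fetch_leaf_der(BACKUP_IP, None),
    )
    for key, value in report.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if report["replicated"] else 1)
```

A non-zero exit status means the backup is serving a different certificate for the site hostname than the primary, which is the condition the page warns will break client connections on failover.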