Replicate SSL Certificate Configuration on the Backup PRA Appliance

The /appliance header highlighting the Certificates section.

The Default option being highlighted in the Security :: Other Certificates section.

The primary and backup appliances must have identical SSL certificates for failover to be successful. Otherwise, in the event of failover, the backup appliance will be unable to connect with any BeyondTrust clients, such as access consoles, endpoint clients, and so forth.

Because DNS can apply only to one appliance at a time, and because an appliance must be assigned the DNS hostname for which it makes a certificate request or renewal request, we recommend that you avoid using Let's Encrypt certificates for failover appliance pairs.

To replicate the SSL certificate configuration that is on your primary appliance, log into the /appliance web interface of the primary appliance. Navigate to Security > Certificates and check the box beside the desired certificate. Then, from the dropdown menu, select Export.

Security :: Certificates :: Export

Export this certificate, along with its private key and certificate chain. The Passphrase field allows you to protect the certificate export with a passphrase. This is strongly recommended when exporting a private key.

Security :: Other Certificates

Log into the /appliance web interface of the backup appliance. Navigate to Security > Certificates and click the Import button.

Security :: Import Certificates

Browse to the certificate you just exported from the primary appliance. If a passphrase was assigned to the file, enter it in the Password field. Then click Upload.

Security :: Other Certificates

The imported certificate chain will now appear in the table of certificates. Click the name of the newly imported server certificate. The Friendly Name and/or an Alternative Name should match the URL of the appliance.

Security :: Other Certificates

Some connections supply no Server Name Indication (SNI), or supply an incorrect one. To choose which SSL certificate the appliance presents to those connections, click the button under the Default column for the desired certificate in the list. The default SSL certificate cannot be a self-signed certificate, nor the default BeyondTrust Appliance certificate provided for initial installation.

For more information about SNI, please see Server Name Indication.
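After the import, the check a practitioner wants is that the backup actually presents the same certificate as the primary, both when a client sends SNI and when it does not (the case the Default column governs). The following script is an added example, not part of the BeyondTrust documentation or product; it uses only the Python standard library, and the shared hostname, appliance addresses and port are assumptions you supply on the command line. It reads and compares SHA-256 fingerprints of the leaf certificate from four probes; it does not validate the chain.

```python
"""Verify that the primary and backup appliances present the same server
certificate, with and without SNI. Added example, not BeyondTrust code;
standard library only. The shared hostname and addresses are assumptions
supplied by the operator on the command line."""
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as openssl prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fetch_leaf_der(address: str, port: int = 443, sni: Optional[str] = None,
                   timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a server presents.

    sni=None sends no Server Name Indication at all, which exercises the
    appliance's Default certificate selection. Verification is disabled
    because the goal is to read the certificate, not to trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def find_mismatches(fingerprints: Dict[str, str], reference: str) -> List[str]:
    """Labels whose fingerprint differs from the reference probe."""
    expected = fingerprints[reference]
    return [label for label, fp in fingerprints.items()
            if label != reference and fp != expected]


def audit_pair(shared_hostname: str, primary: str, backup: str,
               port: int = 443) -> Tuple[Dict[str, str], List[str]]:
    """Probe both appliances with and without SNI; return fingerprints and mismatches."""
    probes = {
        "primary/sni": (primary, shared_hostname),
        "primary/no-sni": (primary, None),
        "backup/sni": (backup, shared_hostname),
        "backup/no-sni": (backup, None),
    }
    fingerprints = {label: fingerprint_der(fetch_leaf_der(addr, port, sni))
                    for label, (addr, sni) in probes.items()}
    return fingerprints, find_mismatches(fingerprints, "primary/sni")


if __name__ == "__main__":
    # Usage: python check_pair.py pra.example.com 192.0.2.10 192.0.2.11
    # (hostname and addresses are placeholders; substitute your own)
    if len(sys.argv) != 4:
        sys.exit("usage: check_pair.py SHARED_HOSTNAME PRIMARY_ADDR BACKUP_ADDR")
    fps, bad = audit_pair(sys.argv[1], sys.argv[2], sys.argv[3])
    for label, fp in fps.items():
        print(f"{label:16} {fp}")
    if bad:
        sys.exit("MISMATCH: " + ", ".join(bad) + " differ from primary/sni")
    print("OK: all four probes returned the same certificate")
```

Run it from a host that can reach both appliances by address. A mismatch on backup/sni means the imported certificate is not the one the primary serves; a mismatch only on backup/no-sni means the Default column on the backup still points at a different certificate.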