Replicate SSL Certificate Configuration on the Backup PRA B Series Appliance
The primary and backup B Series Appliances must have identical SSL certificates for failover to succeed. Otherwise, in the event of failover, the backup B Series Appliance will be unable to connect with any BeyondTrust clients, such as access consoles and endpoint clients.
Because DNS can apply only to one B Series Appliance at a time, and because a B Series Appliance must be assigned the DNS hostname for which it makes a certificate request or renewal request, we recommend that you avoid use of Let's Encrypt certificates for failover B Series Appliance pairs.
To replicate the SSL certificate configuration that is on your primary B Series Appliance, log in to the /appliance web interface of the primary B Series Appliance. Navigate to Security > Certificates and check the box beside the desired certificate. Then, from the dropdown menu, select Export.
Export this certificate, along with its private key and certificate chain. The Passphrase field allows you to protect the certificate export with a passphrase. This is strongly recommended when exporting a private key.
Log in to the /appliance web interface of the backup B Series Appliance. Navigate to Security > Certificates and click the Import button.
Browse to the certificate you just exported from the primary B Series Appliance. If a passphrase was assigned to the file, enter it in the Password field. Then click Upload.
The imported certificate chain will now appear in the table of certificates. Click the name of the newly imported server certificate. The Friendly Name and/or an Alternative Name should match the URL of the B Series Appliance.
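An added example, not part of BeyondTrust's documentation: a Python check that both appliances present the same certificate after the import and that it covers the appliance hostname. Because DNS points at only one appliance at a time, it connects to each appliance by address while sending the shared hostname as SNI; the function names and command-line arguments are assumptions of this example.

```python
import hashlib, socket, ssl, sys

def fetch_cert(address, hostname, port=443, timeout=5.0):
    """Leaf certificate served at `address` when the client sends SNI=`hostname`.
    Returns (DER bytes, parsed dict). Chain and hostname are verified against the
    system trust store, so a bad import raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

def fingerprint(der):
    """SHA-256 over the DER encoding; equal only for byte-identical certificates."""
    return hashlib.sha256(der).hexdigest()

def san_covers(cert, hostname):
    """True if a DNS Alternative Name matches hostname (wildcard = one left label)."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def failover_problems(primary, backup, hostname):
    """primary and backup are (DER, parsed dict) pairs; an empty list means ready."""
    problems = []
    if fingerprint(primary[0]) != fingerprint(backup[0]):
        problems.append("backup serves a different certificate than the primary")
    for label, (_, cert) in (("primary", primary), ("backup", backup)):
        if not san_covers(cert, hostname):
            problems.append(f"{label} certificate has no Alternative Name for {hostname}")
    return problems

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: check_failover_cert.py HOSTNAME PRIMARY_ADDR BACKUP_ADDR")
    else:
        host, primary_addr, backup_addr = sys.argv[1:]
        issues = failover_problems(fetch_cert(primary_addr, host),
                                   fetch_cert(backup_addr, host), host)
        print("\n".join(issues) or "certificates match")
        sys.exit(1 if issues else 0)
```

Because the check sends SNI, it exercises the certificate selected for that hostname, not the one marked under the Default column.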
Some connections do not supply a Server Name Indication (SNI) or supply an incorrect SNI. To choose the certificate presented to these connections, select a default SSL certificate from the list by clicking the button under the Default column. The default SSL certificate cannot be a self-signed certificate or the default B Series Appliance certificate provided for initial installation.
For more information about SNI, please see Server Name Indication.