The primary and backup appliances must have identical SSL certificates for failover to be successful. Otherwise, in the event of failover, the backup appliance will be unable to connect with any BeyondTrust clients, such as representative consoles, customer clients, and so forth.
Because DNS can point to only one appliance at a time, and because an appliance must be assigned the DNS hostname for which it makes a certificate request or renewal request, we recommend that you avoid using Let's Encrypt certificates for failover appliance pairs.
To replicate the SSL certificate configuration that is on your primary appliance, log into the /appliance web interface of the primary appliance. Navigate to Security > Certificates and check the box beside the desired certificate. Then, from the dropdown menu, select Export.
Export this certificate, along with its private key and certificate chain. The Passphrase field allows you to protect the certificate export with a passphrase. This is strongly recommended when exporting a private key.
Log into the /appliance web interface of the backup appliance. Navigate to Security > Certificates and click the Import button.
Browse to the certificate you just exported from the primary appliance. If a passphrase was assigned to the file, enter it in the Password field. Then click Upload.
The imported certificate chain will now appear in the table of certificates. Click the name of the newly imported server certificate. The Friendly Name and/or an Alternative Name should match the URL of the appliance.
For connections that do not supply a Server Name Indication (SNI), or that supply an incorrect one, choose which certificate the appliance presents by clicking the button under the Default column beside the desired certificate in the list. The default SSL certificate cannot be a self-signed certificate, nor the default Secure Remote Access Appliance certificate provided for initial installation.
For more information about SNI, please see Server Name Indication.
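The following check, added here as an example and not BeyondTrust's own code, fetches the certificate each appliance presents (with SNI set to the appliance hostname, or with no SNI to exercise the default certificate), confirms that primary and backup present the same certificate, and confirms that its Subject Alternative Name covers the hostname clients connect to. It assumes the hostnames and ports of both appliances are known; the SAN parser walks the DER structure directly, so it needs only the Python standard library.

```python
# Added example, not BeyondTrust's own code. Assumes you know each appliance's hostname/port.
import hashlib, socket, ssl

SAN_OID = b"\x55\x1d\x11"  # DER encoding of OID 2.5.29.17 (subjectAltName)

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()  # primary and backup must agree on this value

def _children(buf: bytes) -> list:
    """Split a DER constructed value into (tag, value) pairs, handling long-form lengths."""
    i, out = 0, []
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def san_dns_names(der: bytes) -> list:
    """Collect dNSName entries from the subjectAltName extension of a DER certificate."""
    names = []
    def walk(node: bytes) -> None:
        kids = _children(node)
        if kids and kids[0] == (0x06, SAN_OID):  # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
            general_names = _children(kids[-1][1])[0][1]  # the OCTET STRING holds one GeneralNames SEQUENCE
            names.extend(v.decode("ascii") for t, v in _children(general_names) if t == 0x82)  # [2] dNSName
        for tag, val in kids:
            if tag & 0x20:  # descend only into constructed nodes (SEQUENCE, SET, [n])
                walk(val)
    walk(der)
    return names

def covers(names: list, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    parent = hostname.partition(".")[2]
    return any(n == hostname or (n.startswith("*.") and parent and n[2:] == parent) for n in names)

def presented_cert(host: str, port: int = 443, sni=None) -> bytes:
    """DER certificate an appliance presents; sni=None exercises the default-certificate path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspect the chain, do not trust it
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def failover_pair_consistent(primary_der: bytes, backup_der: bytes, hostname: str) -> bool:
    return fingerprint(primary_der) == fingerprint(backup_der) and covers(san_dns_names(primary_der), hostname)
```

Run `failover_pair_consistent(presented_cert(primary, sni=name), presented_cert(backup, sni=name), name)` for the failover hostname, then repeat with `sni=None` against each appliance to confirm the default certificate is the one you expect.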