Replicate SSL Certificate Configuration on the Backup B Series Appliance

Security > Certificates
Security :: Other Certificates

The primary and backup B Series Appliances must have identical SSL certificates for failover to succeed. Otherwise, in the event of failover, the backup B Series Appliance will be unable to connect with any BeyondTrust clients, such as representative consoles, customer clients, and so forth.



Because DNS can apply to only one B Series Appliance at a time, and because a B Series Appliance must be assigned the DNS hostname for which it makes a certificate request or renewal request, we recommend that you avoid using Let's Encrypt certificates for failover B Series Appliance pairs.

To replicate the SSL certificate configuration that is on your primary B Series Appliance, log in to the /appliance web interface of the primary B Series Appliance. Navigate to Security > Certificates and check the box beside the desired certificate. Then, from the dropdown menu, select Export.


Security :: Certificates :: Export

Export this certificate, along with its private key and certificate chain. The Passphrase field allows you to protect the certificate export with a passphrase. This is strongly recommended when exporting a private key.



Log in to the /appliance web interface of the backup B Series Appliance. Navigate to Security > Certificates and click the Import button.


Security :: Import Certificates

Browse to the certificate you just exported from the primary B Series Appliance. If a passphrase was assigned to the file, enter it in the Password field. Then click Upload.



The imported certificate chain will now appear in the table of certificates. Click the name of the newly imported server certificate. The Friendly Name and/or an Alternative Name should match the URL of the B Series Appliance.


Security :: Certificates :: Edit Certificate Configuration


Security :: Other Certificates default certificate

For connections that do not supply a Server Name Indication (SNI) or supply an incorrect SNI, select a default SSL certificate from the list to provide for these connections by clicking the button under the Default column. The default SSL certificate cannot be a self-signed certificate nor the default B Series Appliance certificate provided for initial installation.


For more information about SNI, please see Server Name Indication.
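After the import and default-certificate selection above, the following check compares the certificate each appliance presents, once with the site hostname as SNI and once with no SNI. It is an added example, not BeyondTrust code. It assumes both appliances answer TLS on port 443 at their own IP addresses; the function names and command-line arguments are hypothetical.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated like the openssl CLI prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(address: str, sni=None, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate an appliance presents; sni=None sends no SNI at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # comparing bytes only, not validating trust
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def compare(primary: dict, backup: dict) -> dict:
    """Inputs map a case label to DER bytes; output says per case whether both match."""
    report = {}
    for case in sorted(primary.keys() | backup.keys()):
        p, b = primary.get(case), backup.get(case)
        report[case] = {
            "primary": fingerprint(p) if p else None,
            "backup": fingerprint(b) if b else None,
            "match": p is not None and p == b,
        }
    return report


def collect(address: str, hostname: str) -> dict:
    """Probe one appliance with the site hostname as SNI and again with no SNI."""
    return {"sni": fetch_der(address, hostname), "no-sni": fetch_der(address)}


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py <hostname> <primary-ip> <backup-ip>
        host, primary_ip, backup_ip = sys.argv[1:]
        result = compare(collect(primary_ip, host), collect(backup_ip, host))
    else:  # offline demo on constructed placeholder bytes (not real certificates)
        result = compare({"sni": b"cert-A", "no-sni": b"cert-A"},
                         {"sni": b"cert-A", "no-sni": b"factory-default"})
    for case, row in result.items():
        print(case, "MATCH" if row["match"] else "MISMATCH", row["primary"], row["backup"])
    sys.exit(0 if all(r["match"] for r in result.values()) else 1)
```

A mismatch in the no-sni case only means the two appliances have different certificates selected in the Default column.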