Enterprise Certification Authority - Certificate for Firewalls web-gui
Good afternoon, as always, thank you in advance for your constant support. Please help me with the following case:
Environment:
1.- Firewalls - HA
2.- Local Certification Authority
3.- Firewalls managed by PANORAMA
4.- One template/one template stack with this template
-It is intended to use a certificate for the GUI, for the access to the web-gui administration of the firewalls, using a certificate generated by an Enterprise certificate authority.
It will be done without csr, I reiterate without using CSR, but it will be uploaded both the certificate and the private key, generated by the local certifier.
The certification chain is small, and quite simple, without intermediaries, that is to say:
CA-ENTERPRISE-LOCAL --------------> Certificate for the Firewall-Web-GUI-ADMIN.
1.- Please make observations, the issues to be considered on the basis of the proposed environment. Each firewall, in HA, will have its own certificate, therefore it is not recommended to do it via template from Panorama (there is only one template for all the HA), please confirm this point and indicate, based on the environment indicated, that it should or should not be done locally, I would understand that it should be done locally.
2.- Please indicate whether or not the CA certificate should be uploaded to the firewalls (I would understand no, but please confirm it, based on best practices). The client computers and/or workstations, that will visit and access via WEB, the WEB-GUI of the firewalls, already trust the Enterprise CA as a trusted entity.
3 .- Please indicate what considerations should be taken based on Panorama, when changing context to firewalls, configuration push, after the firewalls have their new ssl web-gui certificate, installed, if they have the new certificate, generate any problems, setbacks and / or if any prior adjustment is required necessary, please your support.
Thank you very much for your collaboration and constant support, I remain attentive, best regards
1. If each firewall has its own stack, you could add the certificate tot he stack template instead of the shared template. If the stack is also shared, you're best off deploying the certificate locally (or need to create a template per firewall to contain the cert) 2. For this purpose you don't need the CA on the firewall 3.none, the context switch uses a different certificate (secure communications)
@Reaper Please Reaper, your help and support as always, thanks for the patience. All questions are related to the same topic, they are not from different topics.
Thank you very much, I remain attentive