Generate Secure Communication Items on an Appliance
To secure communication between Secure Web Gateway appliances that run as nodes in a cluster, certificates are used that are signed by a Certificate Authority (CA). This Certificate Authority is referred to for short as the cluster CA.
There is also a certificate for this cluster CA, which is referred to as the CA certificate. Private Keys are required to enable the signing of certificates and their use in secure communication between cluster nodes.
When configuring a cluster, you generate these items on the appliance where you begin your configuration. When you later include other appliances as nodes in the cluster, you import the items on those appliances.
- On the user interface of the appliance you begin with when configuring a cluster, select Configuration > Appliances.
- At the top of the configuration area, click Cluster CA.
- In the Cluster CA window that opens, click Generate CA.
- Use the options in the Generate Cluster CA Certificate window that opens to generate the items that are needed for secure communication in a cluster.
  - Under Common Name, enter a common name for the cluster CA.
    The remaining fields in the window are grayed out, as filling them out is not required.
  - Click Apply and Export.
    The Generate Cluster CA Certificate window closes and the Save CA Certificate and Private Key window opens.
    A certificate has been generated for this appliance and signed by the cluster CA, which has also been generated, together with the CA certificate. The validity period of this cluster CA is 15 years.
    A Private Key has been generated, which was required to enable the signing of the certificate by the cluster CA. Another Private Key has been generated for use in secure communication between the appliances that run as nodes in this cluster.
    The certificate for the appliance and the Private Key for use in secure communication with other appliances that run as cluster nodes are stored on the appliance.
- Use the options in the Save CA Certificate and Private Key window to store the other generated items in locations where you can import them from later on.
  - Next to Exported CA certificate, click Browse, then browse to the location where you want to store the CA certificate.
  - Next to Exported private key, click Browse, then browse to the location where you want to store the Private Key that is required to enable the signing of a certificate by the cluster CA.
  - Under Encryption password, type a password for the Private Key.
  - Press the Enter key on your keyboard.
    The window closes and the CA certificate and the Private Key are stored in the locations you browsed to.
  - When a message informs you that both have been stored, click OK to close the message window.
-
You can now include other appliances as nodes in the cluster and import the CA certificate and the Private Key from the locations where you have stored them.
For more information, see Import Secure Communication Items on an Appliance.
If you have already configured a cluster and want to replace the items for secure communication that are in use within this cluster, you can generate them on any of the appliances that run as nodes in this cluster.
In that case, no import is required anywhere, because whenever the items are generated on an appliance that is a node in this cluster, they are also generated on all other nodes.
If a cluster CA already exists on an appliance, its name appears in the Common Name field of the Generate Cluster CA Certificate window, together with the hash value of the name.