Generate a Cluster CA and its Private Key
Generate a cluster CA and its private key for use in generating certificates and private keys to ensure secure communication between Web Gateway appliances that are nodes in a Central Management cluster.
A cluster CA and its private key are first generated on a single appliance when you begin to create a cluster. More appliances can then be added to the cluster, after importing this cluster CA and its private key to each of them.
If you have already created a cluster and want to replace the cluster CA and the private key that are in use within this cluster, you can generate these items on any of the appliances that are its nodes.
Importing the cluster CA and its private key to other appliances is not required in this case, as certificates and private keys for all appliances in the cluster are generated when a cluster CA and its private key are generated on any of them.
Task
- On the user interface of an appliance, select Configuration | Appliances.
- At the top of the configuration pane, click Cluster CA.
- In the Cluster CA window that opens, click Generate CA.
- Use the Generate Cluster CA Certificate window that opens to generate a cluster CA and its private key.
- Under Common Name, type a common name for the cluster CA.
If a cluster CA already exists on the appliance, its name is displayed here, together with the hash value of the name.
NOTE: The remaining fields in the window are grayed out, as filling them out is not required. The validity period for the cluster CA is set to 15 years. The RSA key size is set to 3072.
- Click Apply and Export.
A cluster CA and its private key are generated. The private key enables use of the cluster CA, which then signs the certificate that is generated on the appliance that you are currently working on.
Together with this certificate, another private key is generated for enabling its use in cluster communication, and both items are stored on the appliance.
If you are generating the cluster CA and its private key on an appliance that is a node in an already existing cluster, certificates and private keys for all nodes in this cluster are also generated and stored.
The Generate Cluster CA Certificate window closes and the Save CA Certificate and Private Key window opens.
- Use the Save CA Certificate and Private Key window to store the cluster CA and its private key.
NOTE: It is mandatory that you complete this step here, as no opportunity will be provided to store these items later on.
- Next to Exported CA certificate location, click Browse and browse to a location to store the cluster CA there.
- Next to Exported private key location, click Browse and browse to a location to store the private key there.
- Under Encryption password, type a password for the private key and hit the Enter key on your keyboard.
The window closes and the cluster CA is stored with its private key.
- When a message informs you that both have been stored, click OK to close the message window.
A cluster CA and its private key have been generated and are stored in the places that you selected. The cluster CA is also stored on the appliance, but not its private key.
This private key was required, however, to enable use of the cluster CA when it signed the certificate that was generated on the appliance.
NOTE: Be aware that this private key will again be required to enable use of the cluster CA when it is imported with the private key to sign a certificate for another appliance that is added as a node to the cluster.
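As an added check that is not part of this documentation or the appliance: a shell script that verifies an exported cluster CA and its private key have the properties described above (an RSA 3072 key, a 15-year validity period, a password-encrypted private key that belongs to the CA) before you file them away. The file names and password are assumptions, and the two files are constructed here with openssl as a stand-in for the items exported from the appliance.

```shell
#!/bin/sh
# Added example: verify an exported cluster CA certificate and its
# encrypted private key. Not the appliance's own code.
set -eu

# Assumed locations and password; the files are constructed below as a
# sample in place of the ones exported from the appliance.
WORK=$(mktemp -d)
CA_CERT="$WORK/cluster-ca.pem"
CA_KEY="$WORK/cluster-ca-key.pem"
CA_PASS="example-password"

# Constructed sample: self-signed CA, RSA 3072, 15 years (5475 days),
# private key encrypted with the password, as the appliance exports it.
make_sample_ca() {
  openssl req -x509 -newkey rsa:3072 -days 5475 -subj "/CN=wg-cluster-ca" \
    -keyout "$CA_KEY" -out "$CA_CERT" -passout "pass:$CA_PASS" >/dev/null 2>&1
}

# 0 when the PEM key file carries an ENCRYPTED header (never store a plain key)
key_is_encrypted() {
  grep -q "ENCRYPTED" "$1"
}

# Prints the size in bits of the certificate's public key
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# 0 when the certificate is still valid N days from now (N = $2)
valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 when the password decrypts the key and its public half equals the CA's
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all checks; returns non-zero on the first failure
check_cluster_ca() {
  key_is_encrypted "$2" || { echo "private key file is NOT encrypted"; return 1; }
  [ "$(cert_key_bits "$1")" = "3072" ] || { echo "key size is not 3072 bits"; return 1; }
  valid_in_days "$1" 5474 || { echo "CA expires before 15 years"; return 1; }
  key_matches_cert "$1" "$2" "$3" || { echo "key does not match the CA"; return 1; }
  echo "cluster CA and private key check out"
}

make_sample_ca
check_cluster_ca "$CA_CERT" "$CA_KEY" "$CA_PASS"
```

Point CA_CERT, CA_KEY and CA_PASS at the real exported files instead of calling make_sample_ca to check an actual export.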