KB Article | Forcepoint Support

Problem Description


Firewall Enterprise
For version 8.3.x, please see KB 14661


The Default_Enterprise_Certificate is generated when you create a cluster, and has a lifetime of five years. This article provides two methods for replacing the certificate when it expires.



Create a new certificate:

If you do not want to disturb the cluster, you can create a new certificate to replace the Default_Enterprise_Certificate. You do this using the command-line interface. The instructions differ slightly depending on whether or not the cluster members can communicate with each other.

On the cluster primary:
  1. Create a certificate request:
    NOTE: The DN must be unique. It must be different from the current certificate. For example, add a country code: dn=cn=<FQDN of primary>,c=us
    or remove it if it already exists. (Use cf cert query fw to see the current DN. Use cf ssl query proxy=entrelayd if you are unsure which cert is being used.)

    cf cert add fw name=New_Enterprise_Certificate pkcs10=cert.req dn=cn=<FQDN of primary>
  2. Generate the new certificate:

    cf lca gencert name=enterprise_ca req=cert.req output=cert.pem
  3. Import the certificate into cf_cert:

    cf cert getcert fw name=New_Enterprise_Certificate file=cert.pem
  4. Optional: View the certificate:

    cf cert view fw name=New_Enterprise_Certificate
  5. Configure entrelayd to use the new certificate:

    cf ssl set proxy=entrelayd cert_name=New_Enterprise_Certificate

Synchronize Certificates between Firewalls

If the cluster can communicate, on the cluster secondary ensure the new certificate has arrived. New_Enterprise_Certificate should show up in both of the following queries:

    cf cert query fw
    cf ssl query proxy=entrelayd

If the cluster cannot communicate, you must import the certificate and private key to the secondary explicitly:

On the primary:
  1. Export the new enterprise certificate and key:

    cf cert view fw name=New_Enterprise_Certificate file=cert.p12 cert_format=PKCS12_DER password=<password>
  2. Copy cert.p12 to the secondary.
     The easiest way to do this is to SCP the file to the standby firewall, substituting the correct username and IP address on the standby for your environment:

    scp cert.p12 swadmin@

On the secondary:
  1. Import the new enterprise certificate and key:

    cf cert add fw name=New_Enterprise_Certificate file=cert.p12 password=<password>
  2. Configure entrelayd to use the new certificate:

    cf ssl set proxy=entrelayd cert_name=New_Enterprise_Certificate

On both cluster members, restart entrelayd to begin using the new certificate:

    cf daemond restart agent=entrelayd

Ensure policy is syncing

It will take several minutes, after performing the steps above, to see policy syncing between cluster members. To check that the policy is up to date, run the following command on both members of the cluster:

    cf cluster status

The output should indicate a "Policy Version" number for both members. Check the output from both firewalls to ensure that the "Policy Version" is the same in all four places. This will take several minutes after recreating a cluster or changing certificates.

*NOTE* If your Sidewinder cluster is Control Center managed, for most consistent results across all versions, it is recommended to remove the cluster from CC first. Then, follow the procedure detailed above and confirm the policy is again syncing between cluster members. Finally, re-add the cluster back into CC and retrieve the policy.
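Comparing the four "Policy Version" values by eye is error-prone when you are repeating the check every few minutes on two firewalls. The following script is an added example, not Forcepoint code or part of this article: it takes the saved text of cf cluster status from each member, pulls out every Policy Version it reports, and says whether all four agree. The layout of the sample output embedded below is constructed for illustration and is an assumption, not the real format the command prints; adjust the regular expression to match what your firewalls actually output.

```python
import re
from typing import Dict, List

# Constructed sample output for two cluster members. This layout is an
# assumption made for the example and is NOT the real format printed by
# "cf cluster status" on Firewall Enterprise.
SAMPLE_STATUS_PRIMARY = """\
Cluster: sample-cluster
Member: fw-primary (primary)
  State: online
  Policy Version: 1034
Member: fw-secondary (secondary)
  State: online
  Policy Version: 1034
"""

# Same cluster as seen from the secondary, but its own policy is still behind.
SAMPLE_STATUS_SECONDARY_STALE = """\
Cluster: sample-cluster
Member: fw-primary (primary)
  State: online
  Policy Version: 1034
Member: fw-secondary (secondary)
  State: online
  Policy Version: 1031
"""

# Matches the "Policy Version" label the article says to look for.
POLICY_VERSION_RE = re.compile(r"Policy Version:\s*(\d+)")


def policy_versions(status_output: str) -> List[int]:
    """Extract every Policy Version number from one member's status output."""
    return [int(m.group(1)) for m in POLICY_VERSION_RE.finditer(status_output)]


def policy_in_sync(outputs: Dict[str, str], expected_members: int = 2) -> dict:
    """Check that every Policy Version reported by every member agrees.

    outputs maps a member name to the text of its "cf cluster status" run.
    With two members, each listing both, that is four values to compare
    (the "four places" the article refers to).
    """
    per_member = {name: policy_versions(text) for name, text in outputs.items()}
    all_versions = [v for versions in per_member.values() for v in versions]
    expected_count = expected_members * expected_members
    problems = []
    if len(all_versions) != expected_count:
        problems.append(
            f"expected {expected_count} Policy Version values, found {len(all_versions)}"
        )
    for name, versions in per_member.items():
        if len(versions) != expected_members:
            problems.append(f"{name}: reported {len(versions)} Policy Version values")
    distinct = set(all_versions)
    if len(distinct) > 1:
        problems.append(f"policy versions differ: {sorted(distinct)}")
    return {
        "in_sync": not problems,
        "version": all_versions[0] if len(distinct) == 1 else None,
        "per_member": per_member,
        "problems": problems,
    }


if __name__ == "__main__":
    # Typical use: paste each member's "cf cluster status" output into a file
    # and pass the file contents here; the embedded samples stand in for that.
    for label, secondary in (("converged", SAMPLE_STATUS_PRIMARY),
                             ("stale", SAMPLE_STATUS_SECONDARY_STALE)):
        result = policy_in_sync({"fw-primary": SAMPLE_STATUS_PRIMARY,
                                 "fw-secondary": secondary})
        print(label, "in_sync:", result["in_sync"], "problems:", result["problems"])
```

A mismatch right after restarting entrelayd is expected; rerun the check a few minutes later and treat it as a real problem only if the versions still differ.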
