KB Article | Forcepoint Support

Problem Description

Environment

Firewall Enterprise 8.3.x, 7.0.1.03

Summary

The Default_Enterprise_Certificate is generated when you create a cluster, and has a lifetime of five years. This article provides two methods for replacing the certificate when it expires.

Resolution

Solution

Create a new certificate:

If you do not want to disturb the cluster, you can create a new certificate to replace the Default_Enterprise_Certificate using the command-line interface. The steps differ slightly depending on whether the old certificate has already expired, whether the cluster members are still communicating, and which packages are installed.
 
At version 8.3.2P10 or newer:

On the cluster primary:
  1. Renew the certificate:

     cf cluster_renew_enterprise_cert

  2. Skip to the "Synchronize Certificates between Firewalls" section of this document.

At version 7.0.1.03, and at 8.3.2 installations prior to 8.3.2P10:

On the cluster primary:
  1. Create a certificate request:

     NOTE: At version 7.0.1.03, the DN must be unique: it must differ from the DN of the current certificate. For example, add a country code (dn=cn=<FQDN of primary>,c=us) or remove it if one is already present. Use cf cert query fw to see the current DN, and cf ssl query proxy=entrelayd if you are unsure which certificate is in use.

     cf cert add fw name=New_Enterprise_Certificate dn=cn=<FQDN of primary> pkcs10=cert.req

  2. Optional: Increase the certificate lifetime to ten years:

     cf lca modify name=enterprise_ca user_days=3650

  3. Generate the new certificate:

     cf lca gencert name=enterprise_ca req=cert.req output=cert.pem

  4. Import the certificate into cf_cert:

     cf cert getcert fw name=New_Enterprise_Certificate file=cert.pem

  5. Optional: View the certificate:

     cf cert view fw name=New_Enterprise_Certificate

  6. Configure entrelayd to use the new certificate:
     • For version 7.0.1.03:
       cf ssl set proxy=entrelayd cert_name=New_Enterprise_Certificate
     • For version 8.3.1:
       cf ssl set proxy=entrelayd firewall_certs=New_Enterprise_Certificate

Synchronize Certificates between Firewalls

If the cluster can communicate, verify on the cluster secondary that the new certificate has arrived. New_Enterprise_Certificate should appear in the output of both of the following queries:
 
cf cert query fw
cf ssl query proxy=entrelayd
 
 
If the cluster cannot communicate, you must import the certificate and private key on the secondary explicitly:

On the primary:
  1. Export the new enterprise certificate and key:

     cf cert view fw name=New_Enterprise_Certificate file=cert.p12 cert_format=PKCS12_DER password=<password>

  2. Copy cert.p12 to the secondary. The easiest way is to SCP the file to the standby firewall, substituting the username and IP address of the standby in your environment:

     scp cert.p12 swadmin@10.1.1.2:/home/swadmin

On the secondary:
  1. Import the new enterprise certificate and key:

     cf cert add fw name=New_Enterprise_Certificate file=cert.p12 password=<password>

  2. Configure entrelayd to use the new certificate:
     • For version 7.0.1.03:
       cf ssl set proxy=entrelayd cert_name=New_Enterprise_Certificate
     • For version 8.3.1:
       cf ssl set proxy=entrelayd firewall_certs=New_Enterprise_Certificate

On both cluster members, restart entrelayd to begin using the new certificate:

cf daemond restart agent=entrelayd


Ensure policy is syncing

After performing the steps above, it will take several minutes before policy starts syncing between cluster members. To check that the policy is up to date, run the following command on both members of the cluster:

cf cluster status

The output should show a "Policy Version" number for both members. Compare the output from both firewalls and confirm that the "Policy Version" is the same in all four places. This will take several minutes after recreating a cluster or changing certificates.

NOTE: If your Sidewinder cluster is Control Center managed, for the most consistent results across all versions it is recommended to remove the cluster from CC first. Then follow the procedure detailed above and confirm that policy is again syncing between cluster members. Finally, re-add the cluster to CC and retrieve the policy.
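The post-change checks this section and the "Synchronize Certificates between Firewalls" section describe, scripted as an added example that is not part of the Forcepoint article or the cf tool. It assumes you have captured the output of cf cluster status, cf cert query fw and cf ssl query proxy=entrelayd to files on each member, and that the policy line is printed as "Policy Version: <number>" (an assumed format; adjust the sed pattern to what your firewall actually prints).

```shell
#!/bin/sh
# Added verification helpers (not from the article or the cf tool). They run over
# captured output of the article's own commands, for example, on each member:
#   cf cluster status            > cluster_<member>.txt
#   cf cert query fw             > certq.txt
#   cf ssl query proxy=entrelayd > sslq.txt
# ASSUMPTION: the cluster status capture contains lines like "Policy Version: 57".

# Print every Policy Version value found in the given capture files, one per line.
policy_versions() {
    cat "$@" | sed -n 's/.*Policy Version:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed only when the captures from both members together contain at least four
# Policy Version entries (each member reports both members, the "four places" the
# article refers to) and every one of them is identical.
policy_in_sync() {
    total=$(policy_versions "$@" | wc -l | tr -d ' ')
    distinct=$(policy_versions "$@" | sort -u | wc -l | tr -d ' ')
    [ "$total" -ge 4 ] && [ "$distinct" -eq 1 ]
}

# Succeed only when the named certificate appears in BOTH a `cf cert query fw`
# capture and a `cf ssl query proxy=entrelayd` capture on a member, i.e. it has
# been imported into cf_cert and entrelayd has been configured to use it.
cert_visible() {
    name=$1; cert_query=$2; ssl_query=$3
    grep -q -- "$name" "$cert_query" && grep -q -- "$name" "$ssl_query"
}
```

Run the checks a few minutes after the restart; a failing policy_in_sync right after cf daemond restart is expected until the members have exchanged policy.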
