Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Linking a Subscriber to a Publisher - self-signed HTTPS cert

  • 1.  Linking a Subscriber to a Publisher - self-signed HTTPS cert

    Posted Aug 01, 2019 06:09 AM

    Hello,

    We have been trying to link a Subscriber to a Publisher, but it has been failing. I think this is because there was no HTTPS cert on the Publisher. I have now created a self-signed one (for testing purposes) but how do I now make the Subscriber accept this cert? What do I need to add to the Trust List on the Subscriber to make it accept the self-signed cert? Or is the only way to do this by using a non-self-signed cert?

    Thanks,



  • 2.  RE: Linking a Subscriber to a Publisher - self-signed HTTPS cert

    EMPLOYEE
    Posted Aug 01, 2019 06:23 AM

    Are you still getting any error message after installing the HTTPS self-signed certificate while joining the subscriber server to the cluster?



  • 3.  RE: Linking a Subscriber to a Publisher - self-signed HTTPS cert

    Posted Aug 01, 2019 06:26 AM

    Hi,

    Yes, so I see this:

    "Failed to verify the HTTPS Server Certificate of host 131.111.10.194. The CA certificate chain that signed the server certificate should be in the in the Trust List of this host."

    Which makes sense, I just don't know how to add the root CA cert of the Publisher to the Subscriber Trust List.



  • 4.  RE: Linking a Subscriber to a Publisher - self-signed HTTPS cert
    Best Answer

    Posted Aug 01, 2019 06:31 AM

    You should have two options here,

    1) install the certificate which "signed" the request to the subscriber

    2) use 

    cluster make-subscriber -b -V -i <ip-addr of publisher>  

    -b should back up the running configuration, -V should force it and ignore the certificate error

    /edit:

    I corrected my code, "-f" is not an option, "-V" is.


    hth,



  • 5.  RE: Linking a Subscriber to a Publisher - self-signed HTTPS cert
    Best Answer

    Posted Aug 01, 2019 07:01 AM

    @kainzjoh wrote:

    You should have two options here,

    1) install the certificate which "signed" the request to the subscriber

     

    2) use 

    cluster make-subscriber -b -f -i <ip-addr of publisher>  

    -b should back up the running configuration, -f should force it and ignore the certificate error


    I don't know how to get the Publisher's cert onto the subscriber.

    Option 2 worked with a minor adjustment, replacing -f with -V.


    Thanks for your help. I'd still like to understand the self-signing process better but this looks like it has worked so that's great.



  • 6.  RE: Linking a Subscriber to a Publisher - self-signed HTTPS cert

    Posted Aug 01, 2019 07:44 AM

    It seems like rather than creating a self-signed cert I actually want to create a cert signed by the Publisher, and have the Publisher's cert on the Trust list on the Subscriber, but I'm not clear on how to do either of those things.



  • 7.  RE: Linking a Subscriber to a Publisher - self-signed HTTPS cert

    Posted Aug 01, 2019 07:53 AM

    - Create the cluster by adding the subscriber node

    - Import the certificate into the trust list

    - Import the certificate into the node on which the CSR was done

    - Export the certificate

    - Import the pkcs12 encoded certificate into the other node
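
Added example, not part of the thread and not ClearPass CLI: a generic OpenSSL sketch of why the Subscriber rejects a self-signed Publisher certificate and what "adding it to the Trust List" means for verification. The host names, file names and function names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added illustration using generic OpenSSL; not ClearPass commands.
# All names (publisher.example.test, other.example.test, file names) are constructed.

# Create a throwaway self-signed certificate: issuer == subject, signed by its own key.
make_selfsigned() {   # $1 = dir, $2 = base name, $3 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate chains to something in the given trust list (PEM file).
verify_against() {    # $1 = trust list, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, for comparing out of band before a certificate is trusted.
fingerprint() {       # $1 = certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_selfsigned "$d" publisher publisher.example.test || return 1
  make_selfsigned "$d" other other.example.test || return 1

  # Trust list without the publisher's certificate: verification fails,
  # which is the situation the error message in the thread describes.
  if verify_against "$d/other.crt" "$d/publisher.crt"; then
    echo "unexpected: trusted without a matching anchor"
  else
    echo "not trusted: no matching certificate in the trust list"
  fi

  # A self-signed certificate is its own issuer, so the certificate itself
  # (public part only, never the key) is what goes into the trust list.
  echo "fingerprint to compare out of band: $(fingerprint "$d/publisher.crt")"
  cat "$d/publisher.crt" >> "$d/other.crt"
  verify_against "$d/other.crt" "$d/publisher.crt" && echo "trusted after import"
  rm -rf "$d"
}

demo
```

Unlike skipping verification, importing the certificate keeps the check in place: a different certificate presented under the same address would still be rejected.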