Can't import the certification to USG9000 firewall

Latest reply: Aug 25, 2018 01:57:28
Issue Description
After changing the MGMT IP on the USG9500s, the user generated a new PKI certificate at the same CA, deleted the old certificate, and uploaded the new certificate, but the new certificate failed to upload. It showed an error that the certificate is not valid.
Handling Process

There are two scenarios to satisfy the customer's needs. The customer is now using the first scenario below. But when we checked the customer's files, they had not generated a “Certificate Request File” from the two firewalls that we logged on to. I am not sure whether the customer has deleted it, or whether the certificate file is not for this firewall.

Solution

There are three firewalls, A, B, and C. You can apply for a certificate for every firewall using the scenarios below.

Scenario 1:
1. Generate the “Certificate Request File” on firewall A, send the “Certificate Request File” to the CA organization, and apply for the certificate.
Note: When you generate the “Certificate Request File”, you must set “Common Name (CN)” to the IP address that you use to log in to the GUI.
2. The CA server will generate a “Local Certificate” with the suffix *.cer.
3. Download the “Local Certificate” and “CA Certificate” from the CA server. (The CA server has a “CA Certificate” itself, which does not need to be generated.)
4. As I checked your certificate, it was generated by “XXX-CA-main”; please be sure your PC trusts this publisher.
5. Upload the “Local Certificate” to the firewall's “Local Certificates”.
6. Upload the “CA Certificate” to the firewall's “CA Certificates”.
7. Apply for certificates for firewalls B and C in the same way and install the certificates on B and C.

Scenario 2: (Recommended)
1. Generate the “Local Certificate” directly on the CA server in *.p12 or *.pem format.
Note: When you apply for the certificate and enter your device information, you must set “Common Name (CN)” to the IP address that you use to log in to the firewall GUI.
2. Download the “Local Certificate” and “CA Certificate” from the CA server. (The CA server has a “CA Certificate” itself, which does not need to be generated.)
3. Please be sure your PC trusts this publisher, “XXX-CA-main”.
4. Upload the “Local Certificate” to the firewall's “Local Certificates”.
5. Upload the “CA Certificate” to the firewall's “CA Certificates”.
6. Apply for certificates for firewalls B and C in the same way and install the certificates on B and C.

Note: Actually, if the publisher is trusted by your PC, you do not need to upload the CA certificate to the firewall and PC. But if the publisher is not trusted by your PC, you must upload the CA certificate to the firewall and PC.
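
The three conditions the post depends on (CN equals the GUI login IP, the certificate belongs to the request file generated on this firewall, and it was issued by the downloaded CA certificate) can be checked on the admin PC before uploading. This is an added example, not part of the original post; it assumes the OpenSSL command-line tool and PEM-encoded files, and the function names, file arguments and IP are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for a firewall "Local Certificate".
# Assumes PEM-encoded inputs; all file names and the IP are placeholders.

# Print the subject Common Name of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print a SHA-256 digest of the public key in a certificate (x509) or CSR (req).
pubkey_digest() {
    openssl "$1" -in "$2" -noout -pubkey | openssl sha256
}

# check_local_cert CERT CSR CA_CERT MGMT_IP
# Returns 0 only if all three checks pass; prints one line per check.
check_local_cert() {
    cert=$1 csr=$2 ca=$3 ip=$4 rc=0

    # 1. CN must equal the IP address used to log in to the firewall GUI.
    cn=$(cert_cn "$cert")
    if [ "$cn" = "$ip" ]; then echo "OK   CN=$cn"
    else echo "FAIL CN=$cn, expected $ip"; rc=1; fi

    # 2. The certificate must carry the public key of the request file
    #    generated on this firewall (Scenario 1); otherwise it belongs to
    #    another device or to a request that no longer exists.
    if [ "$(pubkey_digest x509 "$cert")" = "$(pubkey_digest req "$csr")" ]; then
        echo "OK   public key matches the request file"
    else echo "FAIL public key does not match the request file"; rc=1; fi

    # 3. The certificate must chain to the CA certificate from the CA server.
    if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "OK   issued by the supplied CA certificate"
    else echo "FAIL not verifiable against the supplied CA certificate"; rc=1; fi

    return $rc
}
```

Check 2 applies to Scenario 1 only, because in Scenario 2 the key pair is created on the CA server and there is no request file to compare against.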

I think this helps a lot

Wow, so helpful! :)
