IBM Security Guardium

Hello Experts, Hope all is well at your side.

I need an guidance on "Guardium GUI Certificate". actually, we have around 10 Appliances on which we required GUI Certificate to be signed by CA. However, I have created CSR request only on 1 appliance & added other appliances hostnames under "SAN". Now, my question is, will I be able to insert single CA signed certificate to other appliances as well ? since, they do not have CSR request generated under them ...? Is there any way around OR Do I need to generate CSR request for each appliance & get it signed by CA and then insert it to individual appliance.  

Can anyone please assist me in this scenario. With Many Thanks!

Hello Experts, Hope all is well at your side.

I need an guidance on "Guardium GUI Certificate". actually, we have around 10 Appliances on which we required GUI Certificate to be signed by CA. However, I have created CSR request only on 1 appliance & added other appliances hostnames under "SAN". Now, my question is, will I be able to insert single CA signed certificate to other appliances as well ? since, they do not have CSR request generated under them ...? Is there any way around OR Do I need to generate CSR request for each appliance & get it signed by CA and then insert it to individual appliance.  

Can anyone please assist me in this scenario. With Many Thanks!

Dear Mark, Thank you for sharing the info.

However, I have few doubts here, for example, I have created CSR on single appliance with wild cards , However, while Importing CA Signed certificate to other appliance, it saying that "

==================================================================================================

However, upon selecting below option it is asking to Insert "PRIVATE KEY" - But, I am not sure about which Private key I should Insert here ...?

Could you please help me with this dilemma. I really appreciate your support in this regard. 

Hello Experts, Hope all is well at your side.

I need an guidance on "Guardium GUI Certificate". actually, we have around 10 Appliances on which we required GUI Certificate to be signed by CA. However, I have created CSR request only on 1 appliance & added other appliances hostnames under "SAN". Now, my question is, will I be able to insert single CA signed certificate to other appliances as well ? since, they do not have CSR request generated under them ...? Is there any way around OR Do I need to generate CSR request for each appliance & get it signed by CA and then insert it to individual appliance.  

Can anyone please assist me in this scenario. With Many Thanks!

Hello Experts, Hope all is well at your side.

I need an guidance on "Guardium GUI Certificate". actually, we have around 10 Appliances on which we required GUI Certificate to be signed by CA. However, I have created CSR request only on 1 appliance & added other appliances hostnames under "SAN". Now, my question is, will I be able to insert single CA signed certificate to other appliances as well ? since, they do not have CSR request generated under them ...? Is there any way around OR Do I need to generate CSR request for each appliance & get it signed by CA and then insert it to individual appliance.  

Can anyone please assist me in this scenario. With Many Thanks!

Hi Akash,

While you can use 1 certificate for multiple Guardium appliances, there's a special way to do that which is not how you've started.  The method you've started with would require a unique certificate for each box, as the private side of each is stored uniquely on each box, when the CSR is created, and is not something you can extract and share. 

If you must do one certificate for all, you'll need to generate the certificate outside of Guardium, with the wildcard CN (*.yourdomain.com), save the private and public keys separately, and load in the following order: the CA's public cert (and any in chain to what signed your cert), and then the public and private keys for the cert for the Guardium appliances as generated elsewhere. 

This process will be: 

• store certificate keystore trusted [console | external]
  
  • save the CA trusted cert, and any others in chain that signed what you're going to use as a cert
• store certificate privatekey gui [console | external]
  • save the private key that you've generated outside of Guardium for what will be your gui-cert, including a CN of *.your.domain.com 
• store certificate gui console
  • save the signed public key to the pair you've generated outside of Guardium with the CN of *.your.domain.com
• restart gui

Note:

Certificates and private keys must be in PEM format.

Certificates start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----"

Private keys start with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"

Honestly, it's more straightforward to create a csr on each system, and sign it by your CA, but if you really need to do one wildcard cert for all, it's possible.

Hello Experts, Hope all is well at your side.

I need an guidance on "Guardium GUI Certificate". actually, we have around 10 Appliances on which we required GUI Certificate to be signed by CA. However, I have created CSR request only on 1 appliance & added other appliances hostnames under "SAN". Now, my question is, will I be able to insert single CA signed certificate to other appliances as well ? since, they do not have CSR request generated under them ...? Is there any way around OR Do I need to generate CSR request for each appliance & get it signed by CA and then insert it to individual appliance.  

Can anyone please assist me in this scenario. With Many Thanks!