Use custom server certificates for communication with the failover web console

When setting up secure communication between the nodes in your cluster, each node will need a certificate that proves its identity. These certificates are created using PKI (Public Key Infrastructure), a system that uses public and private keys to establish trust and security.

Without certificates that are trusted by both nodes, your connection is not secure.

During configuration, the wizard generates a server certificate that encrypts the communication with the failover web console. If you want to encrypt the connection to the failover web console with a custom certificate (your enterprise PKI or commercial PKI), you can do that after you have configured the failover cluster with HTTP.

Requirements

You need the following files:

File

Description
Server certificates

You need a server certificate for each node in the .crt format signed by the root or intermediate CA certificate. Make sure each client certificate contains the following Subject Alternative Name (SAN) details:

  • The hostnames and FQDNs of both nodes as DNS values.

  • The virtual IP of the failover cluster as an IP address value.
Private keys You need the private unencrypted keys of the server certificates.
Client certificates

Client certificates signed by the same root or intermediate CA that you used to sign the server certificates. You can use client certificates in the .pfx or .p12 format that are issued to a specific Windows user. Make sure the client certificates have the following properties:

  • The Key Usage field is set to Client Authentication.

  • The name of the Windows user in the Common Name subfield under the Subject field.
A CA certificate You need the root or intermediate CA certificate for signing the server and client certificates. It must be an X.509 certificate in the .pem format.

Install the CA certificates

You need a CA certificate that signs the server certificates.

  1. On Node 1, rename the CA certificate for the servers to cacert.crt.

  2. Rename the CA certificate for the clients to clcacert.crt.

  3. Copy the cacert.crt certificate file and paste it to C:\Program Files\Milestone\XProtect Management Server Failover\safekit\conf.

  4. Copy the clcacert.crt certificate file and paste it to C:\Program Files\Milestone\XProtect Management Server Failover\safekit\web\conf.

  5. Repeat steps 1-4 on Node 2.

Install the server certificates

To make sure the failover web console knows which certificate to use, you must copy the certificate and its private key to the configuration folder:

  1. On Node 1, rename the server certificate to server.crt and the private key file to server.key.

  2. Copy the certificate and key files and paste them to C:\Program Files\Milestone\XProtect Management Server Failover\safekit\conf

  3. Repeat step 1 and 2 on Node 2.

Install the client certificates

To connect to the failover console from a computer that is not part of the failover cluster, you need a client certificate.

  1. Double-click on the certificate to start the installation wizard.

  2. Select to import the certificate in the store of the Current User and click Next.

  3. Specify the password for the certificate and click Next.

  4. Select Place all certificates in the following store and click Browse. Then, select the Personal store.

  5. On the Completing the Certificate Import Wizard dialog, select Finish.

  6. Verify that the server certificate is listed in the center view of the Personal subtree.

After you have completed these steps, try logging in to the failover web console.

If you are not able to log in to the console, verify that you have added the necessary exceptions to your Windows Firewall. See Ports used by XProtect Management Server Failover services and modules.