Georedundancy Certs
The following instructions are specific to DC2 in a Georedundant configuration.
TLS Certs (DC2)
Any certificates entered for DC1 still display here. If DC2 has different certificates, then enter those certificates instead.Verify the configurations on the screen are correct, then check the Status dropdown and wait for Node Status to turn green before proceeding to the next screen.Note: If you advance to the next screen before Node Status turns green, an error message may display. If this occurs, wait for Node Status to turn green, and the error will resolve itself.
To generate certs for georedundancy
1. Log in to the DC1 ICE OS Configuration Wizard.
2. Navigate to the Server Certificate page and enable Generate Self-Signed Certificate Authority.
3. Click Apply (bottom-left).
4. Navigate to the Server page.
5. In the Cluster Ingress Hostname field, enter: https://YourDC1ServerFQDN.com
6. In Geo Server, enter https://YourDC2ServerFQDN.com
7. Click Apply.
A message notifies you that the certificate and key have been generated.
A message notifies you that the certificate and key have been generated.
8. To create DC2 certs from DC1's root CA:
A. In the left menu, click Server Certificate
B. Click "Show Self-Signed Certificate Chain"
C. Download the certificates
Note: Always store certificates and keys securely. Do not download the CA private key.
9. Click Apply,
10. Navigate to the Server page
11. Remove the YourDC2ServerFQDN address.
12. Click Apply.
A message notifies you that the certificate and key have been generated.
A message notifies you that the certificate and key have been generated.
13. Navigate to the Finish tab and click Install & Upgrade to apply changes.
To create a full certificate chain for DC2 upload
1. Edit the following files in a text editor:
ice_generated_server.crtice_generated_root_ca.crt2. Copy the entire content of ice_generated_root_ca.crt and paste it below the server cert content inside ice_generated_server.crt. Do NOT click Save.
3. In the text editor, open File > Save as
4. Rename the file new_ice_cert_chain.crt.
5. Ensure File Type is set to All Files and Encoding is set to UTF-8.
This creates a full cert chain in one .crt file, ready for ICE use.
6. Click Save.
To configure DC2
1. Log in to the ICE OS Configuration Wizard on DC2.
2. Navigate to the Server Certificate page.
3. Enable TLS.
4. Optionally, enable TLS Strict Mode (based on FIPS/security requirements).
5. The following file upload options appear:
ICE Server's Private Key: Upload ice_generated_server.crtICE Server's Certificate Chain: Upload new_ice_cert_chain.crt6. Navigate to the Server page and delete the auto-added DC1 FQDN entries.