How to enable two-way SSL authentication between master and backup server

Good Day IA Community:

I am trying to enable two-way SSL authentication between master and backup server. I am confused as to the format in which I should export the certificate.

According to the user manual:

It seems like an easy process. I am using KeyStore Explorer to export the metro-key, but I am confused as to which export format to use, and also whether there are any more steps after copying it to the file path stated in the user manual and enabling "Require Two Way Auth" in the gateway.

Please assist
Thank You

🔐 Enabling Two-Way Authentication on a Redundant Pair

Step 1: Back Up Both Gateways

Create Ignition Gateway backups before making any changes.

  • Go to Config > Backup/Restore
  • Click Download Backup

Step 2: Export SSL Certificates

Run the following commands on each machine to export the SSL certificate:

Windows:

"C:\Program Files\Inductive Automation\Ignition\lib\runtime\jre-win\bin\keytool.exe" ^
 -exportcert -keystore "C:\Program Files\Inductive Automation\Ignition\webserver\metro-keystore" ^
 -alias metro-key -file remote-gateway-cert.cer -storepass metro

Linux:

cd /usr/local/bin/ignition/lib/runtime/jre-nix/ &&
./bin/keytool -exportcert -keystore /usr/local/bin/ignition/webserver/metro-keystore \
-alias metro-key -file remote-gateway-cert.cer -storepass metro

You can rename remote-gateway-cert.cer to something meaningful, like project-001.cer.

Step 3: Distribute Certificates

Copy both certificate files to this directory on both machines:

<installdir>/data/gateway-network/client/security/pki/trusted/certs

This ensures redundancy during failover or re-sync operations.

Step 4: Enable Two-Way Authentication

  • On the Master Gateway, go to: Config > Networking > Gateway Network
  • Enable Require Two Way Auth
  • Click Save Changes at the bottom

The connection may briefly disconnect but should auto-recover.

✅ Step 5: Success!

Two-way authentication is now active between your Master and Backup Gateways.
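
On the export-format question and the Step 3 copy, the following is an added example, not part of the original post and not Ignition code. It accepts a certificate file in either binary DER (what keytool -exportcert writes unless -rfc is given) or PEM, rejects a file that carries a private key or has a key-pair container shape, and reports which expected certificates are absent from a trusted/certs directory. The function names and the sample byte strings are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file exported as DER or PEM."""
    if b"PRIVATE KEY-----" in data:
        raise ValueError("private key found: export the certificate only")
    pem = PEM_CERT.search(data)
    if pem:
        data = base64.b64decode(b"".join(pem.group(1).split()))
    # An X.509 certificate is a SEQUENCE whose first element is another SEQUENCE
    # (tbsCertificate). A PKCS#12 key-pair export starts SEQUENCE, INTEGER.
    if len(data) < 4 or data[0] != 0x30:
        raise ValueError("not a DER or PEM X.509 certificate")
    if data[1] < 0x80:                       # short-form length
        header, length = 2, data[1]
    else:                                    # long-form length
        n = data[1] & 0x7F
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if length == 0 or header + length != len(data) or data[header] != 0x30:
        raise ValueError("not a DER or PEM X.509 certificate")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated as keytool -printcert shows it."""
    digest = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def missing_from(cert_dir, expected: dict) -> list:
    """Names in expected (name -> fingerprint) with no matching file in cert_dir."""
    present = set()
    for path in Path(cert_dir).iterdir():
        try:
            present.add(fingerprint(path.read_bytes()))
        except (ValueError, OSError):
            continue                         # skip anything that is not a certificate
    return sorted(name for name, fp in expected.items() if fp not in present)

# Constructed stand-ins with the right outer DER shape; not real certificates.
SAMPLE_DER = bytes.fromhex("30053003020102")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
SAMPLE_PKCS12 = bytes.fromhex("3003020103")  # SEQUENCE, INTEGER: key-pair container shape
```

Run missing_from against the trusted/certs directory on each machine, with the fingerprints of the master and backup certificates as expected; an empty list on both means both files arrived intact.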