[ScreenOS] How to change the certificate that is used for SSL (HTTPS) WebUI Management

Knowledge Base ID: KB11496
Last Updated: 31 Jan 2013
Version: 6.0

Summary:
This article provides information on how to change the certificate that is used for SSL (HTTPS) WebUI Management.

Problem or Goal:
Starting from ScreenOS 5.1, the firewall creates its own self-signed certificate, which is used for SSL (HTTPS) WebUI management. Customers may want to use their own certificate, which is signed by their own CA (Certificate Authority).

Cause:

Solution:
  1. Load the CA certificate on the firewall.

  2. Generate a PKCS certificate request for the CA to sign.

  3. Load the local certificate on the firewall.

  4. Via the WebUI, go to Configuration > Admin > Management and change the certificate from Default - System Self-Signed Cert to the Local certificate.

  5. Via the CLI, use the following commands (list the local certificates, display the one to use, then bind the WebUI to it by its subject name hash, entered as a single string without the spaces shown in the output):
    get pki x509 list local-cert
    get pki x509 cert <ID num>
    set ssl cert-hash <subject name hash>
    
    For example:
    ssg5-v92-wlan-> get pki x509 list local-cert
     
    Getting LOCAL CERT ...
    IDX  ID num     X509 Certificate Subject Distinguish Name
    ================================================================================
    0000 233832475  LOCAL CERT friendly name <27>
                    CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
                    1695,OU=support,O=juniper,C=US,
                    Expire on 05-08-2009 20:03, Issued By:
                    CN=JTAC,OU=Juniper,OU=net,
    ================================================================================
     
     
    ssg5-v92-wlan-> get pki x509 cert 233832475
    -001 233832475  LOCAL CERT friendly name <27>
                    CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
                    1695,OU=support,O=juniper,C=US,
                    Expire on 05-08-2009 20:03, Issued By:
                    CN=JTAC,OU=Juniper,OU=net,
    Serial Number: <6132536c000000000002>
    subject alt name extension:
    email(1): (empty)
    fqdn(2): (ssg5-v92-wlan.jnpr.net)
    ipaddr(7): (empty)
    no renew
    finger print (md5) <da98859d c567dd63 acb3d3d3 ce4c9399>
    finger print (sha) <3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d>
    subject name hash: <24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>
    obj type: <1>
    use count: <1>
    flag <00000000>
     
    ssg5-v92-wlan-> set ssl enable
    ssg5-v92-wlan-> set ssl encrypt "rc4" "md5"
    ssg5-v92-wlan-> set ssl cert-hash "24290B213A02BAEFA29C380D739F60B63C1F54F5"
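    As an added example (not part of this KB), the following Python script turns the subject name hash printed by "get pki x509 cert" into the form "set ssl cert-hash" expects, and then confirms that the certificate the WebUI actually presents on the HTTPS management port has the MD5 and SHA fingerprints shown for the chosen local certificate. The hostname and port used to reach the firewall are assumptions.

```python
"""Verify that a ScreenOS WebUI serves the intended local certificate.

Added example, not from the KB article. Host and port below are assumptions;
the expected values are the ones the firewall printed for ID 233832475.
"""
import hashlib
import re
import ssl


def cert_hash_for_cli(subject_name_hash: str) -> str:
    """Convert 'subject name hash: <24290b21 3a02baef ...>' display form into
    the argument 'set ssl cert-hash' takes: 40 hex digits, no spaces, upper case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", subject_name_hash)
    if len(digits) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(digits)}")
    return digits.upper()


def screenos_fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER certificate, formatted like 'get pki x509 cert' prints it:
    lower-case hex in 8-character groups separated by single spaces."""
    hexdigest = hashlib.new(algo, der).hexdigest()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def matches_expected(der: bytes, expected_md5: str, expected_sha: str) -> bool:
    """True when both fingerprints of the served cert equal the firewall's values."""
    return (screenos_fingerprint(der, "md5") == expected_md5.strip().lower()
            and screenos_fingerprint(der, "sha1") == expected_sha.strip().lower())


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the WebUI presents. No chain validation is done here
    because the check below compares the certificate by fingerprint instead."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    EXPECTED_MD5 = "da98859d c567dd63 acb3d3d3 ce4c9399"
    EXPECTED_SHA = "3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d"
    print("set ssl cert-hash", cert_hash_for_cli("<24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>"))
    # Assumed management address; replace with the firewall's reachable name or IP.
    served = fetch_der("ssg5-v92-wlan.jnpr.net", 443)
    print("WebUI presents expected local cert:", matches_expected(served, EXPECTED_MD5, EXPECTED_SHA))
```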

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.