[ScreenOS] How to change the certificate that is used for SSL (HTTPS) WebUI Management

Article ID: KB11496 KB Last Updated: 27 Jan 2015 Version: 8.0
Summary:

This article provides information on how to change the certificate that is used for SSL (HTTPS) WebUI Management.

Symptoms:

Beginning with ScreenOS 5.1, the firewall creates its own self-signed certificate, which is used for SSL (HTTPS) WebUI management. Customers may want to use their own certificate, which is signed by their own CA (Certificate Authority).

Cause:

Solution:
  1. Load the CA certificate on the firewall.
  2. Generate a PKCS certificate request for the CA to sign.
  3. Load the local certificate on the firewall.
  4. Via the WebUI, go to Configuration > Admin > Management and change the certificate from Default - System Self-Signed Cert to the Local certificate.
  5. Via the CLI, use the following commands:
    get pki x509 list local-cert
    get pki x509 cert <ID num>
    set ssl cert-hash <subject name hash>
    
    For example:
    ssg5-v92-wlan-> get pki x509 list local-cert
     
    Getting LOCAL CERT ...
    IDX  ID num     X509 Certificate Subject Distinguish Name
    ================================================================================
    0000 233832475  LOCAL CERT friendly name <27>
                    CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
                    1695,OU=support,O=juniper,C=US,
                    Expire on 05-08-2009 20:03, Issued By:
                    CN=JTAC,OU=Juniper,OU=net,
    ================================================================================
     
     
    ssg5-v92-wlan-> get pki x509 cert 233832475
    -001 233832475  LOCAL CERT friendly name <27>
                    CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
                    1695,OU=support,O=juniper,C=US,
                    Expire on 05-08-2009 20:03, Issued By:
                    CN=JTAC,OU=Juniper,OU=net,
    Serial Number: <6132536c000000000002>
    subject alt name extension:
    email(1): (empty)
    fqdn(2): (ssg5-v92-wlan.jnpr.net)
    ipaddr(7): (empty)
    no renew
    finger print (md5) <da98859d c567dd63 acb3d3d3 ce4c9399>
    finger print (sha) <3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d>
    subject name hash: <24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>
    obj type: <1>
    use count: <1>
    flag <00000000>
     
    ssg5-v92-wlan-> set ssl enable
    ssg5-v92-wlan-> set ssl encrypt "rc4" md5
    ssg5-v92-wlan-> set ssl cert-hash "24290B213A02BAEFA29C380D739F60B63C1F54F5"
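
The conversion in step 5 from the `subject name hash` line to the `set ssl cert-hash` argument, as an added example (not Juniper's code): it parses saved `get pki x509 cert` output, refuses an expired certificate or one whose SHA fingerprint differs from a value recorded when the certificate was issued, and returns the command. The function names, the `expected_sha` parameter and the MM-DD-YYYY reading of the expiry date are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the `get pki x509 cert` output shown in this article.
SAMPLE = """\
-001 233832475  LOCAL CERT friendly name <27>
                CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
                1695,OU=support,O=juniper,C=US,
                Expire on 05-08-2009 20:03, Issued By:
                CN=JTAC,OU=Juniper,OU=net,
finger print (md5) <da98859d c567dd63 acb3d3d3 ce4c9399>
finger print (sha) <3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d>
subject name hash: <24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>
"""

def _hex_field(text, label):
    """Return the <...> value after `label` as upper-case hex without spaces."""
    m = re.search(re.escape(label) + r":?\s*<([0-9a-fA-F ]+)>", text)
    if not m:
        raise ValueError(f"{label!r} not found in output")
    return m.group(1).replace(" ", "").upper()

def parse_cert(text):
    """Extract the fields needed to bind a local certificate to SSL."""
    info = {
        "subject_hash": _hex_field(text, "subject name hash"),
        "sha_fingerprint": _hex_field(text, "finger print (sha)"),
    }
    if len(info["subject_hash"]) != 40:
        raise ValueError("subject name hash is not 20 bytes")
    m = re.search(r"Expire on (\d{2}-\d{2}-\d{4} \d{2}:\d{2})", text)
    # Assumption: the device prints the expiry date as MM-DD-YYYY.
    info["expires"] = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M") if m else None
    return info

def ssl_cert_hash_command(text, expected_sha=None, now=None):
    """Build `set ssl cert-hash ...`; reject expired or unexpected certificates."""
    info = parse_cert(text)
    now = now or datetime.now()
    if info["expires"] and info["expires"] <= now:
        raise ValueError(f"certificate expired on {info['expires']:%Y-%m-%d}")
    wanted = re.sub(r"[^0-9A-Fa-f]", "", expected_sha or "").upper()
    if expected_sha and wanted != info["sha_fingerprint"]:
        raise ValueError("SHA fingerprint does not match the expected certificate")
    return f'set ssl cert-hash "{info["subject_hash"]}"'

if __name__ == "__main__":
    # The article's certificate expired in 2009, so pin "now" before that date.
    print(ssl_cert_hash_command(SAMPLE, now=datetime(2009, 1, 1)))
```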
