[EOL/EOE] NSM TLS Certificate FAQ

Article ID: KB14948 KB Last Updated: 18 Oct 2020 Version: 2.0
Summary:
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Starting with the 2008 version, NSM uses a certificate to communicate between the NSM GUI and Server.
Symptoms:
TLS Certificate expired on 20th July 2009. What is this certificate used for?
Solution:
The TLS certificate on the NSM Client and NSM Server expired on 20th July 2009. To obtain the new certificate, refer to KB14842.


Related questions regarding the TLS Certificate:
  • Why is the private key in the certificate included in the update zip file?
    The private key is included because the server uses a Self-Signed certificate and needs a private key for decryption and validation.
  • Are all server.pem files shipped with NSM the same or are they generated for each NSM server during the install?
    They are the same and not generated dynamically per installation.
  • Did the CA certificate or the Self-Signed certificate expire?
    Both the Self-Signed certificate and CA certificate expired on 20th July 2009.
  • Is Juniper replacing everyone with the same key pair?
    Yes
  • Is the system vulnerable since the key pair has been made available to all?
    No. Both application layer security and transport layer security are involved in communication between Client and Server.

    TLS is only transport layer security; there is also application-level security, which is NSM's username/password mechanism. Once a session is established, all communication is again in binary format, and NSM uses proprietary data structures for all further communication.

    The GUI-Server connection is TLS based, so RSA certificates are used for authentication and to generate a per-session key, which is always unique for each new session. In effect, these RSA certificates are not used for the full lifetime of the session; they are used only in the initial handshake for authentication and symmetric key exchange.
  • How do we generate a Self-Signed Certificate for communication between NSM Client and Server?
    Refer to KB14949 (CSC login required) for instructions on how to generate a Self-Signed certificate for use between NSM Client and Server.
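
The following shell functions are an added example, not part of the Juniper article. They use the openssl CLI to check the points this FAQ raises about a server.pem file: its expiry, whether it is self-signed, and whether two installations carry the same certificate. The function names and the file paths passed to them are assumptions.

```shell
#!/bin/sh
# Added example: inspect a server.pem that holds a certificate and its
# private key in one file. Requires the openssl command-line tool.
# Function names are hypothetical; file paths are supplied by the caller.

# SHA-256 fingerprint of the first certificate found in the PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate expires within $2 seconds (0 = already expired).
# An unreadable file also counts as "expiring" so that it gets attention.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeeds if subject and issuer are identical, the usual sign of a
# self-signed certificate.
cert_is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Succeeds if both PEM files carry the same certificate, for example two
# installations that still use the identical shipped server.pem.
same_certificate() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Print a short report for one file; returns 1 if the certificate is expired.
audit_server_pem() {
    echo "file:        $1"
    echo "fingerprint: $(cert_fingerprint "$1")"
    openssl x509 -in "$1" -noout -enddate
    if cert_is_self_signed "$1"; then
        echo "self-signed: yes"
    else
        echo "self-signed: no"
    fi
    if cert_expires_within "$1" 0; then
        echo "status:      EXPIRED"
        return 1
    fi
    echo "status:      valid"
}
```

After sourcing the file, run `audit_server_pem` on the server.pem of each installation, and use `same_certificate` on two of them to see whether they still share the shipped certificate or have been moved to their own.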
Modification History:
2020-10-18: Tagged article for EOL/EOE.
 