Knowledge Search


×
 

[ScreenOS] How to manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall

  [KB16739] Show KB Properties

  [KB16739] Hide KB Properties

Categories:
Knowledge Base ID: KB16739
Last Updated: 03 Feb 2016
Version: 5.0

Summary:

This article provides information on how to manually generate a new system self-signed certificate to replace the expired system self-signed certificate, without resetting the firewall.

Symptoms:

The system self-signed certificate has expired and when a new one is manually generated, it still shows the expired date.

Cause:
 

Solution:

The process to automatically generate a new system self-signed certificate is to delete the expired system self-signed certificate and then reset the device. A new system self-signed certificate will be automatically generated when the device comes back up.

However, in certain operating environments, resetting the firewall is not an option. In such cases, the process to manually generate a new system self-signed certificate, without resetting the firewall, is provided in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03, in the "Manually Creating Self-Signed Certificates" section.

However, prior to performing this procedure, you have to delete the expired system self-signed certificate:

delete pki object-id system
When the deletion is complete, perform the following procedure, as mentioned in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03:
  1. Define the certificate attributes:
    set pki x509 dn name 4ssl
    set pki x509 dn org-name abc123
    set pki x509 cert-fqdn www.abc123.com
    save
  2. Generate the public/private key pair. To generate a public/private key pair, which the Juniper Networks security device uses in its certificate request, use the following command:
    exec pki rsa new-key 2048
    After the security device generates a key pair, it composes the following certificate request:
    -----BEGIN CERTIFICATE REQUEST-----
    MIIB0jCCATsCAQAwZTENMAsGA1UEChMESk5QUjEZMBcGA1UEAxMQMDA0MzAyMjAw
    MjAwMDE4NjEQMA4GA1UEAxMHcnNhLWtleTEYMBYGA1UEAxMPd3d3Lmp1bmlwZXIu
    bmV0MQ0wCwYDVQQDEwQ1c3NsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP
    aAtelkL4HxQmO1w1jv9NMmrWnzdVYnGrKrXnw2MaB3xEgouWrlymEkZetA2ouKeA
    D24SL0h1YvJ7Sd9PvkhwHOnvP1zkOCWA84TgvxBzcAyeBnS1UpSwcC0admX0Da6T
    80EUuGrmUWodddRFUc8o5d2VGTUOM7WgcFDZRSGQGwIDAQABoC0wKwYJKoZIhvcN
    AQkOMR4wHDAaBgNVHREEEzARgg93d3cuanVuaXBlci5uZXQwDQYJKoZIhvcNAQEF
    BQADgYEAgvDXI4H905y/2+k4omo9Y4XQrgq44Rj3jqXAYYMgQBd0Q8HoyL5NE3+i
    QUkiYjMTWO2wIWzEr4u/tdAISEVTu03achZa3zIkUtn8sD/VYKhFlyPCBVvMiaHd
    FzIHUgBuMrr+awowJDG6wARhR75w7pORXy7+aAmvIjew8YRre9s=
    -----END CERTIFICATE REQUEST-----
    To learn the ID number for the key pair, use the following command:
    get pki x509 list key-pair

    Getting OTHER PKI OBJECT ...
    IDX ID num X509 Certificate Subject Distinguish Name
    ========================================================
    0000 176095259
    CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
    O=jnpr,
    ========================================================
  3. Generate the self-signed certificate. Use the following command, which references the key-pair ID number that was learned from the output of the previous command:
    exec pki x509 self-signed-cert key-pair 176095259 (from output of previous command)
    To view the newly created self-signed certificate, use the following command:
    get pki x509 list local-cert

    Getting LOCAL CERT ...
    IDX ID num X509 Certificate Subject Distinguish Name
    ========================================================
    0000 176095261 LOCAL CERT friendly name <29>
    LOCAL CERT friendly name <29>
    CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
    O=jnpr,
    Expire on 10-19-2009 17:20, Issued By:
    CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
    O=jnpr,
    ========================================================
    To view the certificate in more detail, run the following command by using the ID number of the certificate:
    get pki x509 cert 176095261 (from output of previous command)

    -0001 176095261 LOCAL CERT friendly name <29>
    CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
    Expire on 10-19-2009 17:20, Issued By:
    CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
    Serial Number: <9d1c03365a5caa172ace4f82bb5ec9da>
    subject alt name extension:
    email(1): (empty)
    fqdn(2): (www.juniper.net)
    ipaddr(7): (empty)
    no renew
    finger print (md5) <be9e0280 02bdd9d1 175caf23 6345198e>
    finger print (sha) <87e0eee0 c06f9bac 9098bd02 0e631c1b 26e37e0e>
    subject name hash: <d82be8ae 4e71a576 2e3f06fc a98319a3 5c8c6c27>
    use count: <1>
    flag <00000000>
    You can copy the subject name and fingerprint from this output and communicate it to other administrators who intend to use SSL when managing the security device. When they initiate an SSL connection, they can then use this information to ensure that the certificate they receive is indeed from the security device.

  4. Assign the certificate for use with SSL.To assign the new system self-signed certificate for use with HTTP for SSL, refer to KB11496 - How to change the certificate used for SSL (HTTPS) WebUI Management:
    set ssl enable
    set ssl encrypt "rc4" md5
    set ssl cert-hash "d82be8ae4e71a5762e3f06fca98319a35c8c6c27"
    (from hash of previous command)
    To verify this last step:
    get ssl
    web SSL enable.
    web SSL port number(443).
    web SSL cert: initialized.
    Subject DN(CN=self-signed,CN=4ssl,CN=www.abc123.net,CN=rsa-key,CN=0043022002000186,O=abc123)
    web SSL cipher(RC4_MD5).

Purpose:
Implementation

Related Links:

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.