[EX] Generating and installing SSL certificate to be used for Secure Web Access

Article ID: KB19726 | KB Last Updated: 13 Mar 2020 | Version: 5.0
Summary:

This article provides information on generating and installing the SSL certificate to be used for Secure Web Access for the EX Series switch.

HTTPS is the most secure way to access the web management interface. To access the EX-Series switches through HTTPS, you must first install an SSL certificate. There are several ways to do this:

  • Generate a custom self-signed certificate on the switch. (KB21718)
  • Generate a local certificate on the switch. (system-generated-certificate)
  • Insert an SSL certificate generated by OpenSSL on a BSD or Linux system.
  • Insert a trusted CA certificate by other means.

Note: The first three methods allow you to access J-Web through HTTPS. However, because these certificates are not signed by a certificate authority (CA), they will not offer additional security features and you may get an "Invalid certificate" alarm in some browsers. For more information, see: Generating Self-Signed Digital Certificates

Symptoms:
To access the EX-Series switches through HTTPS.
Solution:

Procedure to generate an SSL certificate on a Linux or BSD system and install it on an EX-Series switch:

  1. Generate an SSL certificate on the Unix server (BSD, Linux, and so on).

    The following OpenSSL command generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file. (In this example, the Unix server created a certificate file named test_Cert.pem).

    bash-2.05b$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout test_Cert.pem -out test_Cert.pem
  2. When prompted, type the appropriate information in the identification form. For example, type US for the country name.

  3. Check that the file named test_Cert.pem has been created.

    bash-2.05b$ ls -l test_Cert.pem

    -rw-r--r-- 1 ***** support 2132 Dec 30 21:10 test_Cert.pem
  4. Make sure that this file has the following two sections:

    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    and
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  5. Use FTP to copy the PEM-format self-signed certificate to the target switch (in this example, it is copied to the /var/tmp directory of the switch).

    Switch@user> file list /var/tmp detail
    /var/tmp/:
    total blocks: 4276224
    -rw-r--r--  1 user  group       1362 Oct 16 11:11 trace_debug
    -rw-r--r--  1 user  group        108 Aug 9   2016 package.log
    -rw-r--r-- 1 juniper wheel      2132 Dec 30 18:51 test_Cert.pem

    Switch@user% exit
  6. Create the local X.509 certificate (in this example, it is named cert_01).

    Switch@user# set security certificates local cert_01 load-key-file /var/tmp/test_Cert.pem
  7. Enable the HTTPS service with the local certificate named cert_01 on port 443 (the default port).

    Switch@user# set system services web-management https local-certificate cert_01 interface me0.0 port 443
  8. Commit and check the HTTPS under web-management:

    Switch@user# run show configuration system services
    ftp;
    ssh {
        root-login allow;
        protocol-version v2;
    }
    telnet;
    web-management {
        https {
            port 443;
            local-certificate cert_01;
            interface me0.0;
        }
    }

  9. You can now access J-Web by entering the corresponding link in your browser: https://ip_address_of_me0.0.

Note: To add certificates via J-Web, refer to KB19595
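
The check in step 4 can be scripted. The following is an added example, not part of the Juniper article: one shell function verifies the BEGIN/END pairs of the key and certificate sections, and a second flags permissions such as the -rw-r--r-- shown in the listings above, which leave the unencrypted private key readable by other local users. The function names and the sample file are constructed for illustration; the check accepts both `BEGIN RSA PRIVATE KEY` and the `BEGIN PRIVATE KEY` header that newer OpenSSL releases write, and treating an encrypted key as a failure is an assumption based on the -nodes option in step 1.

```shell
# check_pem_bundle FILE: return 0 when FILE holds exactly one unencrypted
# private key section and at least one certificate section, each with a
# matching BEGIN/END pair. Findings go to stdout.
check_pem_bundle() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        # Encrypted key: PKCS#8 header, or legacy Proc-Type line in the body.
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/ || /^Proc-Type: 4,ENCRYPTED/ { enc = 1 }
        /^-----BEGIN / { if (want != "") bad = 1  # BEGIN inside an open section
                         want = $0; sub(/BEGIN/, "END", want); next }
        /^-----END /   { if ($0 != want) bad = 1  # END does not match its BEGIN
                         else if ($0 ~ /PRIVATE KEY-----$/) keys++
                         else if ($0 == "-----END CERTIFICATE-----") certs++
                         want = ""; next }
        END {
            if (want != "") bad = 1               # last section never closed
            if (bad)       print "FAIL: unmatched BEGIN/END lines"
            if (keys != 1) print "FAIL: private key sections found: " (keys + 0)
            if (certs < 1) print "FAIL: no certificate section"
            if (enc)       print "FAIL: key is encrypted (step 1 uses -nodes)"
            exit (bad || keys != 1 || certs < 1 || enc)
        }' "$1"
}

# key_is_owner_only FILE: return 0 when group and other have no access bits.
key_is_owner_only() {
    case $(ls -ld -- "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "WARN: $1 is accessible to group/other (consider chmod 600)"; return 1 ;;
    esac
}

# write_sample_bundle FILE: constructed sample, placeholder base64 bodies only.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed sample; run the two checks on test_Cert.pem instead.
f=${TMPDIR:-/tmp}/sample_bundle.$$.pem
write_sample_bundle "$f" && check_pem_bundle "$f" && echo "OK: bundle structure"
key_is_owner_only "$f" || true
rm -f "$f"
```

These checks are structural only: they do not confirm that the private key belongs to the certificate.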

Modification History:

2020-03-13: Updated command in step 5 of the solution.
2020-02-18: Added links to related KB and technical documentation, as well as clarification notes and other minor changes.
