This article describes how to generate and install the SSL certificate used for secure web access (HTTPS) on EX Series switches.
HTTPS is the most secure way to reach the web management interface. To access an EX Series switch over HTTPS, you first need to install an SSL certificate. There are several ways to do this:
- Generate a custom self-signed certificate on the switch (KB21718).
- Generate a local certificate on the switch (system-generated-certificate).
- Install an SSL certificate generated with OpenSSL on a BSD or Linux system.
- Install a certificate signed by a trusted CA, obtained by any of several means.
Note: The first three methods let you access J-Web over HTTPS. However, because these certificates are not signed by a certificate authority (CA), browsers cannot verify the identity of the switch, so they offer no additional assurance beyond encryption and some browsers will raise an "Invalid certificate" warning. For more information see: Generating Self-Signed Digital Certificates
Procedure to generate and install a Linux or BSD SSL certificate on an EX Series switch:
1. Generate an SSL certificate on the Unix server (BSD, Linux, and so on).
The following OpenSSL command generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format. It writes both the certificate and an unencrypted 1024-bit RSA private key to the specified file (in this example, the Unix server creates a certificate file named test_Cert.pem).
bash-2.05b$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout test_Cert.pem -out test_Cert.pem
2. When prompted, type the appropriate information in the identification form. For example, type US for the country name.
3. Check that the file named test_Cert.pem has been created.
bash-2.05b$ ls -l test_Cert.pem
-rw-r--r-- 1 ***** support 2132 Dec 30 21:10 test_Cert.pem
4. Make sure that this file has the following two sections:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
and
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
5. FTP the self-signed PEM certificate to the target switch (in this example, it is copied to the /var/tmp directory of the switch).
Switch@user> file list /var/tmp detail
/var/tmp/:
total blocks: 4276224
-rw-r--r-- 1 user group 1362 Oct 16 11:11 trace_debug
-rw-r--r-- 1 user group 108 Aug 9 2016 package.log
-rw-r--r-- 1 juniper wheel 2132 Dec 30 18:51 test_Cert.pem
Switch@user% exit
6. Create the local X.509 certificate (named cert_01 in this example) from the uploaded key file.
Switch@user# set security certificates local cert_01 load-key-file /var/tmp/test_Cert.pem
7. Enable the HTTPS service with the local certificate cert_01 on port 443 (the default port). The service keyword is lowercase https in the Junos CLI:
Switch@user# set system services web-management https local-certificate cert_01 interface me0.0 port 443
8. Commit and verify the HTTPS configuration under web-management:
Switch@user# run show configuration system services
ftp;
ssh {
root-login allow;
protocol-version v2;
}
telnet;
web-management {
https {
port 443;
local-certificate cert_01;
interface me0.0;
}
}
9. You can now access J-Web by entering the switch's address in your browser: https://ip_address_of_me0.0.
Note: To add certificates via J-Web, refer to KB19595.
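As an added example that is not part of the KB article: a POSIX shell script that checks the PEM file from step 1 before it is copied to the switch. It verifies the two sections step 4 asks for (also accepting the PKCS#8 "BEGIN PRIVATE KEY" marker that newer OpenSSL releases write instead of "BEGIN RSA PRIVATE KEY"), confirms the key is unencrypted as -nodes produces, and, when openssl is on the path, confirms the key's modulus matches the certificate's. All function names are my own; only the file name test_Cert.pem comes from the article.

```shell
#!/bin/sh
# Pre-upload check for the combined key + certificate PEM file that the
# "openssl req -x509 -nodes ..." command above writes. File name test_Cert.pem
# comes from the article; every function name here is my own.

# Return 0 when the file holds both sections the switch expects: a private key
# block (either "RSA PRIVATE KEY" or the PKCS#8 "PRIVATE KEY" marker) and a
# certificate block.
pem_has_both_sections() {
    f="$1"
    grep -q -- '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$f" || return 1
    grep -q -- '-----END \(RSA \)\{0,1\}PRIVATE KEY-----' "$f" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f"
}

# Return 0 when the private key is stored unencrypted, as -nodes produces.
# An encrypted traditional PEM key carries a "Proc-Type: 4,ENCRYPTED" header.
pem_key_is_unencrypted() {
    ! grep -q 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Confirm the key belongs to the certificate by comparing the RSA modulus of
# each, then print the subject and expiry. Skipped when openssl is unavailable.
pem_key_matches_cert() {
    f="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping modulus check" >&2; return 0; }
    kmod=$(openssl rsa -noout -modulus -in "$f" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$f" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    openssl x509 -noout -subject -enddate -in "$f"
}

# Run all checks; a non-zero exit means the file should not be loaded with
# "set security certificates local ... load-key-file".
check_pem_for_switch() {
    f="$1"
    pem_has_both_sections "$f" || { echo "$f: missing private key or certificate section" >&2; return 1; }
    pem_key_is_unencrypted "$f" || { echo "$f: private key is encrypted, regenerate with -nodes" >&2; return 1; }
    pem_key_matches_cert "$f" || { echo "$f: private key does not match the certificate" >&2; return 1; }
    echo "$f: OK, ready to copy to /var/tmp on the switch"
}

# Usage: sh check_pem.sh test_Cert.pem
if [ $# -eq 1 ]; then
    check_pem_for_switch "$1"
fi
```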
2020-03-13: Updated command in step 5 of the solution.
2020-02-18: Added links to the related KB and technical documentation, as well as clarification notes and other minor formatting changes.