[Junos Space] Generating a replacement web Certificate for Junos Space CSR or Self-signed

Article ID: KB29266 KB Last Updated: 30 Jun 2020 Version: 3.0
Summary:

This article describes how to create a replacement Certificate for Junos Space.  

Options:

  • Certificate Signing Request (CSR) for your Certificate Authority (CA) to sign
  • Self-signed certificate
Symptoms:

Untrusted certificate errors on web browser

Solution:

To avoid web browser errors for untrusted certificates, a certificate needs to be created and signed by a Certificate Authority (CA). This can be a CA within your organization or a public CA. For a completely trusted certificate, it must be signed by a trusted CA, not self-signed.

Follow the steps below to A) generate the certificate signing request file OR B) generate a self-signed certificate. Then follow the steps in C) to apply the certificate to Space.
 

A. To generate the certificate signing request file (CSR):

  1. Pick the system to generate the certificate on, e.g., a system that has the openssl CLI.
  2. Download the CSR request config file.
    • Transfer the config file to the system with openssl, if needed.
    • It is recommended to use a "working" directory to keep the files together; however, it can be any directory name.
      Example:
      mkdir /home/admin/certificates
      cd /home/admin/certificates
  3. Extract the CSR request file:
    tar zxf KB29266_CSR_RequestFile.tgz
  4. Edit the config file "cert-req.conf" with an editor of your choosing and do the following:
    1. Update the Country, State, Locality, Organization, Common Name, Email with the correct values.
    2. Update the IP.1 field with the web IP address.  (This may or may not be retained, depending on the CA.)
    3. Uncomment "DNS.1" by removing the #, and replace 'domain.com' with the DNS name for the system.
    4. Save your changes.
  5. Generate the private key and the certificate signing request (CSR):
    openssl req -config cert-req.conf -new -newkey rsa:2048 -sha256 -keyout space_web.key  -out space_web.csr
    Provide a private key password when prompted.
    If desired, view the contents of the CSR for accuracy:
    openssl req -noout -text -in space_web.csr
  6. Forward space_web.csr to the Certificate Authority (CA) to generate the certificate.
OR

B. To generate a Self-Signed Certificate:

If a CA is not available, a self-signed certificate can be used. You will continue to see a self-signed certificate error in your browser, until you trust the certificate used in each PC/browser.

  1. Pick the system to generate the certificate on, e.g., a system that has the openssl CLI.
  2. Download the CSR request config file.
    • Transfer the config file to the system with openssl, if needed.
    • It is recommended to use a "working" directory to keep the files together; however, it can be any directory name.
      • Example:
        • mkdir /home/admin/certificates
        • cd /home/admin/certificates
  3. Extract:
    tar zxf KB29266_SelfSignedCert.tgz
  4. Edit the config file "self-config.conf" with an editor of your choosing and do the following:
    1. Update the Country, State, Locality, Organization, Common Name, Email with the correct values.
    2. Update the IP.1 field with the web IP address.  (This may or may not be retained, depending on the CA.)
    3. If a server DNS name has been configured, uncomment "DNS.1" by removing the #, and replace 'domain.com' with the DNS name for the system.
    4. Save your changes.
  5. Generate the certificate:
    • openssl req -x509 -days 365 -newkey rsa:2048 -keyout space_self_cert.key -out space_self_cert.pem -config self-config.conf -sha256
    • Duration is set to 1 year (365 days). A longer duration will be rejected by macOS.
    • Provide a private key password when prompted.
    • If desired, view the contents of the certificate for accuracy:
      • openssl x509 -noout -text -in space_self_cert.pem
  6. Apply space_self_cert.key and space_self_cert.pem to the system.



C. Apply Certificate to Space:

  1. Once you have the signed certificate, upload and install it on Junos Space.
    1. Provide the password for the private key created above when uploading the certificate to Space.
    2. If the upload to Space fails, try removing the password from the private key (provide the password when prompted):
      • openssl rsa -in space_web.key -out space_web_nopass.key
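
A pre-upload check for section C, added here as an example and not part of the Juniper article: it confirms that the certificate belongs to the private key, carries the expected IP.1/DNS.1 subject alternative name, and has not expired. The function name check_web_cert, the KEY_PASS variable and the sample host name and address are assumptions.

```shell
#!/bin/sh
# Added example (not Juniper's script): pre-upload check of a certificate/key pair.
# Usage: check_web_cert CERT_PEM KEY_FILE SAN_ENTRY
#   SAN_ENTRY is written the way openssl prints it, e.g. "DNS:space.example.com"
#   or "IP Address:192.0.2.10" (constructed sample values).
#   For a password-protected key, export KEY_PASS (hypothetical variable name) first.
# Returns 0 = ok, 1 = certificate unreadable, 2 = key unreadable or not the
#   certificate's key, 3 = SAN entry missing, 4 = certificate expired.
check_web_cert() {
    cert=$1; key=$2; san=$3

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1

    # Public key derived from the private key; both are printed as the same PEM block.
    if [ -n "${KEY_PASS:-}" ]; then
        key_pub=$(openssl pkey -in "$key" -pubout -passin env:KEY_PASS 2>/dev/null) || return 2
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    fi
    [ "$cert_pub" = "$key_pub" ] || return 2

    # Exact match against the comma-separated SAN list, so "DNS:a.example"
    # does not pass for a certificate that only carries "DNS:a.example.org".
    openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -qxF "$san" || return 3

    # -checkend 0 fails if the certificate is already past notAfter.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Stand-alone use: sh check.sh space_self_cert.pem space_self_cert.key "DNS:space.example.com"
if [ "$#" -eq 3 ]; then
    check_web_cert "$@"
    echo "check_web_cert exit code: $?"
fi
```

If the passphrase was removed as in step C.1.2, space_web_nopass.key is an unencrypted private key: restrict its file permissions and delete it once the upload succeeds.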
Modification History:
2020-06-30:  Updated the instructions for generating a CSR or self-signed certificate.
