[STRM/JSA] Example: Create a Certificate Signing Request (CSR) to request a signed SSL certificate

[KB30789]


Summary:

To request a signed SSL certificate from a certificate authority (CA), a CSR file must be provided. This article provides the steps to create the CSR and request a signed SSL certificate for JSA appliances. The steps to install the signed certificate on the JSA device are included too.

Solution:

Note: The following example is for appliances that have WebUI access enabled and was captured on 2014.8 code; changes in more recent code are noted below. This corresponds to JSA Console and AIO installations. Other installation options, such as EP, FP, EC, FC, and EP-FP combo, do not require a signed SSL certificate since they do not have WebUI access.

For more information on this example, refer to the section SSL Certificate Replacement in the Administration guide.

  1. To start the creation of the CSR file, run the following command, changing the values as required:
    # openssl req -nodes -newkey rsa:<bits> -keyout <private_key_file> -out <csr_file>

    Example: openssl req -nodes -newkey rsa:2048 -keyout this_server.key -out CSR_key.csr
    where this_server.key is the name of the new private key file and CSR_key.csr is the name of the CSR file. The -nodes option leaves the private key unencrypted, which the install script in step 5 requires.

  2. Right after running this command, a series of prompts for the Distinguished Name (DN) is displayed. Fill them out accordingly.
    Example:

    [root@JSA_3800]# openssl req -nodes -newkey rsa:2048 -keyout this_server.key -out CSR_key.csr
    Generating a 2048 bit RSA private key
    ..........................+++
    .............................+++
    writing new private key to 'this_server.key'

    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Sunnyvale
    Organization Name (eg, company) [Default Company Ltd]:Juniper
    Organizational Unit Name (eg, section) []:JSA
    Common Name (eg, your name or your server's hostname) []:VJSA
    Email Address []:JSAkb@juniper.net

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:JuniperNetworks!
    An optional company name []:jnpr
    [root@JSA_3800]#

  3. Then change to the directory /etc/pki/tls/ to find the newly generated CSR file and private key:
    [root@JSA_3800 tls]# ls
    cert.pem certs misc this_server.key openssl.cnf private CSR_key.csr
  4. Send only the .csr file (never the .key file) to a certificate authority such as VeriSign or Thawte; they will return the signed SSL certificate.

  5. Once you receive the signed certificate, install it on the JSA device:
    1. Via a root CLI connection, access the appliance where the SSL certificate is to be installed.
    2. Type the following command: /opt/qradar/bin/install_ssl_cert.sh -i
       (in versions 7.3 and higher, the script name changed to install-ssl-cert.sh)
    3. Type the directory path:
      a. of your private/public key file, OR
      b. if you are using an intermediate certificate, of your intermediate certificate.

      Note: Do not encrypt the private key when you install or replace an SSL certificate.
    4. Type Y to accept.
    5. Press Enter to continue.
  6. After the signed certificate is installed successfully, restart the hostcontext service:
    service hostcontext restart

    For versions of code 7.3 and higher, use the command 'systemctl restart hostcontext'. The SSL certificate will then be active on the JSA appliance.
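As an added example (not part of the KB article), the following shell functions run the same openssl request non-interactively and sanity-check the result before the CSR leaves the appliance: the CSR's self-signature verifies, the private key is unencrypted as the install script requires, and the CSR's public key matches the key file. The DN values are the ones from the transcript above; the file names and the openssl CLI being installed are assumptions.

```shell
#!/bin/sh
# Added example, not the KB article's own commands. Assumes the openssl CLI
# is installed. DN values are the constructed ones from the article's transcript.

# make_csr KEYFILE CSRFILE CN
# Same request as the article, but -subj replaces the interactive DN prompts
# and -batch guarantees nothing waits for input (usable from scripts).
make_csr() {
    key="$1"; csr="$2"; cn="$3"
    openssl req -nodes -newkey rsa:2048 -keyout "$key" -out "$csr" -batch \
        -subj "/C=US/ST=California/L=Sunnyvale/O=Juniper/OU=JSA/CN=$cn" \
        >/dev/null 2>&1
}

# check_csr KEYFILE CSRFILE
# Returns 0 only if all three hold:
#   1. the CSR's self-signature verifies (file is intact, not truncated),
#   2. the private key is NOT encrypted (install-ssl-cert.sh requires this),
#   3. the public key inside the CSR matches the private key file.
check_csr() {
    key="$1"; csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # Both PKCS#8 ("ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED")
    # formats carry the word ENCRYPTED when a passphrase was used.
    grep -q 'ENCRYPTED' "$key" && return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# csr_cn CSRFILE
# Prints the Common Name embedded in the CSR, so the hostname the CA will
# certify can be confirmed before the request is sent.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}
```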


Modification History:
2019-08-28: Corrected the restart commands to reflect the current software release; additional minor format changes.
2019-10-29: Added clarification, new command/script information for 7.3 code, removed old links to docs.