Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to load a PKI X.509 certificate using J-Web for secure web access



Article ID: KB36784 KB Last Updated: 24 May 2021Version: 1.0

This article demonstrates how to load a PKI X.509 certificate when a certificate signing request (CSR) is generated externally for secure web access using J-Web.


When a certificate has to be signed by the CA, the first step is to generate a CSR either within the SRX device or externally. This article assumes that the CSR is generated externally and that it has been sent to the CA to get the signed certificate. 

Upon receiving the CSR, the CA will verify the information supplied by the entity or the user and generate an X.509 certificate. After that, the certificate is signed digitally by the CA. 

The following items are provided by the CA upon successful signing:

  • Root CA certificate

  • Intermediate CA certificate (if any)

  • Signed Local certificate or End Entity certificate

  • Private Key

  • CRL (Optional)

  • Passphrase

Note: The SRX device supports the certificate only in the .pem format. So, if the CA provides the certificate in any other format, it must be converted externally to PEM. For more information, refer to KB33506 - [SRX] Adding a P12/PKCS12 format certificate with Private Keys to an SRX device.

J-Web Procedure

This procedure has been tested on an SRX1500 device that is running Junos OS Release 20.2R1.10.

Step 1: Loading the Local Certificate or End Entity Certificate

  • Log in to the SRX device by using J-Web.

  • Navigate to Administration > Certificate Management > Device Certificates and click Import.

  • Select the Type as Externally Generated Certificate and Certificate ID as any text string that you want. File path for Certificate should be your End Entity certificate signed by your CA; File path for Private Key should be your Private Key; and Passphrase should be the password provided by your CA. 

  • Click OK. You should receive a message, stating that the device certificate was successfully imported.

Step 2: Loading the Root CA certificate

  • Navigate to Administration > Certificate Management > Certificate Authority Group and click Import.

  • Select CA Group Name as any text string. File path for CA Group should be your Root CA certificate.

  • Click OK. You will then be notified with a success message.

  • The procedure is the same for loading the Intermediate CA certificate; the only difference is that you have to give a different CA Group Name and should load the Intermediate CA certificate.

Step 3: Configuring J-Web to Use the Loaded Certificate

  • Navigate to Configure > Device Settings > Basic Settings > Management Access Configuration and select Services

  • Under Services, you will find HTTPS Certificate and PKI Certificate.

  • In the HTTPS Certificate section, use the drop-down list to select pki-local-certificate and in the PKI Certificate section, use the drop-down list to select the appropriate Certificate ID. 

  • After you have made your selection, click Save and Commit.

Step 4: (Optional) Loading the CRL

  • Navigate to Administration > Certificate Management > Trusted Certificate Authority. Select the check box for the required CA Profile and click Import

  • Your selected CA should be highlighted in the CA Profile Name. Select your CRL file under File Path for CRL

  • Click OK and the CRL will be successfully loaded.


Common Troubleshooting Steps

  • One of the common error messages that you may see while loading the certificate via J-Web is "Please select a valid Certificate/Private Key file, such as abc.pem". If you receive this error message, it means that the certificate or the private key or both have been loaded in a different format than PEM. 

  • Although you provided both the certificate and the private key in PEM format, you may receive the error "Failed to import the device certificate". This is a generic error message and can be due to various reasons. In order to determine the reason for the failure, PKI traceoptions must be configured in the SRX device. 

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search