[SRX] Generating a CSR in SRX using J-Web



Article ID: KB36786
KB Last Updated: 31 May 2021
Version: 1.0

This article demonstrates how to generate a PKCS10 certificate signing request (CSR) and load the signed certificate in SRX devices by using J-Web. 


When a certificate has to be signed by the CA, the first step is to generate a CSR either within the SRX device or externally. This article shows how a CSR is generated within the SRX device by using J-Web.

Upon receiving the CSR, the CA will verify the information supplied by the entity or the user and generate an X.509 certificate. After that, the certificate is signed digitally by the CA.

The following items are provided by the CA upon successful signing:

  • Root CA certificate

  • Intermediate CA certificate (if any)

  • Signed Local certificate or End Entity certificate

  • CRL (Optional)

Note: SRX devices support certificates only in PEM (.pem) format. If the CA provides the certificate in any other format, it must be converted externally to PEM. For more information, refer to KB33506 - [SRX] Adding a P12/PKCS12 format certificate with Private Keys to an SRX device.

J-Web Procedure

This procedure was executed on an SRX1500 device running Junos OS version 20.2R1.10.

Step 1: Generating the CSR in the SRX Device

  1. Log in to the SRX device via J-Web. 

  2. Navigate to Administration > Certificate Management > Device Certificates and click the "+" icon. 

  3. Under Certificate Type, select Local Certificate, enter any text string of your choice as the Certificate ID, and select a Key Size. Fill in the remaining necessary information. 

  4. Click OK. The Status will now show as Pending Signing and the Signature Status will be CSR. Click CSR to download the generated request.

Step 2: Loading the Signed Local Certificate or End Entity Certificate 

  1. Navigate to Administration > Certificate Management > Device Certificates and click Pending Signing.

  2. Under the File path for Certificate, select the signed End Entity certificate provided by your CA. 

  3. Click OK. The Status is now displayed as Expires in xx day(s) and the Signature Status as Signed.

Step 3: Loading the Root CA Certificate

  1. Navigate to Administration > Certificate Management > Certificate Authority Group and click Import.

  2. For CA Group Name, enter any text string. For File path for CA Group, select your Root CA certificate. 

  3. Click OK and you will be notified with a success message.

  4. The procedure is the same for loading the Intermediate CA certificate: use a different CA Group Name and select the Intermediate CA certificate as the file.
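
The following shell script is an added example, not part of the original Juniper article. It runs on an administrator workstation with OpenSSL and checks, before Steps 2 and 3, that the files returned by the CA are PEM, that the signed certificate carries the public key from the downloaded CSR, and that it chains to the Root CA. The function names and file arguments are assumptions chosen for illustration, and the CSR downloaded from J-Web is assumed to be PEM-encoded.

```shell
#!/bin/sh
# Workstation checks on the files a CA returns for an SRX-generated CSR.
# Assumes OpenSSL is installed and the CSR downloaded from J-Web is PEM.

# True if the file is a PEM-encoded X.509 certificate (header present, parses).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# Convert a DER-encoded certificate to PEM: der_to_pem <in.der> <out.pem>
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# True if the signed certificate carries the public key from the CSR, i.e.
# it belongs to the key pair generated on the SRX in Step 1.
cert_matches_csr() {
    _csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    _crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$_csr_key" ] && [ "$_csr_key" = "$_crt_key" ]
}

# True if the certificate chains to the root CA, optionally through an
# intermediate: chain_ok <root.pem> <cert.pem> [intermediate.pem]
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# preflight <csr> <signed-cert> <root-ca> [intermediate-ca]
# Returns 0 when all checks pass, 1 format, 2 key mismatch, 3 chain failure.
preflight() {
    is_pem_cert "$2" || { echo "FAIL: $2 is not a PEM certificate"; return 1; }
    is_pem_cert "$3" || { echo "FAIL: $3 is not a PEM certificate"; return 1; }
    cert_matches_csr "$1" "$2" || { echo "FAIL: certificate key does not match CSR"; return 2; }
    chain_ok "$3" "$2" "${4:-}" || { echo "FAIL: certificate does not chain to $3"; return 3; }
    echo "OK: files are PEM, key matches CSR, chain verifies"
}

if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

A key-mismatch result usually means the CA signed a different request than the one still pending on the device, so the certificate cannot be paired with the private key held on the SRX.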

Common Troubleshooting Steps

"Failed to import the device certificate" is a generic error message that can occur for various reasons. To determine the reason for the failure, PKI traceoptions must be configured on the SRX device.
