Generating a Certificate on a NetScreen Device

Article ID: KB4776 | KB Last Updated: 20 Dec 2019 | Version: 7.0
Summary:
This article provides information on how to generate a certificate on a NetScreen device.
Symptoms:
How to generate a certificate on a NetScreen device.
Solution:
Note: This article is applicable to ScreenOS 4.0, 5.0 and 6.0.

To generate a certificate on a NetScreen device, perform the following procedure:

  1. Open the WebUI. For more information on accessing the WebUI, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.
  2. From the NetScreen options menu, click Configuration, and then click Date/Time.

  3. From the Date/Time page, click Sync Clock With Client.

    Note: Certificates are very time sensitive; they have active dates and expiration dates. If the clock on your system is not current, you may not be able to build a VPN.
  4. Ensure that the Automatically adjust clock for daylight savings changes option on your computer clock (Date/Time) is enabled, and then click Yes.

  5. From the NetScreen options menu, click Network, and then click DNS.

  6. In the Host Name text box, enter a host name. In the Domain Name text box, enter a domain name. In the Primary DNS Server text box, enter the IP address of the DNS server.
    Note: These values are used as peer IDs in IKE exchanges. Once the RSA key pair has been generated, the host name and domain name must not be changed.

  7. Click Apply.

    Note: Once the clock is in sync and the host and domain names have been configured, the public/private key pair and the certificate signing request (CSR) file can be generated. The CSR contains the identification information that is sent to the Certificate Server, which in turn issues the certificate for the device.

  8. From the NetScreen options menu, click Objects, and then click Certificates.

  9. Click New.
  10. Complete the following form. Contact your Certificate Authority to identify which fields are required.
    Note: If an e-mail address is not included in the local certificate request, an e-mail address cannot be used as the local IKE ID when the NetScreen device is configured as a dynamic peer. Instead, use a Fully Qualified Domain Name (FQDN) if it is in the local certificate, or leave the local ID field empty.

    By default, the NetScreen device sends its hostname.domainname. If you do not specify a local ID for a dynamic peer, enter the hostname.domainname of that peer in the Peer ID field on the device at the other end of the IPSec tunnel.

    Select the appropriate key pair length. If using the certificate for SSL, be sure to use a bit length that the web browser also supports.

  11. Click Generate.
    A message confirming that the request has been generated is displayed.

    When Generate is clicked, an RSA private/public key pair is created. The RSA private key is stored in a secure part of flash; it is not viewable, nor does it need to be.

    The public key, together with the device identity information entered in the form, is written to the CSR file, which is saved on the PC. This file is given to the Certificate Authority for processing.
  12. Click Save To File.

  13. The file is saved on the PC.
  14. Submit the file to the Certificate Authority. Contact your Certificate Authority or Certificate Server vendor for assistance.
    The local certificate will show as not yet created, but the key pair has been created and is ready to be submitted to the Certificate Authority for processing.


  15. Now you are ready to install the certificate on the NetScreen device. For more information, go to KB4777 - Installing a Certificate on a NetScreen Device.

    Via the CLI:

    When the request is generated from the CLI, the certificate request is printed on the CLI and is also sent to the specified e-mail address.
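As an added example, not from this article or from Juniper, the same key pair and request can be produced with OpenSSL on the PC and the saved CSR checked before it goes to the CA: the CN must be the hostname.domainname configured in step 6, the key length must be the one chosen in step 10, and an e-mail address must be present if it is to serve as the local IKE ID. The host name, domain name and address used are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the KB article: generate a key pair and CSR with
# OpenSSL on the PC (the equivalent of steps 10-11) and check the CSR before
# submitting it to the CA. Host "fw1", domain "example.net" and the e-mail
# address used in the usage note are constructed sample values.

# Generate an RSA key pair and a PKCS#10 CSR whose CN is hostname.domainname
# (step 6) and which carries an e-mail address, as the note under step 10
# requires when e-mail is to be the local IKE ID.
make_csr() {
    fqdn="$1"; email="$2"; bits="$3"; keyfile="$4"; csrfile="$5"
    openssl req -new -newkey "rsa:$bits" -nodes -keyout "$keyfile" \
        -out "$csrfile" -subj "/CN=$fqdn/emailAddress=$email" 2>/dev/null
}

# Pre-submission checks: CN equals the configured hostname.domainname, the
# key is at least min_bits long, an e-mail address is present when the local
# IKE ID will be an e-mail address, and the CSR's self-signature verifies.
# Prints each failed check and returns 1 if any check fails.
check_csr() {
    csrfile="$1"; fqdn="$2"; min_bits="$3"; need_email="$4"; rc=0
    # Strip spaces so both "CN = x" (OpenSSL 1.1+) and "/CN=x" (1.0) match.
    subject=$(openssl req -in "$csrfile" -noout -subject | tr -d ' ')
    case "$subject" in
        *"CN=$fqdn" | *"CN=$fqdn,"* | *"CN=$fqdn/"*) ;;
        *) echo "CN does not match $fqdn: $subject"; rc=1 ;;
    esac
    bits=$(openssl req -in "$csrfile" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] \
        || { echo "key too short: ${bits:-unknown} < $min_bits bits"; rc=1; }
    if [ "$need_email" = yes ]; then
        case "$subject" in
            *emailAddress=*) ;;
            *) echo "no e-mail address in CSR; it cannot be the local IKE ID"; rc=1 ;;
        esac
    fi
    openssl req -in "$csrfile" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR self-signature does not verify"; rc=1; }
    return "$rc"
}
```

Typical use is `make_csr fw1.example.net vpn@example.net 2048 fw1.key fw1.csr` followed by `check_csr fw1.csr fw1.example.net 2048 yes`; a zero exit status means the request is consistent with the device's DNS settings and intended IKE ID.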
Modification History:
2019-12-15: Content reviewed for accuracy; images updated 