Installing a Certificate on a NetScreen Device

Article ID: KB4777 KB Last Updated: 13 Mar 2020 Version: 8.0
Summary:

Installing a Certificate on a NetScreen Device

Solution:

This article applies to ScreenOS 5.0 and higher.

Once the Certificate Authority has verified and certified the information, a Digital Certificate will be generated. Typically, three files will be retrieved from the Certificate Authority:

  • Digital certificate for the device, referred to as a Local Certificate
  • CA Certificate
  • CRL Certificate

To install a certificate on a Juniper Firewall device using the WebUI, perform the following steps:

  1. Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
  2. From the ScreenOS options menu, click Objects, and then click Certificates.
  3. To load the Local Certificate:
    1. From the Show drop-down menu, select Local.
    2. To locate the file sent from the Certificate Authority and saved on the Administrative Client, click Browse.
    3. Select the file, and then click Load.

      Note: Your Local Certificate will look similar to the image below.


  4. To load the CA Certificate:
    1. From the Show drop-down menu, select CA.
    2. To locate the CA Certificate file stored on the Administrative Client, click Browse.
    3. Select the file, and then click Load.
  5. To load the CRL:
    1. From the Show drop-down menu, select CA.
    2. From the Load radio button, click to select CRL.
    3. To locate the CRL file, click Browse.
    4. Select the file, and then click Load.

      Note: The loaded CA and CRL Certificates will display similar to the image below.


      Note: If the Local Certificate appears as Type CA, or if there is difficulty in loading the certificate, most likely this is due to the domain field not being configured. If this is the case, add the hostname and domain on the NetScreen device and begin the key generation process over. One of the fields on the certificate request may need to be modified to identify this as a new certificate request to the CA.

      This completes the generation and installation of certificates for the NetScreen device.

  6. Now you are ready to generate a certificate on the VPN Client.


Via the CLI:

The certificate can also be installed via the CLI. For this, a TFTP server is required, and the signed certificate and CRL must be loaded onto the TFTP server.

The commands are as follows:

exec pki x509 tftp <ip-address> cert-name certnew.cer
exec pki x509 tftp <ip-address> crl-name distrust.crl

To check the certificates that are installed on the firewall, use the following commands:

  • The command to check the local certificates is get pki x509 list local-cert.

  • The command to check CA certificates is get pki x509 list ca-cert.

  • The command to check CRL is get pki x509 list crl.

  • The command to check all X509 certificates is get pki x509 list cert.
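
TFTP provides no authentication or integrity protection, so it is worth confirming on the Administrative Client that the three files retrieved from the Certificate Authority belong together before they are loaded through the WebUI or placed on the TFTP server. The script below is an added example, not part of the original article or of ScreenOS; it assumes the OpenSSL command-line tool is installed, and the file name ca.cer and the function names are illustrative.

```shell
#!/bin/sh
# Added example: sanity-check the three CA files before they go to the firewall.
# Paths are supplied by the caller; nothing here talks to the device.

# Normalise a certificate or CRL to PEM, accepting either PEM or DER input.
# $1 = openssl subcommand (x509 | crl), $2 = input file, $3 = output file
to_pem() {
    openssl "$1" -inform PEM -in "$2" -out "$3" 2>/dev/null ||
    openssl "$1" -inform DER -in "$2" -out "$3" 2>/dev/null
}

# check_ca_files LOCAL_CERT CA_CERT CRL
# Returns 0 if all checks pass, 1 if any check fails, 2 if a file is unreadable.
check_ca_files() {
    tmp=$(mktemp -d) || return 2
    if ! { to_pem x509 "$1" "$tmp/local.pem" &&
           to_pem x509 "$2" "$tmp/ca.pem" &&
           to_pem crl  "$3" "$tmp/crl.pem"; }; then
        echo "FAIL: could not parse one of the input files" >&2
        rm -rf "$tmp"; return 2
    fi
    rc=0
    # 1. The Local Certificate must have been issued by the supplied CA Certificate.
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/local.pem" >/dev/null 2>&1 ||
        { echo "FAIL: local certificate does not chain to the CA certificate" >&2; rc=1; }
    # 2. The CRL must carry a valid signature from the same CA.
    openssl crl -in "$tmp/crl.pem" -CAfile "$tmp/ca.pem" -noout 2>&1 |
        grep -q "verify OK" ||
        { echo "FAIL: CRL is not signed by the CA certificate" >&2; rc=1; }
    # 3. The CRL must be currently valid and must not list the Local Certificate.
    if [ "$rc" -eq 0 ]; then
        openssl verify -crl_check -CAfile "$tmp/ca.pem" -CRLfile "$tmp/crl.pem" \
            "$tmp/local.pem" >/dev/null 2>&1 ||
            { echo "FAIL: CRL is not currently valid or lists the local certificate" >&2; rc=1; }
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use (ca.cer is an assumed name for the CA Certificate file):
#   sh check_ca_files.sh certnew.cer ca.cer distrust.crl
if [ "$#" -eq 3 ]; then
    check_ca_files "$@"
fi
```
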
Modification History:
2020-03-13: minor non-technical edits.