Installing a Certificate on a NetScreen Device

Article ID: KB4777  KB Last Updated: 25 Feb 2013  Version: 7.0
Summary:

Installing a Certificate on a NetScreen Device

Solution:

Note: This article applies to ScreenOS 5.0 and higher.

Once the Certificate Authority has verified and certified the information, a Digital Certificate will be generated. Typically, three files will be retrieved from the Certificate Authority:

  • Digital certificate for the device, referred to as a Local Certificate
  • CA Certificate
  • CRL Certificate

To install a certificate on a Juniper Firewall device, perform the following steps:

Step one: Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI


Step two: From the ScreenOS options menu, click Objects, and then click Certificates.

Image of step two
 

Step three: To load the Local Certificate: From the Show drop-down menu, click to select Local. To locate the file sent from the Certificate Authority and saved on the Administrative Client, click Browse. Select the file, and then click Load.

Image of step three
 

Note: Your Local Certificate will look similar to the image below.

Image of note
 

Step four: To load the CA Certificate: From the Show drop-down menu, click to select CA. To locate the CA Certificate file stored on the Administrative Client, click Browse. Select the file, and then click Load.

Image of step four
 

Step five: To load the CRL: From the Show drop-down menu, click to select CA. From the Load radio button, click to select CRL. To locate the CRL file, click Browse. Select the file, and then click Load.

Image of step five
 

Note: The loaded CA and CRL Certificates are displayed similar to the image below.

Image of note
 

Note: If the Local Certificate appears as Type CA, or if the certificate is difficult to load, the most likely cause is that the domain field is not configured. In that case, add the hostname and domain on the NetScreen device and start the key generation process over. One of the fields in the certificate request may need to be modified so that the CA treats it as a new certificate request.

This completes the generation and installation of certificates for the NetScreen device.

Step six: Now you are ready to generate a certificate on the NetScreen-Remote Client. For more information, go to Generating a Certificate on a NetScreen-Remote Client.

CLI:

The certificate can also be installed via the CLI. This requires a TFTP server, and the signed certificate and CRL must be placed on that TFTP server.

The commands are as follows:

exec pki x509 tftp <ip-address> cert-name certnew.cer
exec pki x509 tftp <ip-address> crl-name distrust.crl

To check the certificates that are installed on the firewall, use the following commands:

  • The command to check the local certificates is get pki x509 list local-cert.

  • The command to check CA certificates is get pki x509 list ca-cert.

  • The command to check CRL is get pki x509 list crl.

  • The command to check all X509 certificates is get pki x509 list cert.
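
TFTP provides no authentication or integrity protection, so it is worth checking the three files on the Administrative Client before they are loaded through the WebUI or placed on the TFTP server. The following is an added example, not part of the original article: it assumes OpenSSL is installed on the Administrative Client, and the function name check_cert_bundle and its exit codes are hypothetical. It confirms that the Local Certificate chains to the CA Certificate, that the CRL verifies under that CA and is current, and that the certificate is not listed as revoked.

```shell
#!/bin/sh
# Added example: offline check of the three files received from the CA.
# check_cert_bundle and its exit codes are hypothetical names for this sketch.

# Normalise a PEM or DER object to PEM. $1 is the openssl subcommand (x509|crl).
to_pem() {
    openssl "$1" -in "$2" -inform PEM -out "$3" 2>/dev/null ||
    openssl "$1" -in "$2" -inform DER -out "$3" 2>/dev/null
}

# Usage: check_cert_bundle LOCAL_CERT CA_CERT CRL
# 0 = chain, CRL signature/validity and revocation status all check out
# 1 = verification failed, 2 = unreadable file, 3 = no openssl or temp dir,
# 4 = a file is not a parseable certificate or CRL
check_cert_bundle() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 3; }
    tmp=$(mktemp -d) || return 3
    if ! { to_pem x509 "$1" "$tmp/local.pem" &&
           to_pem x509 "$2" "$tmp/ca.pem" &&
           to_pem crl "$3" "$tmp/crl.pem"; }; then
        echo "not a parseable certificate or CRL" >&2
        rm -rf "$tmp"
        return 4
    fi
    # Record what is about to be loaded (subject, issuer, serial, expiry).
    openssl x509 -in "$tmp/local.pem" -noout -subject -issuer -serial -enddate
    openssl crl -in "$tmp/crl.pem" -noout -nextupdate
    rc=0
    # -partial_chain: treat the supplied CA certificate as the trust anchor even
    # if it is an intermediate. -crl_check: reject a revoked certificate and a
    # CRL that is expired or not signed by that CA.
    openssl verify -partial_chain -CAfile "$tmp/ca.pem" \
        -crl_check -CRLfile "$tmp/crl.pem" "$tmp/local.pem" || rc=1
    rm -rf "$tmp"
    return "$rc"
}

# Example invocation (file names are placeholders for the CA's deliverables):
#   check_cert_bundle certnew.cer ca.cer distrust.crl && echo "bundle verified"
```

A non-zero result means the files should not be loaded until the mismatch is explained with the Certificate Authority.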