Installing a Certificate on a NetScreen Device

  [KB4777]

Solution:

Note: This article applies to ScreenOS 5.0 and higher.

Once the Certificate Authority (CA) has verified the certificate request and certified the information in it, it issues a digital certificate. Typically, three files are retrieved from the CA:

  • The digital certificate for the device, referred to as the Local Certificate
  • The CA Certificate, which the device uses as its trust anchor when validating peer certificates
  • The Certificate Revocation List (CRL): a signed list of revoked certificate serial numbers, not a certificate itself

To install the certificates on the NetScreen device, perform the following steps:

Step one: Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI


Step two: From the ScreenOS options menu, click Objects, and then click Certificates.


Step three: Load the Local Certificate. From the Show drop-down menu, select Local. Click Browse, locate the Local Certificate file that the CA returned and that was saved on the administrative client, select it, and then click Load.

Step four: Load the CA Certificate. From the Show drop-down menu, select CA. Click Browse, locate the CA Certificate file stored on the administrative client, select it, and then click Load.

Step five: Load the CRL. From the Show drop-down menu, select CA. Under Load, select the CRL radio button. Click Browse, locate the CRL file, select it, and then click Load.

note: If the Local Certificate is listed as Type CA, or the certificate fails to load, the most likely cause is that the domain name was not configured on the device when the key pair and certificate request were generated. Configure the hostname and domain name on the NetScreen device, then generate a new key pair and certificate request. One of the fields in the request may need to be changed so that the CA treats it as a new request rather than a duplicate of the earlier one.

This completes the generation and installation of certificates on the NetScreen device.

Step six: You are now ready to generate a certificate on the NetScreen-Remote client. For more information, see Generating a Certificate on a NetScreen-Remote Client.

CLI:

The certificates can also be installed from the CLI. This requires a TFTP server that the firewall can reach; copy the signed certificate and the CRL to the TFTP server first. TFTP provides no authentication or integrity protection, so transfer the files over a trusted management network and confirm with the get commands below that the expected certificates were loaded. Use the cert-name form for certificate files (the CA Certificate is loaded the same way) and the crl-name form for the CRL.

The commands are as follows:

exec pki x509 tftp <ip-address> cert-name certnew.cer
exec pki x509 tftp <ip-address> crl-name distrust.crl
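The three files are easy to mix up on the administrative client, and the note above about a Local Certificate that shows up as Type CA is exactly the kind of problem a quick look at the files catches before anything is loaded. The following Python script is an added example, not part of this KB article and not ScreenOS or Juniper code. Using only the standard library, it walks the DER structure of each file, tells a certificate from a CRL, reads the subject common name and serial number, flags a certificate whose basicConstraints extension marks it as a CA, and checks whether the CRL already lists the Local Certificate's serial. The file names follow the CLI example above; ca.cer is an assumed name, and the sample files are constructed inside the script with placeholder keys and signatures, so the script does not verify signatures or the chain (the firewall does that when the certificates are loaded).

```python
"""Pre-load check for the three files a CA returns for a NetScreen: Local certificate, CA
certificate and CRL.  Constructed example with a minimal stdlib DER walker; not ScreenOS code."""
import base64
import re

OID_CN = bytes.fromhex("550403")                      # id-at-commonName, 2.5.4.3
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")       # id-ce-basicConstraints, 2.5.29.19
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def der_read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Decode the TLVs packed inside a constructed value (SEQUENCE, SET, [n])."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def to_der(data):
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)  # PEM (base64 .cer) or raw DER
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def name_cn(name_value):
    """commonName from an X.501 Name: SEQUENCE OF SET OF { type OID, value }."""
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_CN:
                return val.decode()

def classify(blob):
    """Certificate -> (kind, subject CN, serial); CRL -> ("crl", issuer CN, revoked serials)."""
    tbs = der_children(der_children(der_read(blob)[1])[0][1])
    seqs = [v for t, v in tbs if t == 0x30]
    # A TBSCertList has thisUpdate (UTCTime/GeneralizedTime) as a direct child; a TBSCertificate
    # keeps its dates inside the Validity SEQUENCE.  That is what tells the two apart.
    if any(t in (0x17, 0x18) for t, _ in tbs):
        revoked = der_children(seqs[2]) if len(seqs) > 2 else []   # seqs: sigalg, issuer, revoked
        return "crl", name_cn(seqs[1]), [int.from_bytes(der_children(e)[0][1], "big") for _, e in revoked]
    serial = int.from_bytes(next(v for t, v in tbs if t == 0x02), "big")
    is_ca = False
    for t, v in tbs:
        if t == 0xA3:                                  # [3] EXPLICIT Extensions (v3 only)
            for _, ext in der_children(der_children(v)[0][1]):
                fields = der_children(ext)             # extnID, [critical], extnValue
                if fields[0][1] == OID_BASIC_CONSTRAINTS:
                    bc = der_children(der_children(fields[-1][1])[0][1])
                    is_ca = any(bt == 0x01 and bv == b"\xff" for bt, bv in bc)
    return ("ca-cert" if is_ca else "local-cert"), name_cn(seqs[3]), serial  # seqs[3] = subject

def preload_check(files):
    """Classify every file and flag a Local certificate whose serial the CRL already lists."""
    kinds = {label: classify(to_der(data)) for label, data in files.items()}
    local = [k for k in kinds.values() if k[0] == "local-cert"]
    crls = [k for k in kinds.values() if k[0] == "crl"]
    return kinds, bool(local and crls and local[0][2] in crls[0][2])

# --- constructed sample files: structurally valid DER with placeholder keys and signatures ---
def der(tag, *parts):
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN), der(0x0C, cn.encode()))))

SIG_ALG = der(0x30, der(0x06, OID_SHA256_RSA), der(0x05))
DUMMY_BITS = der(0x03, b"\x00" * 9)                   # stands in for a key or a signature

def sample_cert(subject_cn, serial, ca):
    bc = der(0x30, der(0x01, b"\xff")) if ca else der(0x30)           # BasicConstraints { cA }
    exts = der(0xA3, der(0x30, der(0x30, der(0x06, OID_BASIC_CONSTRAINTS), der(0x01, b"\xff"), der(0x04, bc))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])), SIG_ALG, name("Example Issuing CA"),
              der(0x30, der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")), name(subject_cn),
              der(0x30, SIG_ALG, DUMMY_BITS), exts)
    return der(0x30, tbs, SIG_ALG, DUMMY_BITS)

def sample_crl(revoked_serials):
    entries = [der(0x30, der(0x02, bytes([s])), der(0x17, b"240115000000Z")) for s in revoked_serials]
    tbs = der(0x30, der(0x02, b"\x01"), SIG_ALG, name("Example Issuing CA"), der(0x17, b"240101000000Z"),
              der(0x17, b"240201000000Z"), der(0x30, *entries))
    return der(0x30, tbs, SIG_ALG, DUMMY_BITS)

FILES = {  # names follow the KB's CLI example; "ca.cer" is an assumed name for the CA certificate file
    "certnew.cer": b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample_cert("fw1.example.net", 0x11, False)) + b"-----END CERTIFICATE-----\n",
    "ca.cer": sample_cert("Example Issuing CA", 0x01, True),
    "distrust.crl": sample_crl([0x07, 0x2A]),
}

if __name__ == "__main__":
    kinds, revoked = preload_check(FILES)
    print(*(f"{f}: {k}" for f, k in kinds.items()), f"Local certificate revoked by CRL: {revoked}", sep="\n")
```

Run as is, the script classifies the constructed files; point FILES at the real files (read as bytes) to check a genuine CA delivery before the Load steps or the TFTP transfer. It only confirms that each file is the kind of object the corresponding Load step expects and that the CA has not already revoked the device certificate; a full signature and chain check belongs to an X.509 toolkit such as OpenSSL.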

To check which certificates are installed on the firewall, use the following commands:

  • Local certificates: get pki x509 list local-cert
  • CA certificates: get pki x509 list ca-cert
  • CRLs: get pki x509 list crl
  • All X.509 certificates: get pki x509 list cert