
[ScreenOS] Where can I download the Juniper Networks DSA Public Key (imagekey.cer) file, and how do I load/install the imagekey.cer file?

  [KB8729]


Summary:
All ScreenOS software images bear the Juniper digital signature. The digital signature guarantees the authenticity and integrity of the software you download and use on your Firewall device.

This article covers where to download the Image Key, how to load it, and how to check whether the key is loaded.
Symptoms:
Environment:
  • ScreenOS Image Authentication
  • Integrity of the ScreenOS Image
  • Image Key
Symptoms & Errors:
  • Where can I download imagekey.cer file for firmware authentication?
  • How do I ensure a ScreenOS Image downloaded is not corrupt or has not been compromised?
  • When is the WebUI "Image Key Update" function used?
  • How do I install the Juniper Networks DSA public key or imagekey.cer file?
  • Juniper Networks DSA public key file missing
  • Unable to configure FIPS mode
  • When enabling FIPS mode, the following error message is reported:
    ssg-> set fips-mode enable
    Juniper Networks DSA public key file missing.
    This is required for image authentication.
    Please install it before attempting to enable FIPS mode
Solution:
A.  The ScreenOS Image Key (FIPS imagekey.cer certificate / DSA Public Key) can be downloaded from the following locations:
Juniper Network Certifications  or  ScreenOS Enterprise MIBs & Radius Dictionary

Look for the title 'ScreenOS Image Key' and download the file, image_key.zip, which contains 2 files:
imagekey.cer
image_key_readme.pdf


The image_key_readme.pdf also contains instructions for loading the Image Authentication Certificate, checking that the certificate is installed, and authenticating a ScreenOS image.
 
Note:  The 'old' digital certificate will expire on November 15, 2008.  While the 'old' certificate will continue to function and will continue to authenticate images past the expiration date, Juniper recommends that customers who are using the feature upgrade to the new certificate in order to ensure proper authentication in the future. 

The imagekey.cer file is the same file for all ScreenOS versions.  It supports ScreenOS version 2.6.1 and greater.

B.  To install/load the image key on the firewall:

  1. Load the imagekey.cer file using the WebUI or CLI

    WebUI
     
    1. Browse to Configuration > Update > ScreenOS/Keys
    2. Select Image Key Update
    3. Browse to or enter the directory path of the downloaded imagekey.cer file
    4. Click Apply

    CLI
    save image-key tftp [location of file] [image key filename]
    Example:
    save image-key tftp 1.1.1.1 imagekey.cer
    Refer to image_key_readme.pdf for instructions on checking that the Certificate is installed.
  2. After the image key is installed, the next time your device boots a ScreenOS image from flash, it uses the authentication certificate to check the ScreenOS signature embedded in the file. The authentication effort produces one of the following two results:
    If the key is installed successfully and the ScreenOS image is valid, the following message is displayed on the console:
    Image authenticated!

    If the Firewall image key cannot authenticate the ScreenOS image, the ScreenOS image will not save to flash, and instead the firewall will either prompt you to load another image, or automatically reboot and load the previously saved image. The following message is displayed on the console:
    ********Invalid DSA signature
    *******Bogus Image - not authenticated
  3. If FIPS is required, execute the CLI command:
    set fips-mode enable
Note:  For additional information, refer to:  PSN-2008-11-083: ScreenOS Image Authentication Certification Expiration Notice
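
When console output from upgrades is captured, the messages quoted in step 2 and in the FIPS error above can be classified automatically, including the case where a rejected image is followed by a reboot into the previously saved image. The Python below is an added example, not Juniper code: the function names and sample transcripts are constructed, and it assumes the previously saved image prints the same success message when it boots.

```python
import re

# Console strings quoted in this article. The leading asterisks are optional
# so a capture that trims them still matches.
PATTERNS = [
    ("rejected", re.compile(r"^\**\s*(Invalid DSA signature|Bogus Image - not authenticated)")),
    ("authenticated", re.compile(r"^Image authenticated!")),
    ("key-missing", re.compile(r"^Juniper Networks DSA public key file missing")),
]

def events(transcript):
    """Return the ordered image-authentication events found in a console capture."""
    found = []
    for line in transcript.splitlines():
        line = line.strip()
        for name, pattern in PATTERNS:
            if pattern.match(line):
                # The two rejection lines describe one failed check; record it once.
                if not (name == "rejected" and found and found[-1] == "rejected"):
                    found.append(name)
                break
    return found

def verdict(transcript):
    """Summarise a capture. A rejection anywhere outranks a later success,
    because a rollback to the old image also ends with a success message."""
    seen = events(transcript)
    if not seen:
        return "no-evidence"
    if "rejected" in seen:
        return "rejected-then-rollback" if seen[-1] == "authenticated" else "rejected"
    return seen[-1]

# Constructed sample captures (not real device logs).
GOOD = "Image authenticated!\n"
ROLLBACK = ("********Invalid DSA signature\n"
            "*******Bogus Image - not authenticated\n"
            "(constructed: device reboots)\n"
            "Image authenticated!\n")
NO_KEY = ("ssg-> set fips-mode enable\n"
          "Juniper Networks DSA public key file missing.\n"
          "This is required for image authentication.\n")

if __name__ == "__main__":
    for name, capture in (("good", GOOD), ("rollback", ROLLBACK), ("no-key", NO_KEY)):
        print(name, verdict(capture))
```

A plain search for "Image authenticated!" would report the rollback capture as a success; checking the ordered events is what separates the two outcomes.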
 
Modification History:
2017-12-23: Article reviewed for accuracy. Tagged the article as ScreenOS in title. Article is correct and complete.