[ScreenOS] Where can I download the Juniper Networks DSA Public Key (imagekey.cer) file, and how do I load/install the imagekey.cer file?

Article ID: KB8729   KB Last Updated: 28 Dec 2018   Version: 9.0
Summary:
All ScreenOS software images bear the Juniper digital signature. The digital signature guarantees the authenticity and integrity of the software you download and use on your Firewall device.

This article explains where to download the Image Key, how to load it, and how to check whether the key is loaded.
Symptoms:
Environment:
  • ScreenOS Image Authentication
  • Integrity of the ScreenOS Image
  • Image Key
Symptoms & Errors:
  • Where can I download imagekey.cer file for firmware authentication?
  • How do I ensure a ScreenOS Image downloaded is not corrupt or has not been compromised?
  • When is the WebUI "Image Key Update" function used?
  • How do I install the Juniper Networks DSA public key or imagekey.cer file?
  • Juniper Networks DSA public key file missing
  • Unable to configure FIPS mode
  • When enabling FIPS mode, the following error message is reported:
    ssg-> set fips-mode enable
    Juniper Networks DSA public key file missing.
    This is required for image authentication.
    Please install it before attempting to enable FIPS mode
Solution:
A.  The ScreenOS Image Key (FIPS imagekey.cer certificate / DSA Public Key) can be downloaded from the following locations:
Juniper Network Certifications  or  ScreenOS Enterprise MIBs & Radius Dictionary

Look for the title 'ScreenOS Image Key' and download the file, image_key.zip, which contains 2 files:
  • imagekey.cer
  • image_key_readme.pdf

The image_key_readme.pdf also contains instructions for loading the image authentication certificate, checking that the certificate is installed, and authenticating a ScreenOS image.
 
Note:  The 'old' digital certificate will expire on November 15, 2008.  While the 'old' certificate will continue to function and will continue to authenticate images past the expiration date, Juniper recommends that customers who are using the feature upgrade to the new certificate in order to ensure proper authentication in the future. 

The imagekey.cer file is the same file for all ScreenOS versions.  It supports ScreenOS version 2.6.1 and greater.

B.  To install/load the image key on the firewall:

  1. Load the imagekey.cer file using the WebUI or CLI

    WebUI
     
    1. Browse to Configuration > Update > ScreenOS/Keys
    2. Select Image Key Update
    3. Browse to or enter the directory path of the downloaded imagekey.cer file
    4. Click Apply

    CLI
    save image-key tftp [location of file] [image key filename]
    Example:
    save image-key tftp 1.1.1.1 imagekey.cer
    Refer to image_key_readme.pdf for instructions on checking that the Certificate is installed.
  2. After the image key is installed, the next time your device boots a ScreenOS image from flash, it uses the authentication certificate to check the ScreenOS signature embedded in the file. The authentication effort produces one of the following two results:
    If the key is installed successfully and the ScreenOS image is valid, the following message is displayed on the console:
    Image authenticated!

    If the Firewall image key cannot authenticate the ScreenOS image, the ScreenOS image will not save to flash, and instead the firewall will either prompt you to load another image, or automatically reboot and load the previously saved image. The following message is displayed on the console:
    ********Invalid DSA signature
    *******Bogus Image - not authenticated
  3. If FIPS is required, execute the CLI command:
    set fips-mode enable
Note:  For additional information, refer to:  PSN-2008-11-083: ScreenOS Image Authentication Certification Expiration Notice
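
The following Python script is an added example, not part of the Juniper article or image_key_readme.pdf: it triages saved console captures from several firewalls for the authentication messages quoted above. The device names, the outcome labels, and every capture line other than the quoted messages are constructed assumptions.

```python
# Console messages quoted in this article, mapped to an outcome label.
# The labels themselves are assumptions made for this example.
MESSAGES = {
    "Image authenticated!": "authenticated",
    "Invalid DSA signature": "rejected",
    "Bogus Image - not authenticated": "rejected",
    "Juniper Networks DSA public key file missing": "key_missing",
}
# Triage order: a rejection anywhere in a capture outranks a later success,
# because the device may have fallen back to a previously saved image.
SEVERITY = ["rejected", "key_missing", "authenticated"]

def find_events(lines):
    """Return (line_number, outcome) for every console line that matches."""
    events = []
    for number, line in enumerate(lines, start=1):
        for text, outcome in MESSAGES.items():
            if text in line:
                events.append((number, outcome))
                break
    return events

def device_status(lines):
    """Collapse one capture to its most severe outcome, or 'no_evidence'."""
    seen = {outcome for _, outcome in find_events(lines)}
    for outcome in SEVERITY:
        if outcome in seen:
            return outcome
    return "no_evidence"

# Constructed sample captures; hostnames and surrounding lines are invented.
CAPTURES = {
    "fw-a": ["Loading image from flash", "Image authenticated!", "login:"],
    "fw-b": ["********Invalid DSA signature",
             "*******Bogus Image - not authenticated",
             "Image authenticated!"],   # fell back to the saved image
    "fw-c": ["ssg-> set fips-mode enable",
             "Juniper Networks DSA public key file missing."],
    "fw-d": ["Loading image from flash", "login:"],
}

def triage(captures):
    """Map each device name to its status."""
    return {name: device_status(lines) for name, lines in captures.items()}

if __name__ == "__main__":
    for name, status in sorted(triage(CAPTURES).items()):
        print(f"{name}: {status}")
```

A status of no_evidence means only that none of the quoted messages appear in that capture; confirm the key is installed on such devices using the steps in image_key_readme.pdf.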
 
Modification History:
2017-12-23: Article reviewed for accuracy. Tagged the article as ScreenOS in title. Article is correct and complete.
