Technical Documentation

scio ssl

Syntax

scio ssl option argument

Description

Manages SSL server keys and certificate authorities (CA) used by the IDP Series device to inspect SSL traffic. Also manages the whitelist of destination servers you want to exempt from decryption and IDP processing.

Options

Table 1 describes scio ssl options and arguments and provides examples of command syntax.

Table 1: Command Reference: scio ssl

Options | Usage and Examples

list all

Lists all stored SSL keys. Each IDP Series device can store 100 server private keys and 100 servers per key.


[root@defaulthost admin]# scio ssl list all
[root@defaulthost admin]#

list key key-id

Lists all servers associated with a particular key.


[root@defaulthost admin]# scio ssl list key Key-1
[root@defaulthost admin]#

add key key-path [password password-string] [server server-ip]

Adds a key with an optional password and an associated server.

Use SCP or FTP to copy your SSL server private key file to the IDP appliance. The IDP appliance does not run an FTP server, so you have to initiate the FTP session from the IDP appliance.

Keys must be based on RSA and be in PEM format. We have verified support for the following RSA private key lengths: 1024 bits, 2048 bits, 3072 bits, and 4096 bits.


[root@defaulthost admin]# scio ssl add key /tmp/server.key password P@ss-Strong! server 10.1.1.1
[root@defaulthost admin]#
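The page requires the key you copy to the appliance to be an RSA private key in PEM format with one of the verified lengths. The following pre-flight check is an added example (not part of the IDP documentation or the scio tool): it parses a PEM "RSA PRIVATE KEY" (PKCS#1) block with a minimal DER reader, reads the modulus, and reports whether the length is one of the verified values. The DER encoder and `make_sample_pem` exist only to construct a placeholder key of the right shape for the demonstration; its integers are not a usable key pair. Accepting only the traditional PKCS#1 header is an assumption of this check, not a statement about what the appliance accepts.

```python
"""Pre-flight check for an RSA private key before `scio ssl add key`.

Added example, not IDP code. Verifies a PEM PKCS#1 "RSA PRIVATE KEY" and
reports whether its modulus length is one of the lengths the page lists.
"""
import base64
import re

# Lengths the page says have been verified for scio ssl add key
VERIFIED_BITS = {1024, 2048, 3072, 4096}
PEM_RE = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----\s*(.+?)\s*-----END RSA PRIVATE KEY-----",
    re.S,
)


# --- minimal DER helpers (encoding is used only to build the sample key) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:            # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem_text):
    """Bit length of the RSA modulus in a PKCS#1 PEM private key."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("not a PEM 'RSA PRIVATE KEY' block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#1 key must start with a SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)          # version INTEGER (0)
    if tag != 0x02 or int.from_bytes(version, "big") != 0:
        raise ValueError("unexpected PKCS#1 version")
    tag, modulus, _ = _read_tlv(body, pos)          # modulus n
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(modulus, "big").bit_length()


def check_key(pem_text):
    """Return (modulus_bits, is_verified_length)."""
    bits = rsa_modulus_bits(pem_text)
    return bits, bits in VERIFIED_BITS


def make_sample_pem(bits):
    """Constructed PKCS#1 structure with placeholder integers (not a real key)."""
    n = (1 << (bits - 1)) | 1                  # odd integer with exactly `bits` bits
    fields = [0, n, 65537] + [1] * 6           # version, n, e, d, p, q, dp, dq, qinv
    der = der_seq(*(der_int(v) for v in fields))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    for bits in (2048, 1536):
        print(bits, check_key(make_sample_pem(bits)))
```

Run it against the real file with `check_key(open("/tmp/server.key").read())` before issuing `scio ssl add key`; a key that is not PKCS#1 PEM raises `ValueError`, and a length outside the verified set returns `False` as the second element.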

add server server-ip key key-id

Associates the specified server with the specified key.


[root@defaulthost admin]# scio ssl add server 10.1.1.1 key server.key
[root@defaulthost admin]#

delete all

Clears the SSL keystore.


[root@defaulthost admin]# scio ssl delete all
[root@defaulthost admin]#

delete key key-id [server server-ip ]

Deletes a particular SSL key from the SSL keystore. To delete a key-server association but not the key, use the server option.


[root@defaulthost admin]# scio ssl delete key server.key server 10.1.1.1
[root@defaulthost admin]#

ca {create country-code state locality organization organization-unit common-name e-mail [nbits] | delete | export | show}

Use these options to configure the CA used by the SSL forward proxy feature.

Command arguments correspond with the values you want to set for the CA:

  • country-code – A two-letter code. This is the C value in the certificate.
  • state – A string. This is the ST value in the certificate.
  • locality – A string. This is the L value in the certificate.
  • organization – A string. This is the O value in the certificate.
  • organization-unit – A string. This is the OU value in the certificate.
  • common-name – A string. This is the CN value in the certificate.
  • e-mail – An e-mail address. This should be an administrative e-mail address for the issuer.
  • nbits – The RSA private key length. We have verified support for the following RSA private key lengths: 1024 bits, 2048 bits, 3072 bits, and 4096 bits. If you do not specify this option, the key length defaults to 1024 bits.

Note: Enclose strings that are phrases in single quotation marks.

The following example creates a root self-signed CA used by the SSL forward proxy feature:


[root@defaulthost admin]# scio ssl ca create US CA Sunnyvale 'Juniper Networks Inc.' 'SSL Inspection policy' 'Juniper IT Services' 'admin@juniper.net' 1024

The following example displays the CA settings:


[root@defaulthost admin]# scio ssl ca show
serial=8E0012848A2D7CCD
subject= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection policy/CN=Juniper IT Services/emailAddress=admin@juniper.net
issuer= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection policy/CN=Juniper IT Services/emailAddress=admin@juniper.net
notBefore=Jun 25 22:13:23 2009 GMT
notAfter=Jun 23 22:13:23 2019 GMT

The following example prints to the screen the CA in PEM format. You can copy this to a file and then import this CA into SSL clients, enabling them to validate and trust certificates signed by the IDP Series device:


[root@defaulthost admin]# scio ssl ca export
-----BEGIN CERTIFICATE-----
[base64-encoded certificate body omitted]
-----END CERTIFICATE-----

Deleting a CA effectively turns off the SSL forward proxy feature. The following example deletes the CA:


[root@defaulthost admin]# scio ssl ca delete
[root@defaulthost admin]#

whitelist {import filepathname | export }

Imports or exports a whitelist file. A whitelist file is a list of IP addresses and domain names for destination servers for which traffic should not be inspected. The file must be reachable by the filepathname you specify. We recommend you store the file in the IDP Series device /tmp directory.

Traffic that matches a whitelist entry is passed through (not decrypted or inspected).

The following example shows the format of a whitelist file:

10.0.0.1
1.0.0.0/8
70.34.21.82
trustedsite.com
landing.trustedsearch.com

Each line in the whitelist file specifies the IP address or domain name for a destination server. To whitelist multiple sites with one entry, you can use an IP prefix to match address blocks and a domain suffix to include all subdomains.

The domain name in your whitelist should match the common name entry in the certificate presented by the destination server. For example, suppose the certificate for the E-Trade HTTPS server contains the following subject:

C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, OU=Global Information Security, CN=us.etrade.com

You can whitelist this site by adding either us.etrade.com or the domain suffix etrade.com to your whitelist file.
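The following is an added example (not part of the IDP documentation or the appliance's own matching code) that applies the whitelist rules described above to a destination: an exact IP or IP-prefix entry exempts matching addresses, and a domain entry exempts that name and its subdomains, compared against the CN of the certificate the destination server presents. The sample whitelist is a copy of the file shown on this page; the exact matching semantics of the appliance are inferred from the page's description and are an assumption of this example. The suffix comparison requires a label boundary, so an entry `etrade.com` exempts `us.etrade.com` but not an unrelated name such as `notetrade.com`.

```python
"""Whitelist matching for SSL inspection bypass (added example, not IDP code).

Entries are IP addresses, IP prefixes, domain names or domain suffixes, one
per line, as in the whitelist file format shown on this page.
"""
import ipaddress

# Constructed copy of the sample whitelist file from the page
SAMPLE_WHITELIST = """\
10.0.0.1
1.0.0.0/8
70.34.21.82
trustedsite.com
landing.trustedsearch.com
"""


def parse_whitelist(text):
    """Split entries into (ip networks, domain suffixes); blank lines are ignored."""
    networks, domains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                       # a file with one empty line clears the list
        try:
            # a bare address becomes a /32 (or /128) network
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.append(line.lower().rstrip("."))
    return networks, domains


def subject_cn(subject):
    """Extract the CN from a 'C=US, ST=..., CN=host' style subject line."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return None


def ip_whitelisted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def name_whitelisted(name, domains):
    """Exact match or subdomain match on a label boundary (never a bare suffix)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def should_bypass(dest_ip, cert_subject, whitelist_text):
    """True if traffic to dest_ip (with the given server certificate subject)
    should pass through without decryption or inspection."""
    networks, domains = parse_whitelist(whitelist_text)
    if ip_whitelisted(dest_ip, networks):
        return True
    cn = subject_cn(cert_subject) if cert_subject else None
    return bool(cn) and name_whitelisted(cn, domains)


if __name__ == "__main__":
    subj = ("C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, "
            "OU=Global Information Security, CN=us.etrade.com")
    print(should_bypass("1.2.3.4", None, SAMPLE_WHITELIST))              # prefix hit
    print(should_bypass("192.0.2.10", subj, SAMPLE_WHITELIST))           # not listed
    print(should_bypass("192.0.2.10", subj, SAMPLE_WHITELIST + "etrade.com\n"))
```

Running the same function over a proposed whitelist before importing it is a cheap way to confirm that an entry is as narrow as intended, for example that `trustedsite.com` exempts its subdomains but nothing else.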

The following example shows the syntax for the import option.


[root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt
[root@defaulthost admin]#

Note: To update the active whitelist, import an updated whitelist file. To clear the whitelist, import a file that contains only one empty line.

The following example shows the syntax for the export option. The export option prints the active whitelist to the screen.


[root@defaulthost admin]# scio ssl whitelist export
10.0.0.1
1.0.0.0/8
70.34.21.82
trustedsite.com
landing.trustedsearch.com

Published: 2010-01-12