Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Loading a Root CA


After the Policy Enforcer virtual machine is configured and created and before creating any ATP policy, you must set up certificates on any Juniper ATP Cloud-supported SRX Series device. For a list of Juniper ATP Cloud- supported devices, see Juniper ATP Cloud Supported Platforms Guide  .


The following is simply an example. You will need to modify the group name, profile and policy name to match your configuration.

To set up certificates for Policy Enforcer:

  1. Create the CA profile using the following CLI command. A CA profile configuration contains information specific to a CA.
    root@host# request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
    root@host# request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name subject ",OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email
  2. Configure the CA profile.Note

    The CA profile name must be policyEnforcer.

    root@host# set security pki policyEnforcer ssl-inspect-ca ca-identity ssl-inspect-ca
    root@host# set security pki ca-profile policyEnforcer ca-identity ssl-profile-ca
  3. Load the default trusted CA.
    root@host# request security pki ca-certificate ca-profile-group load ca-group-name All-Trusted-CA-Def filename default
  4. Enable HTTPS on the threat prevention policy.

    When creating your threat prevention policy (in Security Director, select Configure>Threat Prevention > Policy), enable the Scan HTTPS option to scan files downloaded over HTTPS. For more information on creating threat prevention policies, see the Security Director online help.

    When you enable HTTPS on the threat prevention policy, Policy Enforcer sends the following configuration to the devices:

  5. Export the locally generated certificate from the SRX Series device and install it on clients as a trusted CA to avoid some of the certificate errors that may occur.

    Each website or browser behaves slightly different. Some require exceptions to be added to your browser to display the content while others may not work because the local certificate is weak.

  6. (Optional) You can limit some certificate warning messages using the following CLI command: