Help Center User GuideGetting Started
 
X
User Guide
Getting Started
Contents

Managing Device Certificates

Starting in Junos OS 19.2R1 Release, Device Certificates page is available and you can navigate to this page from Administration > Certificate Management > Device Certificates.

Manage the device certificates to authenticate Secure Socket Layer (SSL). SSL uses public-private key technology that requires a paired private key and an authentication certificate for providing the SSL service. SSL encrypts communication between your device and the Web browser with a session key negotiated by the SSL server certificate.

Table 292 provides the details of the fields of the Device Certificates page.

Table 292: Fields on Device Certificates Page

Field

Description

Certificate ID

Displays the certificate ID.

Certificate ID is a unique value across the device. This will be used to create a key pair along with the algorithm to associate with the key.

Issuer Org

Displays the details of the authority that issued the certificate.

Status

Displays whether the status of the certificate is valid, expired, and so on.

Expiration Date

Displays certificate expiration date.

Encryption Type

Displays whether the algorithm of the certificate is RSA, DSA, or ECDSA encryption.

Signature Status

Displays whether the status of the certificate is signed or in certificate signing request (CSR) stage.

You can perform the following tasks:

Importing a Certificate

Procedure

To import a device certificate:

  1. Select Administration > Certificate Management > Device Certificates.
  2. Click Import.

    The Import Certificate page appears.

  3. Complete the configuration according to the guidelines provided in Table 293.
  4. Click OK to import the certificate.

    You are taken to the Device Certificates page. If the certificate content that you imported is validated successfully, a confirmation message is displayed; if not, an error message is displayed.

    After importing a certificate, you can use it when you create an SSL proxy profile and for IPSec VPN peers authentication.

Table 293: Fields on the Import Certificate Page

Field

Action

Type

Select an option to specify whether the certificate that you are importing is an Externally Generated Certificate or a CSR.

Certificate ID

Enter a unique value for the certificate ID for an externally generated certificate.

Select an option from the list to specify the certificate ID for a CSR.

File path for Certificate

Click Browse to navigate to the path from where you want to import the certificate.

File path for Private Key

Click Browse to navigate to the path from where you want to import the private key.

Passphrase

Enter the passphrase used to protect the private key or key pair of the certificate file.

Exporting a Certificate

Procedure

To export a device certificate:

  1. Select Administration > Certificate Management > Device Certificates.
  2. Click Export.

    The Export Certificate page appears.

  3. Complete the configuration according to the guidelines provided in Table 294.
  4. Click OK to export the certificate.

    Once you save or download the exported file(s), a confirmation message is displayed; if not, an error message is displayed.

Table 294: Fields on the Export Certificate Page

Field

Action

Type

Select an option from the list to specify whether the certificate that you are exporting is a Local Certificate or a CSR.

Certification Name

Select an option from the list for the local certificate name.

Certificate ID

This option is available only for CSR.

Select an option from the list for the CSR certificate ID.

Format

Select an option from the list to specify whether the exporting certificate format is Privacy-Enhanced Mail (PEM) or Distinguished Encoding Rules (DER).

Key Pair

Enable or disable exporting key pair of a certificate.

Passphrase

Enter the passphrase to protect the private key or key pair of the certificate file.

Viewing the Details of a Certificate

Procedure

To view the details of a device certificate:

  1. Select Administration > Certificate Management > Device Certificates.
  2. Select an existing certificate.
  3. Select More > Detailed View.

    The View Certificate page appears with the details of the certificate.

    Note: When you hover over the certificate ID, a Detailed View icon appears before the certificate ID. You can also use this icon to view the certificate details.

  4. Click OK after viewing the certificate details.

Table 295 provides the field details of the certificate on the View Certificate page.

Table 295: Fields on the View Certificate Page

Field

Action

Certificate Details

Certificate ID

Displays the certificate ID.

Certificate Version

Displays the certificate revision number.

Certificate Type

Displays the certificate type. For example, Signed.

Encryption Type

Displays the encryption type. For example, RSA.

Key Size

Displays the key size of the encryption type.

Serial Number

Displays the unique serial number of the certificate.

Subject

Domain Component

Displays the domain component associated with the certificate.

Common Name

Displays the common name associated with the certificate.

Organizational Unit Name

Displays the organizational unit associated with the certificate.

Organizational Name

Displays the organizational name associated with this certificate.

Serial Number

Displays the serial number of the device.

Locality

Displays the locality name.

State

Displays the state name.

Country

Displays the country name.

Subject Alt Name

Domain Name

Displays the Fully Qualified Domain Name (FQDN).

Email

Displays the email ID of the certificate holder.

IPv4 Address

Displays the IPv4 address.

IPv6 Address

Displays the IPv6 address.

Issuer Information

Common Name

Displays the issuer common name associated with the certificate.

Domain Component

Displays the issuer domain component associated with the certificate.

Organization Name

Displays the issuer organizational name.

Organization Unit Name

Displays the issuer organizational unit.

Locality Name

Displays the issuer locality name.

State or Province Name

Displays the issuer state or region name.

Validity

Not Before

Displays the start time when the certificate becomes valid.

Not After

Displays the end time when the certificate becomes invalid.

Auto Re Enrollment

Status

Displays whether the auto re enrollment is enabled or disabled.

Next Trigger Time

Displays the how long auto-reenrollment should be initiated before expiration.

Fingerprint

MD5

Displays the MD5 fingerprints to identify the certificate.

SHA1

Displays the SHA-1 fingerprints to identify the certificate.

Signature Algorithm

Algorithm

Displays whether the signature algorithm is SHA-1, SHA-256, or SHA-384 digest.

Distribution CRL

URL

Displays the URL of the certificate revocation list (CRL) server.

LDAP

Displays the name of the location from which the CRL is retrieved through Lightweight Directory Access Protocol (LDAP).

Authority Information Access OCSP

URL

Displays the URL of the Online Certificate Status Protocol (OCSP) server.

Generating a Certificate

Procedure

To generate a device certificate:

  1. Select Administration > Certificate Management > Device Certificates.
  2. Click the add icon (+).

    The Generate Certificate page appears.

  3. Complete the configuration according to the guidelines provided in Table 296.
  4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.

    If you click OK, a new certificate with the provided configuration is created.

Table 296: Fields on the Generate Certificate Page

Field

Action

Certificate Details

Certificate Type

Select one of the certificate type from the list that you want to generate:

  • Local Self-Signed—Allows for use of SSL-based (Secure Sockets Layer) services without requiring that the user or administrator to undertake the considerable task of obtaining an identity certificate signed by a CA. Self-signed certificates are usually used for internal purpose.

  • Local Certificate—Validates the identity of the security device. A local certificate imports or references an SSL certificate.

CA Profile Name

This option is available for a local certificate.

Select one of the CA profile name from the list or click Create to add a CA Profile. For details on adding a CA profile, see the table in the Adding a Certificate Authority Profile section.

Certificate ID

Enter a unique value for the certificate ID.

Encryption Type

Select one of the type of encryption from the list:

  • RSA Encyrption

  • DSA Encyrption

    Note: The certificate cannot be used in SSL Proxy profile if it is generated using type DSA.

  • ECDSA Encyrption

Key Size

Select one of the key size from the list:

  • RSA encryption supports 1024 bits, 2048 bits, or 4096 bits.

  • DSA encryption supports 1024 bits, 2048 bits, or 4096 bits.

  • ECDSA encryption supports 256 bits, 384 bits, or 521 bits.

Subject (Minimum of one field required)

Domain Component

Enter the domain component that you want to be associated with the certificate.

Common Name

Enter a common name with the certificate.

Organizational Unit Name

Enter the organizational unit that you want to be associated with the certificate.

Organizational Name

Enter the organizational name that you want to be associated with this certificate.

Serial Number

Enter a serial number of the device.

Locality

Enter the locality name.

State

Enter the state name.

Country

Enter the country name.

Subject Alt Name

Note: For a local certificate, any one field is mandatory

Domain Name

Enter a Domain Name that you want to associate with the certificate.

Email

Enter an user email address.

IPv4 Address

Enter the IPv4 address of the device.

IPv6 Address

This option is available for a local certificate.

Enter the IPv6 address of the device.

Advanced

Digest

Select the digest from the list:

  • For local Self-signed certificate (RSA/DSA/ECDSA) options are: None, SHA-1 digests, or SHA-256 digests.

  • For local certificate options are:

    • RSA/DSA: None, SHA-1 digests, or SHA-256 digests

    • ECDSA: None, SHA-256 digests, or SHA-384 digests.

Signing Certificate

Enable or disable specifies that the certificate is used to sign other certificates.

Deleting a Certificate

Procedure

To delete a device certificate:

  1. Select Administration > Certificate Management > Device Certificates.
  2. Select the certificate you want to delete.
  3. On the upper right side of the Device Certificates page, click the delete icon to delete.

    A confirmation window appears.

  4. Click Yes to delete.

Search Text in Device Certificates Table

You can use the search icon in the top right corner of a page to search for text containing letters and special characters on that page.

Procedure

To search for text:

  1. Enter partial text or full text of the keyword in the search bar and click the search icon.

    The search results are displayed.

  2. Click X next to a search keyword or click Clear All to clear the search results.

See Also

 
Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary