Self-Signed Digital Certificates

A self-signed certificate is a certificate that is signed by the same entity that created it rather than by a Certificate Authority (CA). Junos OS provides two methods for generating a self-signed certificate: automatic generation and manual generation.

Understanding Self-Signed Certificates

A self-signed certificate is a certificate that is signed by its creator rather than by a Certificate Authority (CA).

Self-signed certificates allow the use of SSL-based (Secure Sockets Layer) services without requiring that the user or administrator undertake the considerable task of obtaining an identity certificate signed by a CA.

Self-signed certificates do not provide the additional security that CA-signed certificates do, because a client cannot verify that the server it has connected to is the one identified in the certificate.

Junos OS provides two methods for generating a self-signed certificate:

  • Automatic generation

    In this case, the creator of the certificate is the Juniper Networks device. An automatically generated self-signed certificate is configured on the device by default.

    After the device is initialized, it checks for the presence of an automatically generated self-signed certificate. If it does not find one, the device generates one and saves it in the file system.

  • Manual generation

    In this case, you create the self-signed certificate for the device.

    At any time, you can use the CLI to generate a self-signed certificate. These certificates are also used to gain access to SSL services.

Self-signed certificates are valid for five years from the time they were generated.

An automatically generated self-signed certificate allows for use of SSL-based services without requiring that the administrator obtain an identity certificate signed by a CA.

A self-signed certificate that is automatically generated by the device is similar to a Secure Shell (SSH) host key. It is stored in the file system, not as part of the configuration. It persists when the device is rebooted, and it is preserved when a request system snapshot command is issued.

A self-signed certificate that you manually generate allows for use of SSL-based services without requiring that you obtain an identity certificate signed by a CA. A manually generated self-signed certificate is one example of a public key infrastructure (PKI) local certificate. As is true of all PKI local certificates, manually generated self-signed certificates are stored in the file system.

Example: Generating a Public-Private Key Pair

This example shows how to generate a public-private key pair.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you generate a public-private key pair named ca-ipsec.

Configuration

Step-by-Step Procedure

To generate a public-private key pair:

  • Create a certificate key pair.

Verification

After the public-private key pair is generated, the Juniper Networks device displays the following:

Example: Manually Generating Self-Signed Certificates

This example shows how to generate self-signed certificates manually.

Requirements

Before you begin, generate a public-private key pair. See Digital Certificates.

Overview

For a manually generated self-signed certificate, you specify the DN when you create it. For an automatically generated self-signed certificate, the system supplies the DN, identifying itself as the creator.

In this example, you generate a self-signed certificate with the e-mail address mholmes@example.net. You specify a certificate-id of self-cert to be referenced by Web management, which refers to a key pair of the same certificate-id.

Configuration

Step-by-Step Procedure

To generate the self-signed certificate manually:

  1. Create the self-signed certificate.

Verification

To verify that the certificate was properly generated and loaded, enter the show security pki local-certificate operational mode command.

Using Automatically Generated Self-Signed Certificates (CLI Procedure)

After the device is initialized, it checks for the presence of a self-signed certificate. If a self-signed certificate is not present, the device automatically generates one.

You can add the following statement to your configuration if you want to use the automatically generated self-signed certificate to provide access to HTTPS services:

The device uses the following distinguished name for the automatically generated certificate:

Use the following command to specify that the automatically generated self-signed certificate is to be used for Web management HTTPS services:

Use the following operational command to delete the automatically generated self-signed certificate:

After you delete the system-generated self-signed certificate, the device automatically generates a new one and saves it in the file system.
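The two procedures above (manual generation with certificate-id self-cert and e-mail mholmes@example.net, and the automatic system-generated certificate) as they would be typed at the Junos CLI; this is an added illustration, not the page's own command listing. The prompt, the CN, domain-name and ip-address values are placeholders, and the pki-local-certificate statement under web-management https is assumed to be the statement that references a PKI local certificate.

```junos
# Key pair from the first example on this page (certificate-id ca-ipsec)
user@host> request security pki generate-key-pair certificate-id ca-ipsec size 2048 type rsa

# Manual self-signed certificate: the certificate-id must match an existing
# key pair, so a key pair is generated under the id self-cert first
user@host> request security pki generate-key-pair certificate-id self-cert size 2048 type rsa
user@host> request security pki local-certificate generate-self-signed certificate-id self-cert subject CN=placeholder-host domain-name placeholder.example.net ip-address 192.0.2.10 email mholmes@example.net

# Verify the result: for a self-signed certificate the Issuer and Subject
# lines are identical, and the validity window ends five years after generation
user@host> show security pki local-certificate certificate-id self-cert detail

# Point HTTPS Web management at the manually generated certificate
# (pki-local-certificate is the assumed statement for a PKI local certificate)
user@host> configure
user@host# set system services web-management https pki-local-certificate self-cert
user@host# commit and-quit

# Automatic case instead: use the certificate the device generated at initialization
user@host> configure
user@host# set system services web-management https system-generated-certificate
user@host# commit and-quit

# Replace the automatic certificate: deleting it makes the device generate
# a new one and save it in the file system
user@host> clear security pki local-certificate system-generated
```

Because the configuration only references the certificate by id, the certificate itself lives in the file system and survives reboots and request system snapshot, as the text above describes.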
