Related Documentation
- J Series
- Understanding Certificates and PKI
- Using Automatically Generated Self-Signed Certificates (CLI Procedure)
- Example: Manually Generating Self-Signed Certificates
- LN Series
- Understanding Certificates and PKI
- Using Automatically Generated Self-Signed Certificates (CLI Procedure)
- Example: Manually Generating Self-Signed Certificates
- SRX Series
- Understanding Certificates and PKI
- Using Automatically Generated Self-Signed Certificates (CLI Procedure)
- Example: Manually Generating Self-Signed Certificates
- Additional Information
- Public Key Infrastructure Feature Guide for Security Devices
Understanding Self-Signed Certificates
A self-signed certificate is a certificate that is signed by its creator rather than by a Certificate Authority (CA).
Self-signed certificates allow for use of SSL-based (Secure Sockets Layer) services without requiring that the user or administrator to undertake the considerable task of obtaining an identity certificate signed by a CA.
 | Note: Self-signed certificates do not provide additional security as do those generated by CAs. This is because a client cannot verify that the server he or she has connected to is the one advertised in the certificate. |
This topic includes the following sections:
Generating Self-Signed Certificates
Junos OS provides two methods for generating a self-signed certificate:
- Automatic generation
In this case, the creator of the certificate is the Juniper Networks device. An automatically generated self-signed certificate is configured on the device by default.
After the device is initialized, it checks for the presence of an automatically generated self-signed certificate. If it does not find one, the device generates one and saves it in the file system.
- Manual generation
In this case, you create the self-signed certificate for the device.
At any time, you can use the CLI to generate a self-signed certificate. These certificates are also used to gain access to SSL services.
Self-signed certificates are valid for five years from the time they were generated.
Automatically Generating Self-Signed Certificates
An automatically generated self-signed certificate allows for use of SSL-based services without requiring that the administrator obtain an identity certificate signed by a CA.
A self-signed certificate that is automatically generated by the device is similar to a Secure Shell (SSH) host key. It is stored in the file system, not as part of the configuration. It persists when the device is rebooted, and it is preserved when a request system snapshot command is issued.
Manually Generating Self-Signed Certificates
A self-signed certificate that you manually generate allows for use of SSL-based services without requiring that you obtain an identity certificate signed by a CA. A manually generated self-signed certificate is one example of a public key infrastructure (PKI) local certificate. As is true of all PKI local certificates, manually generated self-signed certificates are stored in the file system.
Related Documentation
- J Series
- Understanding Certificates and PKI
- Using Automatically Generated Self-Signed Certificates (CLI Procedure)
- Example: Manually Generating Self-Signed Certificates
- LN Series
- Understanding Certificates and PKI
- Using Automatically Generated Self-Signed Certificates (CLI Procedure)
- Example: Manually Generating Self-Signed Certificates
- SRX Series
- Understanding Certificates and PKI
- Using Automatically Generated Self-Signed Certificates (CLI Procedure)
- Example: Manually Generating Self-Signed Certificates
- Additional Information
- Public Key Infrastructure Feature Guide for Security Devices
