Certificate Management

Managing Certificates

  1. Select Administration>Certificate Management.

    The Certificate Management page appears. This page displays the number of certificates currently being used on the device. Usage is determined by the configuration on the device. Table 298 explains the contents of this page.

  2. Click any of the following options:
    • Upload—Uploads the selected CSR signed certificate or externally generated certificate to the device. The options are:
      1. If you select CSR Signed Certificate, the Upload CSR Signed Certificate popup window appears.

        Select the certificate content from the two options presented. If you select File Path on device for Certificate, add the path of the certificate file in the File path on device for Certificate text box.

        If you select Paste Certificate Content, paste the contents of the certificate in the text box.

      2. If you select Externally Generated Certificate, the Upload Externally Generated Certificate popup window appears.

        Enter the Certificate ID, the File path on device for key pair where the key file is located, and the Passphrase if the key is encrypted using a passphrase.

        Select the certificate content from the two options. If you select File Path on device for Certificate, add the path of the certificate file (pim) in the File path on device for Certificate text box.

        If you select Paste Certificate Content, paste the contents of the certificate in the text box.

    • Click Upload.
    • Download—Downloads the selected CSR or signed certificate.
    • Add icon (+)—Creates a new certificate. A certificate can be a Certificate Signing Request (CSR) or a self-signed certificate. After you create a CSR, you need to download it, get it signed by a CA, and use that certificate in the device. Self-signed certificates allow for use of SSL-based services without requiring you to obtain an identity certificate signed by a CA. Self-signed certificates are usually used for internal purposes. All these steps can be managed in the Certificate Management page. There are two steps to generate a certificate:
      1. Generate Key Pair
      2. Generate Certificate

      Table 299 lists the details involved while creating a certificate.

    • Delete icon (X)—Deletes the certificate that you have selected in the grid.
    • More—The available options are:
      • Generate Trusted CAs—Generates the default CAs provided by Juniper Networks, which are necessary when creating an SSL Proxy profile. Generation may take several minutes. It is a one-time activity.
      • View Trusted CAs—Displays all the default trusted CAs.
      • Clear All Selections—Clears all selections made in the grid.
    • Search icon—Enables you to search for the certificate that you enter in the search criteria.
    • Show Hide column icon—Enables you to show or hide the columns to be displayed in the grid.
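
Before using the Externally Generated Certificate upload described above, the certificate and its key pair can be checked on the workstation that produced them. The script below is an added example, not part of the Juniper documentation; it assumes the OpenSSL command-line tool and PEM-encoded files, and the function names and the KEY_PASSPHRASE environment variable are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload check of an externally generated certificate and key pair.
# KEY_PASSPHRASE (hypothetical name) holds the passphrase when the key file is encrypted.

cert_field() {   # cert_field CERT LABEL: first "LABEL: value" in the certificate text dump
  openssl x509 -in "$1" -noout -text | sed -n "s/^ *$2: *//p" | head -n 1
}

cert_key_bits() {  # key length in bits, e.g. 2048 (RSA/DSA) or 256 (ECDSA)
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

key_pubkey() {   # public half of the private key file, as PEM
  if [ -n "${KEY_PASSPHRASE:-}" ]; then
    openssl pkey -in "$1" -passin env:KEY_PASSPHRASE -pubout
  else
    openssl pkey -in "$1" -pubout </dev/null
  fi
}

precheck_upload() {  # precheck_upload CERT.pem KEY.pem: 0 = ready, 1 = problem, 2 = unreadable
  cert=$1; key=$2; rc=0
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: $cert is not a PEM certificate"; return 2; }

  # Values corresponding to the columns of the Certificate Management grid (Table 298).
  openssl x509 -in "$cert" -noout -serial -issuer -subject -dates
  keyalg=$(cert_field "$cert" "Public Key Algorithm")
  sigalg=$(cert_field "$cert" "Signature Algorithm")
  echo "keyAlgorithm=$keyalg keyLength=$(cert_key_bits "$cert") signatureAlgorithm=$sigalg"

  # The key file must be the private half of the public key in the certificate.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(key_pubkey "$key" 2>/dev/null)" ]; then
    echo "FAIL: key does not match certificate (or key unreadable / wrong passphrase)"; rc=1
  fi
  # The end of the validity period must still be in the future.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: certificate has expired"; rc=1; }
  # Informational flags; assumption: the page's DSA note also applies to uploaded certificates.
  case $keyalg in dsa*) echo "NOTE: DSA key: not usable in an SSL Proxy profile" ;; esac
  case $sigalg in *[Ss][Hh][Aa]1*) echo "NOTE: SHA-1 signature digest" ;; esac
  return $rc
}

# Run directly: sh precheck.sh cert.pem key.pem
if [ "$#" -ge 2 ]; then precheck_upload "$1" "$2"; fi
```

A return code of 0 means the pair is consistent and unexpired; it says nothing about whether the issuing CA is trusted by the device.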

Enter the information specified in Table 298 to maintain the secure router.

Table 298: Certificate Management Page

| Field | Description |
| --- | --- |
| Certificate ID | Displays the certificate ID. |
| Serial Number | Displays the serial number of the certificate. |
| Issuer | Displays the issuer of the certificate. |
| Subject | Displays the subject details such as Organizational Unit, Organization Name and so on. |
| Domain Name | Displays the domain name of the user. |
| Email | Displays the email ID of the user of the certificate. |
| IPv4 Address | Displays the IPv4 address of the user. |
| IPv6 Address | Displays the IPv6 address of the user. |
| Validity From | Displays the start date of the validity of the certificate. |
| Validity To | Displays the end date of the validity of the certificate. |
| Key Length | Displays the length of the key pair of the certificate. |
| Key Algorithm | Displays whether the key algorithm of the certificate is RSA or ECDSA encryption. |
| Signature Algorithm | Displays whether the signature algorithm is SHA-1, SHA-256, or SHA-384 digest. |
| Status | Displays whether the status of the certificate is signed or in CSR stage. |

Table 299: Creating Certificate

Generate Key Pair

| Field | Function | Action |
| --- | --- | --- |
| Certificate ID | Certificate ID is a unique value across the device. This will be used to create a key pair along with the algorithm to associate with the key. | Enter a unique value for the certificate ID. |
| Size | The bit length of the RSA, DSA, or ECDSA key. | Select the size from the dropdown list. The options available are: 1024 bits (RSA/DSA only), 2048 bits (RSA/DSA only), 256 bits (ECDSA only), 384 bits (ECDSA only), and 4096 bits (RSA/DSA only). |
| Type | The type of key encryption. | Select the type of key from the dropdown list. The options are: RSA/DSA if size is selected as either 1024 bits, 2048 bits, or 4096 bits; ECDSA if size is selected as 256 or 384 bits. Note: The certificate cannot be used in SSL Proxy profile if it is generated using type DSA. |
| | Generate the key pair. | Click Generate. |

Generate Certificate

Certificate Signing Details

| Field | Function | Action |
| --- | --- | --- |
| Type | A certificate can be a Certificate Signing Request (CSR) or a self-signed local certificate. After the CSR is generated, it must be signed by a CA server, and then you upload the signed CSR back to the device using the same certificate ID. Self-signed certificates allow for use of SSL-based services without requiring you to obtain an identity certificate signed by a CA. Self-signed certificates are usually used for internal purposes. | Select the type of certificate from the options: Certificate Signing Request (CSR) or Self-signed local-certificate. |
| Certificate ID | Displays the certificate ID that is created in the previous screen. | |
| Digest | Displays the digests available. | Select the digest from the dropdown list. If the key pair is generated with RSA/DSA: for CSR, the options are SHA-1 digests (RSA/DSA only) or SHA-256 digests (RSA/ECDSA only); for self-signed local certificate, the options are SHA-1 digests or SHA-256 digests. If the key pair is generated with ECDSA: for CSR, the options are SHA-256 digests (RSA/ECDSA only) or SHA-384 digests (ECDSA only); for self-signed local certificate, the options are SHA-1 digests or SHA-256 digests. |
| Domain Name | Allows you to enter a domain name that you want to associate with this certificate. | Enter a Domain Name. |
| Email | Allows you to enter the email address. | Enter an email address. |
| IP Address | Allows you to enter the IPv4 address of the system from where you are creating this certificate. | Enter IPv4 address. |
| Add CA Constraint | This option is available only for Self-Signed Local-Certificate. | Select the checkbox to add CA constraint to this certificate. |
| IPv6 Address | Note: This appears only if you selected the Type of certificate as Certificate Signing Request (CSR). Allows you to enter the IPv6 address of the system from where you are creating this certificate. | Enter IPv6 address. |

Collapse the Subject (Any one field is mandatory)

| Field | Function | Action |
| --- | --- | --- |
| Domain Component | Allows you to enter the domain component that you want to be associated with this certificate. This will be displayed under the Subject in the Certificate Management page. | Enter the domain component. |
| Common Name | Allows you to enter a common name with this certificate. | Enter a common name. |
| Organizational Unit | Allows you to enter your organizational unit that you want to be associated with this certificate. | Enter the organizational unit. |
| Organizational Name | Allows you to enter your organizational name that you want to be associated with this certificate. This will be displayed under the Subject in the Certificate Management page. | Enter the organizational name. |
| Serial Number | Allows you to enter serial number for the certificate. | Enter a serial number. |
| Locality | Allows you to enter the locality from where you are creating this certificate. | Enter the locality name. |
| State | Allows you to enter the state or region from where you are creating this certificate. | Enter the state name. |
| Country | Allows you to enter the country from where you are creating this certificate. | Enter the country name. |