Replace SSL Certificate with Signed One

When you boot up the Apstra server for the first time, a unique self-signed certificate is automatically generated and stored on the Apstra server at /etc/aos/nginx.conf.d (nginx.crt is the web server's certificate, which carries its public key, and nginx.key is the private key). The certificate secures HTTPS connections to the Apstra server web interface and REST API; it is not used for any internal device-to-server connectivity. When you perform system backups you must manually back up the /etc/aos folder, since the HTTPS certificate is not retained in the backup. We recommend replacing the default SSL certificate. Web server certificate management is the responsibility of the end user. Juniper support is best effort only.

  1. Back up the existing OpenSSL keys.
  2. Create a new OpenSSL private key with the built-in openssl command.

    CAUTION: Do not attempt to modify the default nginx.crt or nginx.key filenames. These names are referenced from nginx's configuration file. The files could be replaced as part of a subsequent service upgrade, so the filenames must be predictable. Moreover, do not make configuration changes to nginx.conf, as this file may be replaced during an Apstra server upgrade.

  3. Create a certificate signing request. If you want to create a signed SSL certificate with a Subject Alternative Name (SAN) for your Apstra server HTTPS service, you must manually create an OpenSSL template. For details, see Juniper Support Knowledge Base article KB37299.

    CAUTION: If you have created custom OpenSSL configuration files for advanced certificate requests, do not leave them in the nginx configuration folder, as nginx will attempt to load them (*.conf) on service startup, causing a service failure.

  4. Submit your Certificate Signing Request (nginx.csr) to your Certificate Authority. The required steps are outside the scope of this document, since CA instructions differ per implementation. Any valid SSL certificate will work. The example below self-signs the certificate.
  5. Verify that the SSL materials match: private key, public key, and CSR.
  6. To load the new certificate, restart the nginx container.
  7. Confirm in your web browser that the new certificate is being served and that its common name matches 'aos-server.apstra.com'.
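The key-generation, self-signing and consistency-check steps of this procedure as a script, added here as an example and not taken from the Apstra documentation. It assumes openssl is on the path, works in a scratch directory rather than /etc/aos/nginx.conf.d, and the common name, key size and validity period are assumptions; restarting the nginx container and copying the files into place are left to the operator.

```bash
#!/bin/bash
# Added example: reproduces steps 1-5 and the check in step 7 in a scratch
# directory. The CN, 2048-bit key size and 365-day validity are assumptions.
# On a real Apstra server the resulting nginx.key and nginx.crt would be copied
# into /etc/aos/nginx.conf.d with their filenames unchanged.
set -eu

# Step 1: keep a timestamped copy of any existing key/cert before overwriting.
backup_existing_keys() {
    local dir="$1" stamp f
    stamp=$(date +%Y%m%d%H%M%S)
    for f in nginx.key nginx.crt; do
        if [ -f "$dir/$f" ]; then cp -p "$dir/$f" "$dir/$f.$stamp.bak"; fi
    done
}

# Steps 2-4: new private key, CSR for the given CN, then a self-signed
# certificate from that CSR (a CA-issued nginx.crt would replace this output).
make_self_signed() {
    local dir="$1" cn="$2"
    openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null
    openssl req -new -key "$dir/nginx.key" -subj "/CN=$cn" -out "$dir/nginx.csr"
    openssl x509 -req -days 365 -in "$dir/nginx.csr" -signkey "$dir/nginx.key" \
        -out "$dir/nginx.crt" 2>/dev/null
}

# Step 5: the private key, the CSR and the certificate must all embed the same
# public key. Comparing SHA-256 digests of the DER-encoded public keys catches a
# mismatched pair (for example a CA certificate issued for an older CSR) before
# nginx is restarted with it.
keys_match() {
    local dir="$1" k r c
    k=$(openssl pkey -in "$dir/nginx.key" -pubout -outform DER | openssl dgst -sha256)
    r=$(openssl req -in "$dir/nginx.csr" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$dir/nginx.crt" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Step 7: print the CN actually inside the certificate so it can be compared
# with the name users browse to.
cert_cn() {
    openssl x509 -in "$1/nginx.crt" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=//p'
}
```

Run `keys_match` again after installing a CA-issued nginx.crt; a regenerated private key or a certificate issued for a different CSR makes it return non-zero.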