Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Replace SSL Certificate on Apstra Server with Signed One

When you boot up the Apstra server for the first time, a unique self-signed certificate is automatically generated and stored on the Apstra server at /etc/aos/nginx.conf.d (nginx.crt is the public key for the webserver and nginx.key is the private key.) The certificate is used for encrypting the Apstra server and REST API. It's not for any internal device-server connectivity. Since the HTTPS certificate is not retained when you back up the system, you must manually back up the etc/aos folder. We recommend replacing the default SSL certificate. Web server certificate management is the responsibility of the end user. Juniper support is best effort only.

  1. Back up the existing OpenSSL keys.
  2. Create a new OpenSSL private key with the built-in openssl command.

    Don't modify nginx.crt or nginx.key filenames. They're referred to in nginx.conf. As part of subsequent service upgrades, these files could be replaced, so the filenames must be predictable.

    Also, don't change configuration in nginx.conf, as this file may be replaced during Apstra server upgrade, and any changes you make would be discarded.

  3. Create a certificate signing request. If you want to create a signed SSL certificate with a Subjective Alternative Name (SAN) for your Apstra server HTTPS service, you must manually create an OpenSSL template. For details, see Juniper Support Knowledge Base article KB37299.

    If you have created custom OpenSSL configuration files for advanced certificate requests, don't leave them in the Nginx configuration folder. On startup, Nginx will attempt to load them (*.conf), causing a service failure.

  4. Submit your Certificate Signing Request (nginx.csr) to your Certificate Authority. The required steps are outside the scope of this document; CA instructions differ per implementation. Any valid SSL certificate will work. The example below is for self-signing the certificate.
  5. Verify that the SSL certificates match: private key, public key, and CSR.
  6. To load the new certificate, restart the nginx container.
  7. Confirm that the new certificate is in your web browser and that the new certificate common name matches ''.