Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Running Third-Party Applications Natively With Signing Keys

Signing Keys Overview

Starting in Junos OS Evolved Release 22.4R1, you can generate signing keys and use them to sign executable files or shared objects. Signing an executable file gives it permission to run on the device, allowing you to approve trusted applications to run alongside authorized Juniper Networks software.

Junos OS Evolved requires users to sign all files that will be mapped into memory for execution. This includes the following file types:

  • Executable and Linkable Format (ELF) files

  • Shared Objects (.so) files

The following types of files do not need to be signed:

  • Docker containers

  • Applications inside containers

  • Scripts


    Although scripts don’t need to be signed, they do need to be passed through a signed interpreter for execution. Junos OS Evolved comes installed with signed Python 2 and Python 3 interpreters that can be used through the python script-name shell command.

Signing keys are controlled by a Linux subsystem called Integrity Measurement Architecture (IMA). IMA policy consists of rules that define which actions needs to be taken before a file can be executed. IMA measurement policy will measure and store a file’s hash, and IMA appraisal policy will make sure that the file has a valid hash or digital signature. IMA will only allow a file to run if this validation succeeds. For more information about IMA, see Protecting the Integrity of Junos OS Evolved with IMA.

Signing keys are stored in the system keystore, and the certificates used the verify signing keys are stored in the IMA extended keyring. Keep reading to learn how to generate, import, view, and use signing keys.

Generating Signing Keys

Keys can be generated through the OpenSSL command-line or a OpenSSL configuration file.

Generating Signing Keys Using the OpenSSL Command-Line

The following example OpenSSL command can be used to generate signing keys:

This command will generate 2 files:

  1. privkey.pem - The PEM encoded private key that can be used to sign executable files.

  2. ima-cert.x509 - The DER encoded certificate to be loaded into the IMA extended keyring.


The OpenSSL command-line is limited in its functionality. It does not allow you to set values for the X509v3 extensions. All keys generated using the command above can be used as Certificate Authorities (CAs), and therefore can be used to sign other certificates. To prevent this, we can use an OpenSSL Configuration File.

Generating Signing Keys Using an OpenSSL Configuration File

Create a file named ima-x509.cnf and paste the following contents:

After the configuration file is created, use the following OpenSSL command to create the ima-privkey.pem and ima-cert.x509 files:

The private key file ima-privkey.pem is used to generate signing keys, and the certificate file ima-cert.x509 is used to verify the signature. Both files are used during the process of importing signing keys into the system keystore and IMA extended keyring.

Importing Signing Keys into the System Keystore and IMA Extended Keyring

Signing keys need to be imported into the system keystore prior to use. Keys that are imported into the system keystore are automatically imported into the IMA extended keyring. Keys will be imported on both Routing Engines.

To import a signing key into the system keystore, use the request security system-keystore import command with the following 2 mandatory arguments:

  1. key-name - A unique name for the key

  2. x509-cert - Path to the DER encoded certificate file

The following example command will create a key named ima-test-key by using the certificate file ima-cert.x509:

When the key is successfully imported into the system-keystore you will see the above output displaying the name of the key, the path to the certificate on disk, and the Subject Key Identifier (SKI) for the key. You can check if this SKI matches with the key loaded into the IMA Extended keyring with the following command:

Viewing the System Keystore and IMA Extended Keyring

You can view the contents of the system keystore and the IMA extended keyring through Junos OS Evolved CLI show commands.

Use the show security integrity system-keystore command to view the available signing keys in the system keystore:

The information in the Key SKI field can be used to map these keys to the IMA extended keyring.

Use the show security integrity extended-keyring command to view the contents of the IMA extended keyring:

How to Sign Applications

After a signing key has been imported into the system keystore, it can be used to sign executable binaries.

Use the request security integrity measure file filename key key-name command to sign a file.

The following example command shows a file named ima-test being signed by a key named ima-test-key:

You can verify that your file was successfully signed by using the request security integrity appraise file filename key key-name command, as follows:

If the file was not signed properly, the following message will display:

After a file has been signed, it can be run natively on your Junos OS Evolved device.