Self-Signed Digital Certificates
Learn what a self-signed digital certificate is and how to generate, select, and manage one on a Junos OS device.
A self-signed certificate is a certificate that is signed by the same entity who created it rather than by a Certificate Authority (CA). Junos OS provides two methods for generating a self-signed certificate - automatic generation and manual generation.
Self-Signed Certificates
A self-signed certificate is a certificate that is signed by its creator rather than by a CA.
Self-signed certificates allow for use of SSL based services without requiring the user or administrator to undertake the considerable task of obtaining an identity certificate signed by a CA.
Self-signed certificates do not provide the assurance that CA-issued certificates do, because a client has no trusted third party through which to verify that the server it connected to is the one named in the certificate. A client can only trust such a certificate out of band, typically by comparing its fingerprint against a value recorded from the device. Self-signed certificates are valid for five years.
Junos OS provides two methods for generating a self-signed certificate:
- Automatic generation–The Juniper Networks device creates the certificate automatically. An automatically generated self-signed certificate is configured on the device by default. After you initialize the device, it checks for the presence of an automatically generated self-signed certificate. If the device does not find one, it generates one and saves it in the file system.
  A self-signed certificate that is automatically generated by the device is similar to an SSH host key. It is stored in the file system, not as part of the configuration. It persists when the device is rebooted, and it is preserved when a request system snapshot command is issued.
- Manual generation–You create the self-signed certificate for the Juniper Networks device. At any time, you can use the CLI to generate a self-signed certificate. These certificates can also be used to secure SSL services.
  A manually generated self-signed certificate is one example of a PKI local certificate. As is true of all PKI local certificates, manually generated self-signed certificates are stored in the file system.
Example: Generate a Public-Private Keypair
This example shows how to generate a public-private keypair.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you generate a public-private keypair named self-cert.
Configuration
Procedure
Step-by-Step Procedure
To generate a public-private keypair:
- Create a certificate keypair:
user@host> request security pki generate-key-pair certificate-id self-cert
The default key size depends on the platform and release. A 1024-bit RSA key is no longer considered adequate, so specify a larger key with the size option (for example, size 2048) where the platform supports it.
Verification
After the public-private keypair is generated, the Juniper Networks device reports the certificate identifier you supplied and the key size, for example:
generated key pair self-cert, key size 1024 bits
Manually Generate Self-Signed SSL Certificates
To manually generate a self-signed SSL certificate on Juniper Networks devices, follow the example in this section.
Example: Manually Generate Self-Signed Certificates
This example shows how to generate a self-signed certificate manually and assign it to Web management HTTPS.
Requirements
Before you begin, generate a public-private keypair. See Digital Certificates.
Overview
For a manually generated self-signed certificate, you specify the DN when you create it. For an automatically generated self-signed certificate, the system supplies the DN, identifying itself as the creator.
In this example, you generate a self-signed certificate with the e-mail address mholmes@example.net. You specify a certificate-id of self-cert to be referenced by web management.
Configuration
Procedure
Step-by-Step Procedure
To generate the self-signed certificate manually, enter the following command in operational mode:
user@host> request security pki local-certificate generate-self-signed certificate-id self-cert subject CN=abc domain-name example.net ip-address 172.16.3.4 email mholmes@example.net
To specify the manually generated self-signed certificate for Web management HTTPS services, enter the following command in configuration mode:
[edit] user@host# set system services web-management https local-certificate self-cert
Verification
To verify the certificate is properly generated and loaded, enter the following command in operational mode:
user@host> show security pki local-certificate
Note the Certificate identifier, Issued to, validity, algorithm, and keypair location details in the displayed output.
To verify the certificate that is associated with the web management, enter the following command in configuration mode:
user@host# show system services web-management https local-certificate
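The manual procedure above fixes the DN and the subject alternative names, but, as noted under Self-Signed Certificates, a client has no CA through which to validate the result. The following shell script is an added example, not Junos CLI and not Juniper's code: it uses OpenSSL as a stand-in for the device to produce a certificate with the same subject (CN=abc) and the same domain name, IP address and e-mail address as the example, then shows what a client sees. Issuer and subject are identical, validation against the default trust store fails, and only pinning the certificate's SHA-256 fingerprint (the value you would read from show security pki local-certificate on the device and record out of band) makes verification succeed. It assumes openssl(1) 1.1.1 or later is on PATH; the function, directory and file names are this example's own.

```shell
#!/bin/sh
# Added example: stand-in for the device's self-signed certificate, built with OpenSSL.
# Assumes openssl(1) 1.1.1 or later on PATH; directory, file and function names are
# this example's own choices, not Junos commands.

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/self-cert.key"
CERT="$WORK/self-cert.pem"

# Generate a key pair and a self-signed certificate in one step, with the identity
# the page's generate-self-signed command specifies: CN=abc as the subject and the
# domain name, IP address and e-mail address as subjectAltName entries. The
# five-year validity (1825 days) matches the page.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -keyout "$KEY" -out "$CERT" -subj "/CN=abc" \
        -addext "subjectAltName=DNS:example.net,IP:172.16.3.4,email:mholmes@example.net" \
        >/dev/null 2>&1
}

# Self-signed means issuer and subject are the same DN: prints "self-signed" when
# they match, "ca-signed" otherwise.
signer_kind() {
    subj=$(openssl x509 -in "$CERT" -noout -subject)
    iss=$(openssl x509 -in "$CERT" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# The names the certificate claims, which a client matches against the connection.
san() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName | tail -n +2
}

# A client that trusts only the usual CA store cannot validate the certificate:
# openssl verify exits non-zero, reporting a self-signed certificate at depth 0.
verify_untrusted() {
    openssl verify -no-CApath -no-CAfile "$CERT" >/dev/null 2>&1
}

# The value to record out of band (from the device) and compare on every connection.
fingerprint() {
    openssl x509 -in "$CERT" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Pinning: accept the certificate only if its fingerprint equals the recorded one,
# then validate it as its own trust anchor. Any other certificate, including a fresh
# self-signed one with an identical DN, fails the fingerprint comparison.
verify_pinned() {
    [ "$(fingerprint)" = "$1" ] || return 1
    openssl verify -no-CApath -no-CAfile -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

make_self_signed || { echo "openssl failed to generate $CERT" >&2; exit 1; }
echo "signer:  $(signer_kind)"
echo "SAN:    $(san)"
echo "sha256:  $(fingerprint)"
if verify_untrusted; then
    echo "unexpected: validated without a trust anchor"
else
    echo "default trust store: not trusted (expected for a self-signed certificate)"
fi
if verify_pinned "$(fingerprint)"; then
    echo "pinned fingerprint: verified"
fi
```

The pinned fingerprint, not the DN, is what identifies the device: anyone can mint a self-signed certificate with CN=abc and the same SAN entries, and it would pass every check except the fingerprint comparison. Re-record the fingerprint whenever the certificate is regenerated, including after clear security pki local-certificate system-generated.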
Manage Automatically Generated Self-Signed Certificates
After you initialize the device, it checks at boot time for the presence of a system-generated self-signed certificate. If no such certificate is present, the device automatically generates one and saves it in the file system. The certificate persists across reboots; a new one is generated only when none is found.
To check the system-generated certificate, run the following command in operational mode:
user@host> show security pki local-certificate system-generated
Note the Certificate identifier details in the output. The DN of the automatically generated certificate contains the following:
- CN = device serial number
- CN = system generated
- CN = self-signed
Use the following command in configuration mode to specify the automatically generated self-signed certificate to be used for Web management HTTPS services:
[edit] user@host# set system services web-management https system-generated-certificate
Use the following operational command to delete the automatically generated self-signed certificate:
user@host# exit
user@host> clear security pki local-certificate system-generated
After you delete the system-generated self-signed certificate, the device automatically generates a new one and saves it in the file system.
Enable HTTPS and XNM-SSL Services on Switches Using Self-Signed Certificates (CLI Procedure)
You can use the system-generated self-signed certificate or a manually generated self-signed certificate to enable Web management HTTPS and XNM-SSL services on a switch.
Use the following command to enable HTTPS services using the automatically generated self-signed certificate:
[edit] user@switch# set system services web-management https system-generated-certificate
Use the following command to enable HTTPS services using a manually generated self-signed certificate:
[edit] user@switch# set system services web-management https pki-local-certificate certificate-id-name
The value of the certificate-id-name must match the name you specified when you generated the self-signed certificate manually.
To enable XNM-SSL services using a manually generated self-signed certificate, use the following command:
[edit] user@switch# set system services xnm-ssl local-certificate certificate-id-name
The value of the certificate-id-name must match the name you specified when you generated the self-signed certificate manually.