SUMMARY:

This article provides information on how to manually generate a new system self-signed certificate to replace the expired system self-signed certificate, without resetting the firewall.

SYMPTOMS:

The system self-signed certificate has expired and when a new one is manually generated, it still shows the expired date.

CAUSE:

 

SOLUTION:

The process to automatically generate a new system self-signed certificate is to delete the expired system self-signed certificate and then reset the device. A new system self-signed certificate will be automatically generated when the device comes back up.

However, in certain operating environments, resetting the firewall is not an option. In such cases, the process to manually generate a new system self-signed certificate, without resetting the firewall, is provided in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03, in the "Manually Creating Self-Signed Certificates" section.

However, prior to performing this procedure, you have to delete the expired system self-signed certificate:

delete pki object-id system

When the deletion is complete, perform the following procedure, as mentioned in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03:

    1. Define the certificate attributes:

      set pki x509 dn name 4ssl
      set pki x509 dn org-name abc123
      set pki x509 cert-fqdn www.abc123.com
      save

    2. Generate the public/private key pair. To generate a public/private key pair, which the Juniper Networks security device uses in its certificate request, use the following command:

      exec pki rsa new-key 2048

      After the security device generates a key pair, it composes the following certificate request:

      -----BEGIN CERTIFICATE REQUEST-----
      MIIB0jCCATsCAQAwZTENMAsGA1UEChMESk5QUjEZMBcGA1UEAxMQMDA0MzAyMjAw
      MjAwMDE4NjEQMA4GA1UEAxMHcnNhLWtleTEYMBYGA1UEAxMPd3d3Lmp1bmlwZXIu
      bmV0MQ0wCwYDVQQDEwQ1c3NsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP
      aAtelkL4HxQmO1w1jv9NMmrWnzdVYnGrKrXnw2MaB3xEgouWrlymEkZetA2ouKeA
      D24SL0h1YvJ7Sd9PvkhwHOnvP1zkOCWA84TgvxBzcAyeBnS1UpSwcC0admX0Da6T
      80EUuGrmUWodddRFUc8o5d2VGTUOM7WgcFDZRSGQGwIDAQABoC0wKwYJKoZIhvcN
      AQkOMR4wHDAaBgNVHREEEzARgg93d3cuanVuaXBlci5uZXQwDQYJKoZIhvcNAQEF
      BQADgYEAgvDXI4H905y/2+k4omo9Y4XQrgq44Rj3jqXAYYMgQBd0Q8HoyL5NE3+i
      QUkiYjMTWO2wIWzEr4u/tdAISEVTu03achZa3zIkUtn8sD/VYKhFlyPCBVvMiaHd
      FzIHUgBuMrr+awowJDG6wARhR75w7pORXy7+aAmvIjew8YRre9s=
      -----END CERTIFICATE REQUEST-----

      To learn the ID number for the key pair, use the following command:

      get pki x509 list key-pair

      Getting OTHER PKI OBJECT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095259
      CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

    3. Generate the self-signed certificate. Use the following command, which references the key-pair ID number that was learned from the output of the previous command:

      exec pki x509 self-signed-cert key-pair 176095259 (from output of previous command)

      To view the newly created self-signed certificate, use the following command:

      get pki x509 list local-cert

      Getting LOCAL CERT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095261 LOCAL CERT friendly name <29>
      LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

      To view the certificate in more detail, run the following command by using the ID number of the certificate:

      get pki x509 cert 176095261 (from output of previous command)

      -0001 176095261 LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Serial Number: <9d1c03365a5caa172ace4f82bb5ec9da>
      subject alt name extension:
      email(1): (empty)
      fqdn(2): (www.juniper.net)
      ipaddr(7): (empty)
      no renew
      finger print (md5) <be9e0280 02bdd9d1 175caf23 6345198e>
      finger print (sha) <87e0eee0 c06f9bac 9098bd02 0e631c1b 26e37e0e>
      subject name hash: <d82be8ae 4e71a576 2e3f06fc a98319a3 5c8c6c27>
      use count: <1>
      flag <00000000>

      You can copy the subject name and fingerprint from this output and communicate it to other administrators who intend to use SSL when managing the security device. When they initiate an SSL connection, they can then use this information to ensure that the certificate they receive is indeed from the security device.

    1. Assign the certificate for use with SSL.To assign the new system self-signed certificate for use with HTTP for SSL, refer to KB11496 - How to change the certificate used for SSL (HTTPS) WebUI Management:

      set ssl enable
      set ssl encrypt "rc4" md5
      set ssl cert-hash "d82be8ae4e71a5762e3f06fca98319a35c8c6c27"       (from hash of previous command)

      To verify this last step:

      get ssl
      web SSL enable.
      web SSL port number(443).
      web SSL cert: initialized.
      Subject DN(CN=self-signed,CN=4ssl,CN=www.abc123.net,CN=rsa-key,CN=0043022002000186,O=abc123)
      web SSL cipher(RC4_MD5).

[ScreenOS] How to manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall的更多相关文章

  1. NHibernate无法将类型“System.Collections.Generic.IList<T>”隐式转换为“System.Collections.Generic.IList<IT>

    API有一个需要实现的抽象方法: public IList<IPermission> GetPermissions(); 需要注意的是IList<IPermission>这个泛 ...

  2. 問題排查:System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel

    錯誤訊息如下: System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel, Version=3.0.0.0, Culture=neu ...

  3. HttpClient exception:ExceptionType:System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System.IO.IOException: Unable to read data from the transport connection: Operation ca

    error msg: System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System. ...

  4. 对于System.Net.Http的学习(一)——System.Net.Http 简介

    System.Net.Http 是微软推出的最新的 HTTP 应用程序的编程接口, 微软称之为“现代化的 HTTP 编程接口”, 主要提供如下内容: 1. 用户通过 HTTP 使用现代化的 Web S ...

  5. 对于System.Net.Http的学习(一)——System.Net.Http 简介(转)

    最新在学习System.Net.Http的知识,看到有篇文章写的十分详细,就想转过来,自己记录下.原地址是http://www.cnblogs.com/chillsrc/p/3439215.html? ...

  6. alter system archive log current作用及和alter system switch logfile区别

    alter system archive log current 是归档当前的重做日志文件,不管自动归档有没有打都归档. alter system switch logfile 是强制日志切换,不一定 ...

  7. System.Collections空间下的Hashtable类与System.Collections.Specialized下的StringDictionary的一点小区别

    哎.有一周没有写自己的博客. 最近在做一个调用web服务的小程序,没有使用c#自动生成的代理类,而是使用http-get.post.以及soap的方式去请求的,使用这http请求这种方式需要自己去拼参 ...

  8. [转]ADT中通过DDMS导入文件出错ddms transfer error: Read-only file system,Failed to push selection: Read-only file system

    [已解决] 原文  http://www.crifan.com/ddms_import_file_error_transfer_error_read_only_file_system/ 想要通过adt ...

  9. Java获取系统环境变量(System Environment Variable)和系统属性(System Properties)以及启动参数的方法

    系统环境变量(System Environment Variable): 在Linux下使用export $ENV=123指定的值.获取的方式如下: Map<String,String> ...

随机推荐

  1. Oracle 之 触发器

    触发器是特定的事件出现的时候,自动隐式执行代码块,这个过程用户无法控制,用户只能控制触发的事件,触发后的操作,触发过程是自动执行的. 定义触发器: 1.名称 2.触发时间:是在执行事件之前(befor ...

  2. 状压DP操作

    1.’&’符号,x&y,会将两个十进制数在二进制下进行与运算,然后返回其十进制下的值.例如3(11)&2(10)=2(10). 2.’|’符号,x|y,会将两个十进制数在二进制 ...

  3. js常用操作

    map操作:var map = {};map["a"] = 1;map["b"] = 2; console.log(Object.keys(map)); //[ ...

  4. MyEclipse使用教程:使用主题自定义工作台外观

    [MyEclipse CI 2019.4.0安装包下载] 您可以通过选择Window>Preferences>General>Appearance来使用主题自定义的工作台外观,可以从 ...

  5. git shell 右键启动注册表

    Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\Directory\Background\shell\Git Bash Here] ): ...

  6. MegaPixImage插件代码(new MegaPixImage)

    /** * Mega pixel image rendering library for iOS6 Safari * * Fixes iOS6 Safari's image file renderin ...

  7. 软件的三大类型-单机类型、BS类型、CS类型

    单机类型:最开始的软件就是那些不需要联网的单机软件. CS类型:有的程序需要统一管理软件中使用的数据, 所以就将保存数据的数据库统一存放在一台主机中, 所有的用户在需要数据时都要从主机获取, 这时就分 ...

  8. HBase(1.0.2) API数据模型

    几个相关类与HBase数据模型之间的对应关系 java类 HBase数据模型 HBaseAdmin 数据库(DataBase) HBaseConfiguration HTable 表(Table) H ...

  9. Let Us Adore 让我们来敬拜祂 中文歌词

      Verse 1 诸天宣告 神的荣耀 万国万民 都将赞美 宣扬祂奇妙 The heavens declare The glory of God And all of the world Will j ...

  10. XML 简介 – 什么是 XML?

    XML 指可扩展标记语言(eXtensible Markup Language). XML 被设计用来传输和存储数据. XML 很重要,也很容易学习. <?xml version="1 ...