SUMMARY:

This article provides information on how to manually generate a new system self-signed certificate to replace the expired system self-signed certificate, without resetting the firewall.

SYMPTOMS:

The system self-signed certificate has expired and when a new one is manually generated, it still shows the expired date.

CAUSE:

 

SOLUTION:

The process to automatically generate a new system self-signed certificate is to delete the expired system self-signed certificate and then reset the device. A new system self-signed certificate will be automatically generated when the device comes back up.

However, in certain operating environments, resetting the firewall is not an option. In such cases, the process to manually generate a new system self-signed certificate, without resetting the firewall, is documented in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks, Release 6.2.0, Rev. 03, in the "Manually Creating Self-Signed Certificates" section.

Before performing that procedure, you must delete the expired system self-signed certificate:

delete pki object-id system

When the deletion is complete, perform the following procedure, as mentioned in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03:

    1. Define the certificate attributes:

      set pki x509 dn name 4ssl
      set pki x509 dn org-name abc123
      set pki x509 cert-fqdn www.abc123.com
      save

    2. Generate the public/private key pair that the Juniper Networks security device uses in its certificate request:

      exec pki rsa new-key 2048

      After the security device generates a key pair, it composes and displays a PEM-encoded certificate request (a base64 block between the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines). The remaining steps reference only the key pair's ID number, not this request.

      To learn the ID number for the key pair, use the following command:

      get pki x509 list key-pair

      Getting OTHER PKI OBJECT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095259
      CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

    3. Generate the self-signed certificate. Use the following command, which references the key-pair ID number that was learned from the output of the previous command:

      exec pki x509 self-signed-cert key-pair 176095259
      (use the key-pair ID number from the output of the previous command)

      To view the newly created self-signed certificate, use the following command:

      get pki x509 list local-cert

      Getting LOCAL CERT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095261 LOCAL CERT friendly name <29>
      LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

      To view the certificate in more detail, run the following command by using the ID number of the certificate:

      get pki x509 cert 176095261
      (use the certificate ID number from the output of the previous command)

      -0001 176095261 LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Serial Number: <9d1c03365a5caa172ace4f82bb5ec9da>
      subject alt name extension:
      email(1): (empty)
      fqdn(2): (www.juniper.net)
      ipaddr(7): (empty)
      no renew
      finger print (md5) <be9e0280 02bdd9d1 175caf23 6345198e>
      finger print (sha) <87e0eee0 c06f9bac 9098bd02 0e631c1b 26e37e0e>
      subject name hash: <d82be8ae 4e71a576 2e3f06fc a98319a3 5c8c6c27>
      use count: <1>
      flag <00000000>

      You can copy the subject name and fingerprint from this output and communicate it to other administrators who intend to use SSL when managing the security device. When they initiate an SSL connection, they can then use this information to ensure that the certificate they receive is indeed from the security device.

    4. Assign the certificate for use with SSL. To assign the new system self-signed certificate for HTTPS (SSL) WebUI management, refer to KB11496 - How to change the certificate used for SSL (HTTPS) WebUI Management:

      set ssl enable
      set ssl encrypt "rc4" md5
      set ssl cert-hash "d82be8ae4e71a5762e3f06fca98319a35c8c6c27"
      (the subject name hash from the output of the previous command, with the spaces removed)

      To verify this last step:

      get ssl
      web SSL enable.
      web SSL port number(443).
      web SSL cert: initialized.
      Subject DN(CN=self-signed,CN=4ssl,CN=www.abc123.net,CN=rsa-key,CN=0043022002000186,O=abc123)
      web SSL cipher(RC4_MD5).
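As an added example (not part of this KB article, ScreenOS, or any Juniper tool), the following Python script parses the "get pki x509 cert" output shown in step 3, checks whether the listed certificate is still expired (the symptom this article addresses), normalizes the subject name hash into the unspaced form that "set ssl cert-hash" expects in step 4, and compares a SHA-1 fingerprint received out-of-band with the device's. The sample output is an abridged copy of the output above; the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: abridged 'get pki x509 cert 176095261' output from step 3 above.
SAMPLE_OUTPUT = """\
-0001 176095261 LOCAL CERT friendly name <29>
CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
Expire on 10-19-2009 17:20, Issued By:
CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
Serial Number: <9d1c03365a5caa172ace4f82bb5ec9da>
finger print (md5) <be9e0280 02bdd9d1 175caf23 6345198e>
finger print (sha) <87e0eee0 c06f9bac 9098bd02 0e631c1b 26e37e0e>
subject name hash: <d82be8ae 4e71a576 2e3f06fc a98319a3 5c8c6c27>
"""

def parse_cert_output(text):
    """Pull expiry, fingerprints and subject name hash out of 'get pki x509 cert <id>'."""
    fields = {}
    m = re.search(r"Expire on (\d{2}-\d{2}-\d{4} \d{2}:\d{2})", text)
    if m:
        fields["expires"] = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M")
    labels = {"md5": r"finger print \(md5\)", "sha1": r"finger print \(sha\)",
              "subject_hash": r"subject name hash:"}
    for key, label in labels.items():
        m = re.search(label + r"\s*<([0-9a-f ]+)>", text)
        if m:
            fields[key] = m.group(1).replace(" ", "")  # device prints space-separated 32-bit words
    return fields

def is_expired(fields, as_of):
    """True if the certificate's 'Expire on' time is not after the ISO date/time as_of."""
    return fields["expires"] <= datetime.fromisoformat(as_of)

def ssl_cert_hash_command(fields):
    """'set ssl cert-hash' takes the subject name hash as one unspaced hex string."""
    return 'set ssl cert-hash "%s"' % fields["subject_hash"]

def fingerprint_matches(fields, expected_sha1):
    """Compare an out-of-band SHA-1 fingerprint (any case, colons or spaces) to the device's."""
    return fields["sha1"] == re.sub(r"[\s:]", "", expected_sha1).lower()

if __name__ == "__main__":
    info = parse_cert_output(SAMPLE_OUTPUT)
    print("expired as of 2010-01-01:", is_expired(info, "2010-01-01"))
    print(ssl_cert_hash_command(info))
```

If the new certificate still reports the old "Expire on" date, the expired certificate was not deleted before the key pair was regenerated; repeat the delete step first.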
