SUMMARY:

This article provides information on how to manually generate a new system self-signed certificate to replace the expired system self-signed certificate, without resetting the firewall.

SYMPTOMS:

The system self-signed certificate has expired and when a new one is manually generated, it still shows the expired date.

CAUSE:

 

SOLUTION:

The process to automatically generate a new system self-signed certificate is to delete the expired system self-signed certificate and then reset the device. A new system self-signed certificate will be automatically generated when the device comes back up.

However, in certain operating environments, resetting the firewall is not an option. In such cases, the process to manually generate a new system self-signed certificate, without resetting the firewall, is provided in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03, in the "Manually Creating Self-Signed Certificates" section.

However, prior to performing this procedure, you have to delete the expired system self-signed certificate:

delete pki object-id system

When the deletion is complete, perform the following procedure, as mentioned in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03:

    1. Define the certificate attributes:

      set pki x509 dn name 4ssl
      set pki x509 dn org-name abc123
      set pki x509 cert-fqdn www.abc123.com
      save

    2. Generate the public/private key pair. To generate a public/private key pair, which the Juniper Networks security device uses in its certificate request, use the following command:

      exec pki rsa new-key 2048

      After the security device generates a key pair, it composes the following certificate request:

      -----BEGIN CERTIFICATE REQUEST-----
      MIIB0jCCATsCAQAwZTENMAsGA1UEChMESk5QUjEZMBcGA1UEAxMQMDA0MzAyMjAw
      MjAwMDE4NjEQMA4GA1UEAxMHcnNhLWtleTEYMBYGA1UEAxMPd3d3Lmp1bmlwZXIu
      bmV0MQ0wCwYDVQQDEwQ1c3NsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP
      aAtelkL4HxQmO1w1jv9NMmrWnzdVYnGrKrXnw2MaB3xEgouWrlymEkZetA2ouKeA
      D24SL0h1YvJ7Sd9PvkhwHOnvP1zkOCWA84TgvxBzcAyeBnS1UpSwcC0admX0Da6T
      80EUuGrmUWodddRFUc8o5d2VGTUOM7WgcFDZRSGQGwIDAQABoC0wKwYJKoZIhvcN
      AQkOMR4wHDAaBgNVHREEEzARgg93d3cuanVuaXBlci5uZXQwDQYJKoZIhvcNAQEF
      BQADgYEAgvDXI4H905y/2+k4omo9Y4XQrgq44Rj3jqXAYYMgQBd0Q8HoyL5NE3+i
      QUkiYjMTWO2wIWzEr4u/tdAISEVTu03achZa3zIkUtn8sD/VYKhFlyPCBVvMiaHd
      FzIHUgBuMrr+awowJDG6wARhR75w7pORXy7+aAmvIjew8YRre9s=
      -----END CERTIFICATE REQUEST-----

      To learn the ID number for the key pair, use the following command:

      get pki x509 list key-pair

      Getting OTHER PKI OBJECT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095259
      CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

    3. Generate the self-signed certificate. Use the following command, which references the key-pair ID number that was learned from the output of the previous command:

      exec pki x509 self-signed-cert key-pair 176095259 (from output of previous command)

      To view the newly created self-signed certificate, use the following command:

      get pki x509 list local-cert

      Getting LOCAL CERT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095261 LOCAL CERT friendly name <29>
      LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

      To view the certificate in more detail, run the following command by using the ID number of the certificate:

      get pki x509 cert 176095261 (from output of previous command)

      -0001 176095261 LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Serial Number: <9d1c03365a5caa172ace4f82bb5ec9da>
      subject alt name extension:
      email(1): (empty)
      fqdn(2): (www.juniper.net)
      ipaddr(7): (empty)
      no renew
      finger print (md5) <be9e0280 02bdd9d1 175caf23 6345198e>
      finger print (sha) <87e0eee0 c06f9bac 9098bd02 0e631c1b 26e37e0e>
      subject name hash: <d82be8ae 4e71a576 2e3f06fc a98319a3 5c8c6c27>
      use count: <1>
      flag <00000000>

      You can copy the subject name and fingerprint from this output and communicate it to other administrators who intend to use SSL when managing the security device. When they initiate an SSL connection, they can then use this information to ensure that the certificate they receive is indeed from the security device.

    1. Assign the certificate for use with SSL.To assign the new system self-signed certificate for use with HTTP for SSL, refer to KB11496 - How to change the certificate used for SSL (HTTPS) WebUI Management:

      set ssl enable
      set ssl encrypt "rc4" md5
      set ssl cert-hash "d82be8ae4e71a5762e3f06fca98319a35c8c6c27"       (from hash of previous command)

      To verify this last step:

      get ssl
      web SSL enable.
      web SSL port number(443).
      web SSL cert: initialized.
      Subject DN(CN=self-signed,CN=4ssl,CN=www.abc123.net,CN=rsa-key,CN=0043022002000186,O=abc123)
      web SSL cipher(RC4_MD5).

[ScreenOS] How to manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall的更多相关文章

  1. NHibernate无法将类型“System.Collections.Generic.IList<T>”隐式转换为“System.Collections.Generic.IList<IT>

    API有一个需要实现的抽象方法: public IList<IPermission> GetPermissions(); 需要注意的是IList<IPermission>这个泛 ...

  2. 問題排查:System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel

    錯誤訊息如下: System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel, Version=3.0.0.0, Culture=neu ...

  3. HttpClient exception:ExceptionType:System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System.IO.IOException: Unable to read data from the transport connection: Operation ca

    error msg: System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System. ...

  4. 对于System.Net.Http的学习(一)——System.Net.Http 简介

    System.Net.Http 是微软推出的最新的 HTTP 应用程序的编程接口, 微软称之为“现代化的 HTTP 编程接口”, 主要提供如下内容: 1. 用户通过 HTTP 使用现代化的 Web S ...

  5. 对于System.Net.Http的学习(一)——System.Net.Http 简介(转)

    最新在学习System.Net.Http的知识,看到有篇文章写的十分详细,就想转过来,自己记录下.原地址是http://www.cnblogs.com/chillsrc/p/3439215.html? ...

  6. alter system archive log current作用及和alter system switch logfile区别

    alter system archive log current 是归档当前的重做日志文件,不管自动归档有没有打都归档. alter system switch logfile 是强制日志切换,不一定 ...

  7. System.Collections空间下的Hashtable类与System.Collections.Specialized下的StringDictionary的一点小区别

    哎.有一周没有写自己的博客. 最近在做一个调用web服务的小程序,没有使用c#自动生成的代理类,而是使用http-get.post.以及soap的方式去请求的,使用这http请求这种方式需要自己去拼参 ...

  8. [转]ADT中通过DDMS导入文件出错ddms transfer error: Read-only file system,Failed to push selection: Read-only file system

    [已解决] 原文  http://www.crifan.com/ddms_import_file_error_transfer_error_read_only_file_system/ 想要通过adt ...

  9. Java获取系统环境变量(System Environment Variable)和系统属性(System Properties)以及启动参数的方法

    系统环境变量(System Environment Variable): 在Linux下使用export $ENV=123指定的值.获取的方式如下: Map<String,String> ...

随机推荐

  1. httprunner如何提取数据串联上下游接口

    httprunner进行接口测试时,从上一个接口提取参数传递给下游接口,如何获取数据里最后一个值? 突然被学员问道一个httprunner的问题,惭愧的是大猫之前没有是通过httprunner,又不好 ...

  2. 转载:利用php数组函数进行函数式编程

    因为一个BUG, 我在一个摇摇欲坠,几乎碰一下就会散架的项目中某一个角落中发现下面这样一段代码 这段程序与那个BUG有密切的关系. 我来回反复的捉摸这段代码, 发现这段代码实现了两个功能 第一个是在一 ...

  3. 跨域 (3) window.name

    window对象有一个name属性,该属性有一个特征:即在一个窗口的生命周期内,窗口载入的所有的页面都是共享一个window.name的,每一个页面对window.name都有读写的权限,window ...

  4. 前端每日实战:157# 视频演示如何用纯 CSS 创作一个棋盘错觉动画(实际上每一行都是平行的)

    效果预览 按下右侧的"点击预览"按钮可以在当前页面预览,点击链接可以全屏预览. https://codepen.io/comehope/pen/VEyoGj 可交互视频 此视频是可 ...

  5. 常见状态码StatusCode

    当浏览者访问一个网页时,浏览者的浏览器会向网页所在服务器发出请求.当浏览器接收并显示网页前,此网页所在的服务器会返回一个包含HTTP状态码的信息头(server header)用以响应浏览器的请求. ...

  6. CMDB表结构设计

    服务器 内存.cpu.disk.nic.raid.sn.model.os.status. disk_info = { } SERVER001 storage .... NET001 网络设备 eth ...

  7. JAVA笔记15-线程同步

    一.概念 1.多个线程之间访问同一资源,进行协调的过程是线程同步.例如两个人同时操作同一银行账户.解决方法:加锁 2.Java种引入对象互斥锁的概念,保证共享数据操作的完整性.每个对象都对应于一个可称 ...

  8. MySQL错误日志显示(Got an error reading communication packets)的问题

    错误显示: 2019-05-28T12:54:08.267934+08:00 820396 [Note] Aborted connection 820396 to db: 'Databaseplatf ...

  9. 【知识】定时器setTimeout/setInterval执行时this指针指向问题

    [问题描述] setTimetout/setInterval中this指针指向window,以下是一个小demo: var demoChange = { key: true, changeFun() ...

  10. HDU1022--Train Problem I(栈的应用)

    Problem Description As the new term comes, the Ignatius Train Station is very busy nowadays. A lot o ...