SUMMARY:

This article provides information on how to manually generate a new system self-signed certificate to replace the expired system self-signed certificate, without resetting the firewall.

SYMPTOMS:

The system self-signed certificate has expired and when a new one is manually generated, it still shows the expired date.

CAUSE:

 

SOLUTION:

The process to automatically generate a new system self-signed certificate is to delete the expired system self-signed certificate and then reset the device. A new system self-signed certificate will be automatically generated when the device comes back up.

However, in certain operating environments, resetting the firewall is not an option. In such cases, the process to manually generate a new system self-signed certificate, without resetting the firewall, is provided in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03, in the "Manually Creating Self-Signed Certificates" section.

However, prior to performing this procedure, you have to delete the expired system self-signed certificate:

delete pki object-id system

When the deletion is complete, perform the following procedure, as mentioned in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03:

    1. Define the certificate attributes:

      set pki x509 dn name 4ssl
      set pki x509 dn org-name abc123
      set pki x509 cert-fqdn www.abc123.com
      save

    2. Generate the public/private key pair. To generate a public/private key pair, which the Juniper Networks security device uses in its certificate request, use the following command:

      exec pki rsa new-key 2048

      After the security device generates a key pair, it composes the following certificate request:

      -----BEGIN CERTIFICATE REQUEST-----
      MIIB0jCCATsCAQAwZTENMAsGA1UEChMESk5QUjEZMBcGA1UEAxMQMDA0MzAyMjAw
      MjAwMDE4NjEQMA4GA1UEAxMHcnNhLWtleTEYMBYGA1UEAxMPd3d3Lmp1bmlwZXIu
      bmV0MQ0wCwYDVQQDEwQ1c3NsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP
      aAtelkL4HxQmO1w1jv9NMmrWnzdVYnGrKrXnw2MaB3xEgouWrlymEkZetA2ouKeA
      D24SL0h1YvJ7Sd9PvkhwHOnvP1zkOCWA84TgvxBzcAyeBnS1UpSwcC0admX0Da6T
      80EUuGrmUWodddRFUc8o5d2VGTUOM7WgcFDZRSGQGwIDAQABoC0wKwYJKoZIhvcN
      AQkOMR4wHDAaBgNVHREEEzARgg93d3cuanVuaXBlci5uZXQwDQYJKoZIhvcNAQEF
      BQADgYEAgvDXI4H905y/2+k4omo9Y4XQrgq44Rj3jqXAYYMgQBd0Q8HoyL5NE3+i
      QUkiYjMTWO2wIWzEr4u/tdAISEVTu03achZa3zIkUtn8sD/VYKhFlyPCBVvMiaHd
      FzIHUgBuMrr+awowJDG6wARhR75w7pORXy7+aAmvIjew8YRre9s=
      -----END CERTIFICATE REQUEST-----

      To learn the ID number for the key pair, use the following command:

      get pki x509 list key-pair

      Getting OTHER PKI OBJECT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095259
      CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

    3. Generate the self-signed certificate. Use the following command, which references the key-pair ID number that was learned from the output of the previous command:

      exec pki x509 self-signed-cert key-pair 176095259 (from output of previous command)

      To view the newly created self-signed certificate, use the following command:

      get pki x509 list local-cert

      Getting LOCAL CERT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095261 LOCAL CERT friendly name <29>
      LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

      To view the certificate in more detail, run the following command by using the ID number of the certificate:

      get pki x509 cert 176095261 (from output of previous command)

      -0001 176095261 LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Serial Number: <9d1c03365a5caa172ace4f82bb5ec9da>
      subject alt name extension:
      email(1): (empty)
      fqdn(2): (www.juniper.net)
      ipaddr(7): (empty)
      no renew
      finger print (md5) <be9e0280 02bdd9d1 175caf23 6345198e>
      finger print (sha) <87e0eee0 c06f9bac 9098bd02 0e631c1b 26e37e0e>
      subject name hash: <d82be8ae 4e71a576 2e3f06fc a98319a3 5c8c6c27>
      use count: <1>
      flag <00000000>

      You can copy the subject name and fingerprint from this output and communicate it to other administrators who intend to use SSL when managing the security device. When they initiate an SSL connection, they can then use this information to ensure that the certificate they receive is indeed from the security device.

    1. Assign the certificate for use with SSL.To assign the new system self-signed certificate for use with HTTP for SSL, refer to KB11496 - How to change the certificate used for SSL (HTTPS) WebUI Management:

      set ssl enable
      set ssl encrypt "rc4" md5
      set ssl cert-hash "d82be8ae4e71a5762e3f06fca98319a35c8c6c27"       (from hash of previous command)

      To verify this last step:

      get ssl
      web SSL enable.
      web SSL port number(443).
      web SSL cert: initialized.
      Subject DN(CN=self-signed,CN=4ssl,CN=www.abc123.net,CN=rsa-key,CN=0043022002000186,O=abc123)
      web SSL cipher(RC4_MD5).

[ScreenOS] How to manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall的更多相关文章

  1. NHibernate无法将类型“System.Collections.Generic.IList<T>”隐式转换为“System.Collections.Generic.IList<IT>

    API有一个需要实现的抽象方法: public IList<IPermission> GetPermissions(); 需要注意的是IList<IPermission>这个泛 ...

  2. 問題排查:System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel

    錯誤訊息如下: System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel, Version=3.0.0.0, Culture=neu ...

  3. HttpClient exception:ExceptionType:System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System.IO.IOException: Unable to read data from the transport connection: Operation ca

    error msg: System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System. ...

  4. 对于System.Net.Http的学习(一)——System.Net.Http 简介

    System.Net.Http 是微软推出的最新的 HTTP 应用程序的编程接口, 微软称之为“现代化的 HTTP 编程接口”, 主要提供如下内容: 1. 用户通过 HTTP 使用现代化的 Web S ...

  5. 对于System.Net.Http的学习(一)——System.Net.Http 简介(转)

    最新在学习System.Net.Http的知识,看到有篇文章写的十分详细,就想转过来,自己记录下.原地址是http://www.cnblogs.com/chillsrc/p/3439215.html? ...

  6. alter system archive log current作用及和alter system switch logfile区别

    alter system archive log current 是归档当前的重做日志文件,不管自动归档有没有打都归档. alter system switch logfile 是强制日志切换,不一定 ...

  7. System.Collections空间下的Hashtable类与System.Collections.Specialized下的StringDictionary的一点小区别

    哎.有一周没有写自己的博客. 最近在做一个调用web服务的小程序,没有使用c#自动生成的代理类,而是使用http-get.post.以及soap的方式去请求的,使用这http请求这种方式需要自己去拼参 ...

  8. [转]ADT中通过DDMS导入文件出错ddms transfer error: Read-only file system,Failed to push selection: Read-only file system

    [已解决] 原文  http://www.crifan.com/ddms_import_file_error_transfer_error_read_only_file_system/ 想要通过adt ...

  9. Java获取系统环境变量(System Environment Variable)和系统属性(System Properties)以及启动参数的方法

    系统环境变量(System Environment Variable): 在Linux下使用export $ENV=123指定的值.获取的方式如下: Map<String,String> ...

随机推荐

  1. 2019牛客暑期多校训练营(第一场) B Integration (数学)

    链接:https://ac.nowcoder.com/acm/contest/881/B 来源:牛客网 Integration 时间限制:C/C++ 2秒,其他语言4秒 空间限制:C/C++ 5242 ...

  2. jquery预览本地图片

    本人qq群也有许多的技术文档,希望可以为你提供一些帮助(非技术的勿加). QQ群:   281442983 (点击链接加入群:http://jq.qq.com/?_wv=1027&k=29Lo ...

  3. Python模块-requests模块使用

    写在前面 这篇文章是我照着廖雪峰python网站学习的,大致内容差不多,多了我一丢丢的自己的想法.如果发现有什么不对的话请及时联系我.qq:472668561 参考链接:https://www.lia ...

  4. JSP 和Servlet 有有什么关系?

    Servlet是一个特殊的Java程序,它运行于服务器的JVM中,能够依靠服务器的支持向浏览器提供显示内容. JSP本质上是Servlet的一种简易形式, JSP会被服务器处理成一个类似于Servle ...

  5. The Preliminary Contest for ICPC Asia Shanghai 2019 D. Counting Sequences I

    题目:https://nanti.jisuanke.com/t/41412思路:dfs           先取ai>2  2^12>3000 因此至多取11个 其余用1补        ...

  6. js 中使用typeof

    >typeof(null) <"object" 对null执行typeof预算,结果返回字符串'object',也就是说,可以将null认为是一个特殊的对象值,含义是“ ...

  7. 12. ClustrixDB 为容错和可用性分配磁盘空间

    集群必须包含足够的空闲磁盘空间,以便从节点或区域故障中自动恢复.要计算在发生故障后仍然允许ClustrixDB完全重新保护数据的情况下可以使用的最大磁盘空间量,可以使用以下公式: 最大磁盘利用率% = ...

  8. teradata安装

    一,下载 步骤1 - 从链接下载所需的VM版本,http://downloads.teradata.com/download/database/teradata-express-for-vmware- ...

  9. BZOJ 4821: [Sdoi2017]相关分析 线段树 + 卡精

    考试的时候切掉了,然而卡精 + 有一个地方忘开 $long long$,完美挂掉 $50$pts. 把式子化简一下,然后直接拿线段树来维护即可. Code: // luogu-judger-enabl ...

  10. 51 Nod 1678 lyk与gcd(容斥原理)

    1678 lyk与gcd  基准时间限制:2 秒 空间限制:131072 KB 分值: 80 难度:5级算法题  收藏  关注 这天,lyk又和gcd杠上了. 它拥有一个n个数的数列,它想实现两种操作 ...