SUMMARY:

This article provides information on how to manually generate a new system self-signed certificate to replace the expired system self-signed certificate, without resetting the firewall.

SYMPTOMS:

The system self-signed certificate has expired and when a new one is manually generated, it still shows the expired date.

CAUSE:

 

SOLUTION:

The process to automatically generate a new system self-signed certificate is to delete the expired system self-signed certificate and then reset the device. A new system self-signed certificate will be automatically generated when the device comes back up.

However, in certain operating environments, resetting the firewall is not an option. In such cases, the process to manually generate a new system self-signed certificate, without resetting the firewall, is provided in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03, in the "Manually Creating Self-Signed Certificates" section.

However, prior to performing this procedure, you have to delete the expired system self-signed certificate:

delete pki object-id system

When the deletion is complete, perform the following procedure, as mentioned in the Concepts & Examples ScreenOS Reference Guide Volume 5: Virtual Private Networks Release 6.2.0, Rev. 03:

    1. Define the certificate attributes:

      set pki x509 dn name 4ssl
      set pki x509 dn org-name abc123
      set pki x509 cert-fqdn www.abc123.com
      save

    2. Generate the public/private key pair. To generate a public/private key pair, which the Juniper Networks security device uses in its certificate request, use the following command:

      exec pki rsa new-key 2048

      After the security device generates a key pair, it composes the following certificate request:

      -----BEGIN CERTIFICATE REQUEST-----
      MIIB0jCCATsCAQAwZTENMAsGA1UEChMESk5QUjEZMBcGA1UEAxMQMDA0MzAyMjAw
      MjAwMDE4NjEQMA4GA1UEAxMHcnNhLWtleTEYMBYGA1UEAxMPd3d3Lmp1bmlwZXIu
      bmV0MQ0wCwYDVQQDEwQ1c3NsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP
      aAtelkL4HxQmO1w1jv9NMmrWnzdVYnGrKrXnw2MaB3xEgouWrlymEkZetA2ouKeA
      D24SL0h1YvJ7Sd9PvkhwHOnvP1zkOCWA84TgvxBzcAyeBnS1UpSwcC0admX0Da6T
      80EUuGrmUWodddRFUc8o5d2VGTUOM7WgcFDZRSGQGwIDAQABoC0wKwYJKoZIhvcN
      AQkOMR4wHDAaBgNVHREEEzARgg93d3cuanVuaXBlci5uZXQwDQYJKoZIhvcNAQEF
      BQADgYEAgvDXI4H905y/2+k4omo9Y4XQrgq44Rj3jqXAYYMgQBd0Q8HoyL5NE3+i
      QUkiYjMTWO2wIWzEr4u/tdAISEVTu03achZa3zIkUtn8sD/VYKhFlyPCBVvMiaHd
      FzIHUgBuMrr+awowJDG6wARhR75w7pORXy7+aAmvIjew8YRre9s=
      -----END CERTIFICATE REQUEST-----

      To learn the ID number for the key pair, use the following command:

      get pki x509 list key-pair

      Getting OTHER PKI OBJECT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095259
      CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

    3. Generate the self-signed certificate. Use the following command, which references the key-pair ID number that was learned from the output of the previous command:

      exec pki x509 self-signed-cert key-pair 176095259 (from output of previous command)

      To view the newly created self-signed certificate, use the following command:

      get pki x509 list local-cert

      Getting LOCAL CERT ...
      IDX ID num X509 Certificate Subject Distinguish Name
      ========================================================
      0000 176095261 LOCAL CERT friendly name <29>
      LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,
      O=jnpr,
      ========================================================

      To view the certificate in more detail, run the following command by using the ID number of the certificate:

      get pki x509 cert 176095261 (from output of previous command)

      -0001 176095261 LOCAL CERT friendly name <29>
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Expire on 10-19-2009 17:20, Issued By:
      CN=self-signed,CN=4ssl,CN=www.juniper.net,CN=rsa-key,CN=0043022002000186,O=jnpr,
      Serial Number: <9d1c03365a5caa172ace4f82bb5ec9da>
      subject alt name extension:
      email(1): (empty)
      fqdn(2): (www.juniper.net)
      ipaddr(7): (empty)
      no renew
      finger print (md5) <be9e0280 02bdd9d1 175caf23 6345198e>
      finger print (sha) <87e0eee0 c06f9bac 9098bd02 0e631c1b 26e37e0e>
      subject name hash: <d82be8ae 4e71a576 2e3f06fc a98319a3 5c8c6c27>
      use count: <1>
      flag <00000000>

      You can copy the subject name and fingerprint from this output and communicate it to other administrators who intend to use SSL when managing the security device. When they initiate an SSL connection, they can then use this information to ensure that the certificate they receive is indeed from the security device.

    1. Assign the certificate for use with SSL.To assign the new system self-signed certificate for use with HTTP for SSL, refer to KB11496 - How to change the certificate used for SSL (HTTPS) WebUI Management:

      set ssl enable
      set ssl encrypt "rc4" md5
      set ssl cert-hash "d82be8ae4e71a5762e3f06fca98319a35c8c6c27"       (from hash of previous command)

      To verify this last step:

      get ssl
      web SSL enable.
      web SSL port number(443).
      web SSL cert: initialized.
      Subject DN(CN=self-signed,CN=4ssl,CN=www.abc123.net,CN=rsa-key,CN=0043022002000186,O=abc123)
      web SSL cipher(RC4_MD5).

[ScreenOS] How to manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall的更多相关文章

  1. NHibernate无法将类型“System.Collections.Generic.IList<T>”隐式转换为“System.Collections.Generic.IList<IT>

    API有一个需要实现的抽象方法: public IList<IPermission> GetPermissions(); 需要注意的是IList<IPermission>这个泛 ...

  2. 問題排查:System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel

    錯誤訊息如下: System.BadImageFormatException: 未能加载文件或程序集“System.ServiceModel, Version=3.0.0.0, Culture=neu ...

  3. HttpClient exception:ExceptionType:System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System.IO.IOException: Unable to read data from the transport connection: Operation ca

    error msg: System.Threading.Tasks.TaskCanceledException: The operation was canceled. ---> System. ...

  4. 对于System.Net.Http的学习(一)——System.Net.Http 简介

    System.Net.Http 是微软推出的最新的 HTTP 应用程序的编程接口, 微软称之为“现代化的 HTTP 编程接口”, 主要提供如下内容: 1. 用户通过 HTTP 使用现代化的 Web S ...

  5. 对于System.Net.Http的学习(一)——System.Net.Http 简介(转)

    最新在学习System.Net.Http的知识,看到有篇文章写的十分详细,就想转过来,自己记录下.原地址是http://www.cnblogs.com/chillsrc/p/3439215.html? ...

  6. alter system archive log current作用及和alter system switch logfile区别

    alter system archive log current 是归档当前的重做日志文件,不管自动归档有没有打都归档. alter system switch logfile 是强制日志切换,不一定 ...

  7. System.Collections空间下的Hashtable类与System.Collections.Specialized下的StringDictionary的一点小区别

    哎.有一周没有写自己的博客. 最近在做一个调用web服务的小程序,没有使用c#自动生成的代理类,而是使用http-get.post.以及soap的方式去请求的,使用这http请求这种方式需要自己去拼参 ...

  8. [转]ADT中通过DDMS导入文件出错ddms transfer error: Read-only file system,Failed to push selection: Read-only file system

    [已解决] 原文  http://www.crifan.com/ddms_import_file_error_transfer_error_read_only_file_system/ 想要通过adt ...

  9. Java获取系统环境变量(System Environment Variable)和系统属性(System Properties)以及启动参数的方法

    系统环境变量(System Environment Variable): 在Linux下使用export $ENV=123指定的值.获取的方式如下: Map<String,String> ...

随机推荐

  1. boost多线程编译出错

    添加 -lpthread CPLUS_INCLUDE_PATH=$CPLUS_INCLUDE_PATH:/tools/boost/includeexport CPLUS_INCLUDE_PATH LI ...

  2. ELF程序头部及程序加载

    程序头部 程序头部描述与程序执行直接相关的目标文件结构信息.用来在文件中定位各个段的映像.同时包含其他一些用来为程序创建进程映像所必需的信息. 可执行文件或者共享目标文件的程序头部是一个结构数组,每个 ...

  3. Linux系统中的硬件问题如何排查?(2)

    Linux系统中的硬件问题如何排查?(2) 2013-03-27 10:32 核子可乐译 51CTO.com 字号:T | T 在Linux系统中,对于硬件故障问题的排查可能是计算机管理领域最棘手的工 ...

  4. 在Rails中最方便集成使用Bootstrap的方式

    创建项目 rails new BootstrapProject 创建模型 rails g scaffold xxx --skip-stylesheets 运行迁移 rake db:migrate -- ...

  5. 工作笔记--js-点赞按钮和踩踩按钮互斥??怎么写?

    效果图: html: css: .an{ margin-top:0px; position: relative; .popzframe,.popcframe{ display: none; word- ...

  6. 14. ClustrixDB 高可用性的最佳实践

    本文档详细介绍了最大化ClustrixDB上运行的应用程序正常运行时间的最佳实践.这涵盖了广泛的主题,从环境需求到变更管理程序,所有这些最终都会影响应用程序的可用性.其中许多是您可能已经熟悉的标准最佳 ...

  7. 2. ClustrixDB 文件/参数说明

    一.日志/data/clustrix/log/query.log 记录节点慢SQL/错误SQL/DDL 等信息,节点分开记录 Each entry in the query.log is catego ...

  8. maven项目使用自己创建的jar包--maven without test code

    eclipse版本为2018-12(4.10.0) 1.创建一个jar包 首先自己建立了一个maven project,名为jweb.GAV坐标: <groupId>amberai< ...

  9. PHP入门培训教程 PHP变量及常量

         一.PHP5.4的基本语法格式 1.PHP的分割符 $php=true; //分号结束语句 if($php){ echo "真"; //分号结束语句 } //大括号结束语 ...

  10. BZOJ 2217: [Poi2011]Lollipop 构造 + 思维

    Description 有一个长度为n的序列a1,a2,...,an.其中ai要么是1("W"),要么是2("T").现在有m个询问,每个询问是询问有没有一个连 ...