[ScreenOS] How to change the certificate that is used for SSL (HTTPS) WebUI Management
SUMMARY:
This article provides information on how to change the certificate that is used for SSL (HTTPS) WebUI Management.
SYMPTOMS:
Beginning with ScreenOS 5.1, the firewall creates its own self-signed certificate, which is used for SSL (HTTPS) WebUI management. Customers may want to use their own certificate, which is signed by their own CA (Certificate Authority).
CAUSE:
SOLUTION:
- Load the CA certificate on the firewall.
- Generate a PKCS certificate request for the CA to sign.
- Load the local certificate on the firewall.
- Via the WebUI, go to Configuration > Admin > Management and change the certificate from Default - System Self-Signed Cert to the Local certificate.
- Via the CLI, use the following commands:
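get pki x509 list local-cert
get pki x509 cert <ID num>
set ssl cert-hash <subject name hash>

For example (the session below selects RC4 with MD5, which reflects the age of this example; RFC 7465 prohibits RC4 cipher suites in TLS):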
ssg5-v92-wlan-> get pki x509 list local-cert
Getting LOCAL CERT ...
IDX ID num X509 Certificate Subject Distinguish Name
================================================================================
0000 233832475 LOCAL CERT friendly name <27>
CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
1695,OU=support,O=juniper,C=US,
Expire on 05-08-2009 20:03, Issued By:
CN=JTAC,OU=Juniper,OU=net,
================================================================================
ssg5-v92-wlan-> get pki x509 cert 233832475
-001 233832475 LOCAL CERT friendly name <27>
CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
1695,OU=support,O=juniper,C=US,
Expire on 05-08-2009 20:03, Issued By:
CN=JTAC,OU=Juniper,OU=net,
Serial Number: <6132536c000000000002>
subject alt name extension:
email(1): (empty)
fqdn(2): (ssg5-v92-wlan.jnpr.net)
ipaddr(7): (empty)
no renew
finger print (md5) <da98859d c567dd63 acb3d3d3 ce4c9399>
finger print (sha) <3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d>
subject name hash: <24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>
obj type: <1>
use count: <1>
flag <00000000>
ssg5-v92-wlan-> set ssl enable
ssg5-v92-wlan-> set ssl encrypt "rc4" md5
ssg5-v92-wlan-> set ssl cert-hash "24290B213A02BAEFA29C380D739F60B63C1F54F5"
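
The subject name hash is printed in space-separated groups but is entered in the example above as one unbroken string. The following script is an added example, not part of the original article or Juniper tooling: it parses saved `get pki x509 cert` output, checks the SAN fqdn against the expected management hostname, and builds the `set ssl cert-hash` line. The function names and the 40-hex-digit length check are assumptions based on the sample output shown above.

```python
import re

# Constructed sample: the `get pki x509 cert` output from this page, trimmed.
SAMPLE = """\
-001 233832475 LOCAL CERT friendly name <27>
Expire on 05-08-2009 20:03, Issued By:
CN=JTAC,OU=Juniper,OU=net,
subject alt name extension:
email(1): (empty)
fqdn(2): (ssg5-v92-wlan.jnpr.net)
ipaddr(7): (empty)
finger print (sha) <3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d>
subject name hash: <24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>
"""


def hex_field(label, text):
    """Return the <...> value after `label` as 40 upper-case hex digits."""
    m = re.search(re.escape(label) + r":?\s*<([0-9a-fA-F ]*)>", text)
    if not m:
        raise ValueError(f"field not found: {label}")
    value = m.group(1).replace(" ", "").upper()
    if len(value) != 40:  # assumption: 160-bit values, as in the sample
        raise ValueError(f"{label}: expected 40 hex digits, got {len(value)}")
    return value


def parse_cert(text):
    """Extract the fields needed to bind and later audit the WebUI cert."""
    m = re.search(r"fqdn\(2\):\s*\(([^)]*)\)", text)
    fqdn = m.group(1) if m and m.group(1) != "empty" else None
    return {
        "subject_hash": hex_field("subject name hash", text),
        "sha_fingerprint": hex_field("finger print (sha)", text),
        "fqdn": fqdn,
    }


def cert_hash_command(text, expected_fqdn):
    """Build the `set ssl cert-hash` line, refusing a cert for another host."""
    info = parse_cert(text)
    if (info["fqdn"] or "").lower() != expected_fqdn.lower():
        raise ValueError(f"SAN fqdn {info['fqdn']!r} != {expected_fqdn!r}")
    return f'set ssl cert-hash "{info["subject_hash"]}"'


if __name__ == "__main__":
    print(cert_hash_command(SAMPLE, "ssg5-v92-wlan.jnpr.net"))
```

Recording the SHA fingerprint returned by `parse_cert` gives a value to compare against what browsers see on the HTTPS management port after the change.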