Replace SSL Certificate on Apstra Server with Signed One

07-Feb-24

When you boot the Apstra server for the first time, a unique self-signed certificate is generated automatically and stored on the Apstra server in /etc/aos/nginx.conf.d (nginx.crt is the web server's certificate, which carries the public key, and nginx.key is the private key). The certificate secures HTTPS connections to the Apstra server's web server and REST API; it is not used for any internal device-to-server connectivity. Because the HTTPS certificate is not retained when you back up the system, you must manually back up the /etc/aos folder. We recommend replacing the default SSL certificate. Web server certificate management is the responsibility of the end user; Juniper support is best effort only.

  1. Back up the existing OpenSSL keys.
    admin@aos-server:/$ sudo -s
    [sudo] password for admin:
    
    root@aos-server:/# cd /etc/aos/nginx.conf.d
    root@aos-server:/etc/aos/nginx.conf.d# cp nginx.crt nginx.crt.old
    root@aos-server:/etc/aos/nginx.conf.d# cp nginx.key nginx.key.old
  2. Create a new OpenSSL private key with the built-in openssl command.
    root@aos-server:/etc/aos/nginx.conf.d# openssl genrsa -out nginx.key 2048
    Generating RSA private key, 2048 bit long modulus
    .............+++
    ......+++
    e is 65537 (0x10001)
    CAUTION:

    Don't modify nginx.crt or nginx.key filenames. They're referred to in nginx.conf. As part of subsequent service upgrades, these files could be replaced, so the filenames must be predictable.

    Also, don't change configuration in nginx.conf, as this file may be replaced during Apstra server upgrade, and any changes you make would be discarded.

  3. Create a certificate signing request. If you want a signed SSL certificate with a Subject Alternative Name (SAN) for your Apstra server HTTPS service, you must manually create an OpenSSL template. For details, see Juniper Support Knowledge Base article KB37299.
    CAUTION:

    If you have created custom OpenSSL configuration files for advanced certificate requests, don't leave them in the Nginx configuration folder. On startup, Nginx will attempt to load them (*.conf), causing a service failure.

    root@aos-server:/etc/aos/nginx.conf.d# openssl req -new -sha256 -key nginx.key -out nginx.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:Menlo Park
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Apstra, Inc
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:aos-server.apstra.com
    Email Address []:support@apstra.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  4. Submit your Certificate Signing Request (nginx.csr) to your Certificate Authority. The required steps are outside the scope of this document; CA instructions differ per implementation. Any valid SSL certificate will work. The example below is for self-signing the certificate.
    root@aos-server:/etc/aos/nginx.conf.d# openssl req -x509 -sha256 -days 3650 -key nginx.key -in nginx.csr -out nginx.crt
    root@aos-server:/etc/aos/nginx.conf.d#
  5. Verify that the private key, the CSR, and the certificate all match: the three commands below must print the same modulus hash.
    root@aos-server:/etc/aos/nginx.conf.d# openssl rsa -noout -modulus -in nginx.key | openssl md5
    (stdin)= 60ac4532a708c98d70fee0dbcaab1e75
    
    root@aos-server:/etc/aos/nginx.conf.d# openssl req -noout -modulus -in nginx.csr | openssl md5
    (stdin)= 60ac4532a708c98d70fee0dbcaab1e75
    
    root@aos-server:/etc/aos/nginx.conf.d# openssl x509 -noout -modulus -in nginx.crt | openssl md5
    (stdin)= 60ac4532a708c98d70fee0dbcaab1e75
  6. To load the new certificate, restart the nginx container.
    root@aos-server:/etc/aos/nginx.conf.d# docker restart aos_nginx_1
    aos_nginx_1
    root@aos-server:/etc/aos/nginx.conf.d#
  7. In your web browser, confirm that the new certificate is being served and that its common name matches 'aos-server.apstra.com'.
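The seven steps above are one procedure with a pause in the middle while the CA signs the CSR. The script below is an added example; it is not Juniper's code and not part of the Apstra documentation. It wraps the documented commands in functions that refuse to restart nginx until the key, CSR and certificate share one modulus (step 5) and no stray OpenSSL request template remains in the directory (the caution in step 3). The path /etc/aos/nginx.conf.d and the container name aos_nginx_1 come from the page; the CERT_DIR and APSTRA_CN variables, the prepare/verify/reload subcommands, the timestamped backup names, the non-interactive -subj form of the CSR command, and the heuristic that treats any *.conf containing a [req] section or a subjectAltName line as an OpenSSL template are my assumptions.

```shell
#!/bin/sh
# Added example (not Juniper's code): wraps the documented certificate-replacement
# steps with checks. Assumptions: CERT_DIR/APSTRA_CN variables, the subcommand
# names, and the "stray template" heuristic below. The path and the container
# name come from the documentation page.
set -eu

CERT_DIR="${CERT_DIR:-/etc/aos/nginx.conf.d}"

# md5 of the RSA modulus of a key, CSR or certificate (the same check as step 5).
modulus_md5() {  # $1 = key|csr|crt, $2 = file
  mod=""
  case "$1" in
    key) mod=$(openssl rsa  -noout -modulus -in "$2") || return 1 ;;
    csr) mod=$(openssl req  -noout -modulus -in "$2") || return 1 ;;
    crt) mod=$(openssl x509 -noout -modulus -in "$2") || return 1 ;;
    *)   echo "unknown kind: $1" >&2; return 2 ;;
  esac
  printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
}

# Succeeds only if nginx.key, nginx.csr and nginx.crt all share one modulus.
keys_match() {  # $1 = directory
  k=$(modulus_md5 key "$1/nginx.key") || return 1
  c=$(modulus_md5 csr "$1/nginx.csr") || return 1
  x=$(modulus_md5 crt "$1/nginx.crt") || return 1
  [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Heuristic (assumption): a *.conf with an OpenSSL [req] section or a
# subjectAltName line is a request template, not nginx configuration. nginx
# loads *.conf from this directory at startup, so such a file would make the
# service fail. Prints each offender; succeeds only if none is found.
stray_openssl_confs() {  # $1 = directory
  found=0
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue
    if grep -Eq '^[[:space:]]*\[[[:space:]]*req[[:space:]]*]|subjectAltName' "$f"; then
      printf '%s\n' "$f"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Step 1 with a timestamp instead of the fixed ".old" suffix, so a second run
# does not overwrite the previous backup.
backup_current() {  # $1 = directory
  ts=$(date +%Y%m%d%H%M%S)
  cp -p "$1/nginx.crt" "$1/nginx.crt.$ts"
  cp -p "$1/nginx.key" "$1/nginx.key.$ts"
}

# Steps 1-3: back up, generate the key, write the CSR non-interactively.
# The names nginx.key / nginx.csr are kept because nginx.conf refers to them.
prepare() {  # $1 = directory, $2 = common name
  backup_current "$1"
  openssl genrsa -out "$1/nginx.key" 2048
  openssl req -new -sha256 -key "$1/nginx.key" -subj "/CN=$2" -out "$1/nginx.csr"
  echo "CSR written to $1/nginx.csr; have your CA sign it and install the result as $1/nginx.crt"
}

# Step 5 plus the caution from step 3: refuse to go further if anything is wrong.
verify_dir() {  # $1 = directory
  if ! stray_openssl_confs "$1"; then
    echo "refusing: the OpenSSL template(s) listed above would break nginx startup; move them out of $1" >&2
    return 1
  fi
  if ! keys_match "$1"; then
    echo "refusing: nginx.key, nginx.csr and nginx.crt do not share a modulus" >&2
    return 1
  fi
  # Show what will be served once nginx is restarted.
  openssl x509 -noout -subject -dates -in "$1/nginx.crt"
}

# Step 6: load the verified certificate by restarting the nginx container.
reload_nginx() {
  docker restart aos_nginx_1
}

# Usage (script name is hypothetical):  sh replace-cert.sh prepare | verify | reload
case "${1:-}" in
  prepare) prepare "$CERT_DIR" "${APSTRA_CN:-aos-server.example.com}" ;;
  verify)  verify_dir "$CERT_DIR" ;;
  reload)  verify_dir "$CERT_DIR" && reload_nginx ;;
esac
```

Run `prepare` as root before submitting the CSR, `verify` after the signed nginx.crt is in place, and `reload` only once `verify` passes; the checks exist so that a mismatched key or a forgotten template is caught before the container restart takes the web server down.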